Oracle Micros POS Critical Flaw Affects More Than 300,000 Payment Systems


Oracle's security team recently released a patch for a critical, remotely exploitable vulnerability affecting the MICROS Point-of-Sale (POS) retail system, a business solution for the restaurant and hospitality industry.

The patch was released as part of Oracle's January 2018 update, which fixed a total of 238 security vulnerabilities across its various products.


According to the public disclosure by ERPScan, the security company that discovered and reported the issue to Oracle, Oracle's MICROS EGateway Application Service, deployed by more than 300,000 retailers and businesses worldwide, is vulnerable to a directory traversal attack.

The vulnerability (CVE-2018-2636) allows anyone with access to the vulnerable URL to read numerous files from the MICROS workstation, including service logs and files such as SimphonyInstall.xml or Dbconfix.xml, which contain usernames and encrypted passwords for connecting to the database, information about ServiceHost, and so on.

The attacker can also harvest database usernames and password hashes, brute-force them and gain full access to the database with all of its business data. There are several ways to exploit the flaw, all leading to compromise of the whole MICROS system.
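As an added, defensive illustration (not ERPScan's proof-of-concept or any Oracle code): a small Python log scanner that flags web requests combining path traversal with the MICROS configuration file names mentioned above. The log lines and the /egateway path are constructed placeholders, not real traffic or the real vulnerable URL.

```python
import re
from typing import List, Optional, Tuple
from urllib.parse import unquote

# Configuration files the advisory names as targets of the traversal read.
SENSITIVE_FILES = ("simphonyinstall.xml", "dbconfix.xml")
# A ".." path segment bounded by slashes (either direction) or string ends.
TRAVERSAL = re.compile(r"(^|[\\/])\.\.([\\/]|$)")


def normalise(path: str) -> str:
    """Percent-decode repeatedly so that %252e%252e/ is also seen as ../ ."""
    prev = None
    while prev != path:
        prev, path = path, unquote(path)
    return path.replace("\\", "/").lower()


def classify_request(line: str) -> Optional[str]:
    """Return an alert tag for one combined-log-format line, or None if benign."""
    m = re.search(r'"(?:GET|POST|HEAD) (\S+) HTTP/', line)
    if not m:
        return None
    target = normalise(m.group(1))
    traversal = bool(TRAVERSAL.search(target))
    sensitive = any(name in target for name in SENSITIVE_FILES)
    if traversal and sensitive:
        return "traversal-to-micros-config"
    if traversal:
        return "traversal"
    if sensitive:
        return "micros-config-access"
    return None


def scan(lines: List[str]) -> List[Tuple[str, str]]:
    """Return (tag, line) pairs for every line that trips a rule."""
    return [(tag, line) for line in lines if (tag := classify_request(line))]


# Constructed sample log lines (not from any real incident); /egateway is a placeholder path.
SAMPLE_LOG = """\
10.0.0.5 - - [17/Jan/2018:10:01:02 +0000] "GET /egateway/ HTTP/1.1" 200 512
10.0.0.9 - - [17/Jan/2018:10:01:07 +0000] "GET /egateway/..%2f..%2f..%2fMicros/Simphony/SimphonyInstall.xml HTTP/1.1" 200 2048
10.0.0.9 - - [17/Jan/2018:10:01:09 +0000] "GET /egateway/%252e%252e/%252e%252e/Dbconfix.xml HTTP/1.1" 200 1024
10.0.0.7 - - [17/Jan/2018:10:02:00 +0000] "GET /images/logo.png HTTP/1.1" 200 4096
""".splitlines()

if __name__ == "__main__":
    for tag, line in scan(SAMPLE_LOG):
        print(tag, "<-", line)
```

Double decoding matters because a single `unquote` pass leaves `%252e%252e` as `%2e%2e`, which a naive `..` check would miss.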

ERPScan has also released a proof-of-concept Python-based exploit