Hackers have a new security flaw in their arsenal they can exploit to install POS malware on Oracle Micros point-of-sale systems.
Oracle issued updates for this issue earlier this month, but it will take months until the patch lands on affected POS systems.
The reason is that POS systems are business critical systems, and sysadmins rarely schedule maintenance and update operations, fearing that an unstable patch might cause further downtime and financial losses to their companies.
The flaw is nothing to ignore, according to Dmitry Chastuhin, the ERPScan security researcher who discovered the issue (tracked as CVE-2018-2636).
Chastuhin says the vulnerability allows an attacker to collect configuration files from Micros POS systems. The retrieved data can then be used to grant attackers full and legitimate access to the POS system and attached services (database, server).
In the most common scenario, an attacker would most likely install POS malware to collect payment card details, but an attacker could also install other types of malware for corporate espionage and proxy endpoints for future attacks, or more.
The flaw can be exploited remotely via carefully crafted HTTP requests. A Shodan search shows that around 170 poor souls have misconfigured their POS systems, which are now available online and could be exploited if they have not been updated with Oracle's patches.
Oracle says that over 300,000 companies have chosen to deploy Micros POS systems to handle credit/debit card payments. This means that most systems are not exploitable via the Internet.
But these systems are also vulnerable. Hackers can compromise other systems on the store's internal network, and use them as relay points for the attack code.
In addition, an attacker can always visit the store, identify an open networking port, distract the store staff, and infect the POS system by connecting a small Raspberry Pi board that runs the malicious exploit code.
Patches for this flaw were made available in Oracle's Critical Patch Update (CPU) for January 2018. Oracle bought MICROS Systems, Inc. in 2014 for $5.3 billion. Currently, Oracle is the third-largest provider of PoS software on the market. The company suffered a security breach of its Micros network in 2016.