Retail and hospitality businesses urged to patch Micros flaw

Security researchers at ERPScan have published details of a “severe” vulnerability in Oracle Corporation’s Micros point-of-sale (POS) terminals that could allow an attacker to read sensitive data from devices.

Rated 8.1 on the CVSS scale, the directory traversal vulnerability lets a remote attacker read files from a POS system without authenticating, including the configuration file that stores sensitive information such as passwords.
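The class of bug described above, shown as an added illustration that is not code from Oracle, Micros or ERPScan and does not reproduce the Micros flaw itself: a generic file-serving function that joins the requested path onto its document root without canonicalising it, next to a hardened version that decodes, resolves and then refuses any path that lands outside the root. The directory layout, the file names and the `db.password` value are constructed for the demo.

```python
import os
import shutil
import tempfile
from pathlib import Path
from urllib.parse import unquote


def build_sandbox() -> Path:
    """Constructed layout (not Micros' real one): a web root that serves
    images, plus a configuration file one level above it."""
    base = Path(tempfile.mkdtemp(prefix="pos-demo-"))
    (base / "webroot" / "images").mkdir(parents=True)
    (base / "webroot" / "images" / "logo.txt").write_text("public logo data")
    (base / "conf").mkdir()
    (base / "conf" / "app.properties").write_text("db.password=hunter2\n")
    return base


def read_file_vulnerable(webroot: Path, requested: str) -> bytes:
    """Naive join: '../' segments in the request walk out of the served
    directory, so any file the process can read is exposed."""
    path = os.path.join(str(webroot), requested)
    with open(path, "rb") as f:
        return f.read()


def read_file_hardened(webroot: Path, requested: str) -> bytes:
    """Decode percent-encoding first (so '..%2F' cannot slip past the
    check), resolve symlinks and '..' segments, then require the
    canonical path to sit inside the canonical root."""
    root = webroot.resolve()
    candidate = (root / unquote(requested)).resolve()
    # An absolute request ("/etc/passwd") replaces root in the join,
    # so the parent check below rejects it too.
    if candidate != root and root not in candidate.parents:
        raise PermissionError(f"path escapes served directory: {requested!r}")
    if not candidate.is_file():
        raise FileNotFoundError(requested)
    return candidate.read_bytes()


def demo() -> dict:
    """Run a legitimate request and two traversal attempts against both
    implementations and report what each one returned."""
    base = build_sandbox()
    webroot = base / "webroot"
    results = {}
    try:
        results["legit_vulnerable"] = read_file_vulnerable(webroot, "images/logo.txt")
        # The vulnerable reader hands over the config file outside the root.
        results["leak"] = read_file_vulnerable(webroot, "../conf/app.properties")

        results["legit_hardened"] = read_file_hardened(webroot, "images/logo.txt")
        for payload in ("../conf/app.properties", "..%2Fconf%2Fapp.properties"):
            try:
                read_file_hardened(webroot, payload)
                results[payload] = "allowed"
            except PermissionError:
                results[payload] = "blocked"
    finally:
        shutil.rmtree(base, ignore_errors=True)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

The decisive step in the hardened version is comparing canonical paths, not scanning the request string for `..`: string filters miss encoded and mixed-separator variants, while a resolved path either sits under the resolved root or it does not.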

According to ERPScan, Oracle closed the vulnerability in its January Critical Patch Update. However, the cybersecurity group said “not every vendor dared install it”, leaving businesses that have not applied the update exposed to the loss of sensitive data.

Oracle acquired Micros Systems, a provider of integrated software and hardware solutions to the hospitality and retail industries, back in 2014. Micros-branded POS solutions are currently used by 330,000 sites in 180 countries.

News of the directory traversal vulnerability follows an incident in 2016 in which attackers compromised Oracle’s Micros customer support portal.

POS security once again fell under the spotlight in November, when US fashion retailer Forever 21 alerted its customers to a potential card data breach after encryption had not always been active on some of its payment systems.

Providing an update to customers earlier this year, the Los Angeles-based company said forensic experts found signs of unauthorized network access and POS malware designed to search for payment card data.