Security researchers have devised a way to give themselves steep discounts or steal goods outright by attacking vulnerable point-of-sale systems. Researchers at cybersecurity firm ERPScan, which has a commercial stake in the space, found that SAP's point-of-sale (POS) systems neither authenticate nor validate internal commands, so anyone with access to the store's network gets unrestricted access to the checkout system. Getting onto that network may not be hard: many devices and machines around a store are Ethernet-connected, which makes a plug-in-and-attack approach easier than most. All the attacker has to do is upload a new configuration file to the SAP POS Xpress Server, which controls the checkout machines, to reach administrative functions. With that access, the unauthenticated attacker can change prices, set discounts, or take other malicious actions against the systems, including remotely shutting down the checkout machines or unmasking credit card numbers.
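The weakness described above is a configuration channel that accepts an update from any host on the LAN without checking who sent it. The following is an added example, not SAP's code and not a model of the real SAP POS Xpress protocol: a toy server that behaves like the flaw (any JSON price table pushed to it is accepted) next to a hardened version that requires an HMAC-SHA256 tag under a key provisioned only to management hosts, enforces fresh and strictly increasing timestamps so a captured update cannot be replayed, and rejects malformed price tables. The price table, the shared key and the `sign_config`/`upload_config` names are all hypothetical.

```python
import hashlib
import hmac
import json

# Constructed sample price table in cents; not real SAP data.
PRICE_TABLE = {"SKU-0001": 1999, "SKU-0002": 499}
MAX_SKEW = 300  # seconds of clock skew tolerated before an update is considered stale


class UnauthenticatedPosServer:
    """Models the flaw the article describes: whoever can reach the server on the
    store LAN can push a new configuration, and nothing checks who sent it."""

    def __init__(self):
        self.prices = dict(PRICE_TABLE)

    def upload_config(self, raw: bytes) -> bool:
        self.prices = json.loads(raw)  # no origin check, no integrity check
        return True


def sign_config(key: bytes, raw: bytes, ts: int) -> str:
    """Tag an authorised management host computes before sending an update.
    The timestamp is bound into the MAC so it cannot be swapped independently."""
    return hmac.new(key, f"{ts}.".encode() + raw, hashlib.sha256).hexdigest()


class HardenedPosServer:
    """Same operation, but the update must carry a valid HMAC tag over
    (timestamp || body), the timestamp must be fresh and strictly increasing,
    and the body must parse as a well-formed price table."""

    def __init__(self, key: bytes):
        self.key = key  # hypothetical shared secret provisioned out of band
        self.prices = dict(PRICE_TABLE)
        self.last_ts = 0

    def upload_config(self, raw: bytes, ts: int, tag: str, now: int) -> bool:
        if abs(now - ts) > MAX_SKEW or ts <= self.last_ts:
            return False  # stale or replayed
        if not hmac.compare_digest(sign_config(self.key, raw, ts), tag):
            return False  # not from a key holder, or body tampered with in transit
        try:
            new = json.loads(raw)
        except ValueError:
            return False
        if not isinstance(new, dict) or not all(
            isinstance(v, int) and not isinstance(v, bool) and v >= 0
            for v in new.values()
        ):
            return False  # reject malformed price tables
        self.prices = new
        self.last_ts = ts
        return True


def demo() -> dict:
    """Run the same 'steep discount' update against both servers; 'now' is fixed
    so the run is deterministic."""
    now = 1_000_000
    attacker_cfg = json.dumps({"SKU-0001": 1, "SKU-0002": 1}).encode()
    legit_cfg = json.dumps({"SKU-0001": 1799, "SKU-0002": 499}).encode()

    weak = UnauthenticatedPosServer()
    weak.upload_config(attacker_cfg)  # accepted: prices are now one cent

    key = b"provisioned-out-of-band"
    strong = HardenedPosServer(key)
    unsigned = strong.upload_config(attacker_cfg, now, "0" * 64, now)
    good_tag = sign_config(key, legit_cfg, now)
    signed = strong.upload_config(legit_cfg, now, good_tag, now)
    replay = strong.upload_config(legit_cfg, now, good_tag, now + 10)
    tampered = strong.upload_config(
        attacker_cfg, now + 20, sign_config(key, legit_cfg, now + 20), now + 20
    )

    return {
        "weak_price_after_attack": weak.prices["SKU-0001"],
        "hardened_rejects_unsigned": unsigned,
        "hardened_accepts_signed": signed,
        "hardened_rejects_replay": replay,
        "hardened_rejects_tampered": tampered,
        "hardened_price": strong.prices["SKU-0001"],
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The point of the comparison is that the hardened server still lets a legitimate management host change prices; it only refuses updates from anyone who cannot produce a tag under the provisioned key, and refuses a captured legitimate update sent a second time. Network access alone, which the article says is all the real attack needs, is no longer sufficient.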
A vulnerability discovered by security researchers in a popular point-of-sale system allows attackers to steal credit card and payment information, alter vital files within the system and change the price of any item. Researchers at cybersecurity firm ERPScan first discovered the vulnerability, which affects the SAP POS Xpress Server and SAP point-of-sale clients, the systems customers interact with when they pay a retailer. "Enterprises struggle with managing risk from third-party unmanaged assets on their network that are vulnerable, such as PoS systems. These devices are a part of critical business processes and have a significant breach impact," Gaurav Banga, the founder and CEO of Balbix, a firm that specializes in data breach resistance, told International Business Times.
Oracle has released another large batch of patches, fixing many critical vulnerabilities in enterprise products used to store and process critical business data. About 40 percent of the patched flaws are located in Oracle E-Business Suite, Oracle Fusion Middleware, Oracle PeopleSoft, Oracle Retail Applications, Oracle JD Edwards, Oracle Supply Chain Products and Oracle Database Server. Many of these flaws can be exploited remotely, without authentication, to compromise the affected components. In total, Oracle's October Critical Patch Update (CPU) contains 253 security fixes across hundreds of products, including database servers, networking components, operating systems, application servers and ERP systems. Among the database products, 31 flaws were patched in MySQL and 12 in Oracle Database Server.
Oracle has released a record 299 security fixes for vulnerabilities in its products, including patches for a widely exploited vulnerability in the Apache Struts framework and for a Solaris exploit allegedly used by the U.S. National Security Agency. The Struts vulnerability allows remote code execution on Java web servers and was patched upstream on March 6; attackers quickly adopted it and have used it in widespread attacks since. Oracle uses Apache Struts 2 in several of its products, which is why Tuesday's Critical Patch Update (CPU) fixed 25 instances of the vulnerability in Oracle Communications, Retail and Financial Services applications, as well as in MySQL Enterprise Monitor, Oracle WebCenter Sites, Oracle WebLogic Server and the Siebel E-Billing app. The company also fixed the vulnerability behind the EXTREMEPARR exploit for Solaris 10, which was recently leaked by a group called the Shadow Brokers as part of a larger dump of alleged NSA cyber tools.