[ERPSCAN-18-002] Oracle MICROS POS missing authorisation check

Application: Oracle MICROS POS
Versions Affected: Oracle Hospitality Simphony 2.7-2.9
Vendor URL: Oracle
Bug: Missing Authentication for Critical Function
Reported: 21.07.2017
Vendor response: 22.07.2017
Date of Public Advisory: 17.01.2018
Reference: Oracle CPU January 2018
Author: Dmitry Chastuhin (ERPScan) aka @_chipik


Class: Missing Authentication
Risk: High
Impact: Provides an attacker with the privilege to read sensitive data
Remotely Exploitable: Yes
Locally Exploitable: Yes
CVE Name: CVE-2018-2636

CVSS Information

CVSS Base Score v3: 8.1 / 10
CVSS Base Vector:

AV: Attack Vector (Related exploit range) Network (N)
AC: Attack Complexity (Required attack complexity) High (H)
PR: Privileges Required (Level of privileges needed to exploit) None (N)
UI: User Interaction (Required user participation) None (N)
S: Scope (Change in scope due to impact caused to components beyond the vulnerable component) Unchanged (U)
C: Impact to Confidentiality High (H)
I: Impact to Integrity High (H)
A: Impact to AvailabilityHigh (H)


A remote unauthenticated attacker can read any file and receive information on various services without authentication from a vulnerable MICROS workstation. The attacker can snatch DB usernames and password hashes, brute them and gain full access to the DB with all business data.


Oracle Hospitality Simphony: 2.7
Oracle Hospitality Simphony: 2.8
Oracle Hospitality Simphony: 2.9


To correct this vulnerability, implement Oracle CPU January 2018


Proof of Concept

In case an insider has access to the vulnerable URL, he or she can pilfer numerous files from the MICROS workstation including services logs and read files like SimphonyInstall.xml or Dbconfig.xml that contain usernames and encrypted passwords to connect to DB, get information about ServiceHost, etc.

You can find more information on CVE-2018-2636 in our blog and script to be sure that your environment has no such vulnerabilities.