A high severity vulnerability in the SAP POS server was found by security researchers from ERPScan, the vulnerability enables attackers to modify configuration files for SAP Point-of-Sale (POS) systems, change prices, and obtain payment card data and send it to one of their servers.
“The point of sale (POS) or point of purchase (POP) is the time and place where a retail transaction is completed.”
“SAP POS, a client/server point-of-sale (POS) solution, has long defined the standard of excellence in the POS industry. SAP POS meets the needs of a wide variety of retailers. Retail Customers include department, c-store, liquor, gas, specialty, apparel, big box, and a number of other retail verticals.”
Researchers said that SAP POS Xpress Server does not implement any authentication checks for significant functionality that needs user identity. For that, administrative and other privileged functions can be reached without any authentication procedure thus enabling anyone who gets into the network to modify prices or set discounts.
“It’s no secret that POS systems are plagued by vulnerabilities and numerous incidents occurred because of their security drawbacks came under the spotlight. Unlike the majority of such malware designed to steal customers’ data, this one provides cyber attackers with an unfettered control over the whole POS system. Multiple missing authorization checks on the server side of SAP POS allowed a hacker to use a legitimate software functionality (which must have restricted access), meaning that malicious actions are difficult to detect.”
—commented Alexander Polyakov, CTO at ERPScan.
The vulnerability has been reported to SAP in April 2017, and patched in “SAP Security Note 2476601” and “SAP Security Note 2520064”.
