Bug Infestation in Hotels: Oracle Property Management Software May Be Vulnerable
Oracle, one of the widely used property management software vendors in the hospitality industry, has reported a vulnerability in its “Oracle Hospitality Opera 5 Property Services” product as part of its April 2023 security update. The vendor rated the CVE-2023-21932 vulnerability at a moderate severity level of 7.2 on the CVSS scale, stating that only an authenticated attacker with highly privileged access could exploit it. However, the researchers who discovered and reported the flaw to Oracle have called it a complex and highly critical vulnerability. They achieved pre-authentication remote code execution with the bug at a live hacking event and, according to them, the vulnerability could give an unauthenticated attacker access to the software and its data.
Inherent Threat to Privacy and Security in the Hospitality Industry
The Oracle Opera software, also known as Micros Opera, is a property management system that hotels and hotel chains worldwide use for central reservations, guest services, accounting and other operations. The security flaw could potentially provide attackers with personally identifiable information, credit card data, and other sensitive information belonging to guests or even allow them to gain unauthorized access to the system.
Patch Urgently Recommended
Oracle has not yet responded to the report, and the vulnerability still exists in version 5.6 of the Opera 5 Property Services platform. Given the seriousness of the vulnerability and the potential impact it could have on the industry, all hotels using this particular software should immediately patch any potentially affected system and closely monitor their networks for suspicious activity.
The Risk Associated with Order of Operation Bugs
The vulnerability that the researchers discovered is called an “order of operations” bug. In the affected Opera code segment, an encrypted payload is sanitized for two specific variables and only then decrypted, so the two steps run in the wrong order. Because the sanitizer inspects ciphertext rather than the decrypted content, attackers can sneak any payload in through these variables without any effective sanitization, the researchers said. According to them, it is a rare bug that is difficult to identify and potentially even harder to fix, but it is this bug that malicious actors could use to gain unauthenticated access to data in the Oracle Opera software.
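The following is an added illustration of the bug class described above, not code from Oracle Opera or from the researchers' report. It models two encrypted request fields passing through a sanitizer and a decryption step; base64 stands in for the real cipher (an assumption made only so the example runs offline), and the blocked-token list and the handler names are constructed for the example. Because a sanitizer applied to ciphertext never sees the decoded content, the sanitize-then-decrypt order lets the payload through, while decrypt-then-sanitize rejects it.

```python
import base64

# Tokens the sanitizer refuses to pass through (constructed, for illustration only)
BLOCKED_TOKENS = ("../", ";", "|")


def sanitize(value: str) -> str:
    """Reject a value containing any blocked token; return it unchanged otherwise."""
    for token in BLOCKED_TOKENS:
        if token in value:
            raise ValueError(f"blocked token {token!r} in input")
    return value


def encrypt(plaintext: str) -> str:
    # Stand-in for the real cipher (assumption). Base64 is NOT encryption; it is
    # used here because, like real ciphertext, its output alphabet never contains
    # the blocked tokens, so a filter applied before decryption finds nothing.
    return base64.b64encode(plaintext.encode()).decode()


def decrypt(ciphertext: str) -> str:
    return base64.b64decode(ciphertext).decode()


def handle_vulnerable(enc_params: dict) -> dict:
    """Order-of-operations bug: sanitize the still-encrypted value, then decrypt."""
    return {name: decrypt(sanitize(value)) for name, value in enc_params.items()}


def handle_fixed(enc_params: dict) -> dict:
    """Correct order: decrypt first, so the sanitizer checks the plaintext in use."""
    return {name: sanitize(decrypt(value)) for name, value in enc_params.items()}


def is_blocked(handler, enc_params: dict) -> bool:
    """True if the handler rejects the request, False if it lets it through."""
    try:
        handler(enc_params)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # Constructed request: two encrypted fields, one carrying a traversal sequence
    request = {"report": encrypt("../private/report"), "fmt": encrypt("pdf")}
    print("vulnerable order blocks it:", is_blocked(handle_vulnerable, request))  # False
    print("fixed order blocks it:     ", is_blocked(handle_fixed, request))       # True
```

A detection-side takeaway: when reviewing code paths that decrypt user-supplied fields, confirm that every validation step runs on the decrypted value, not on the ciphertext.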
Oracle Needs to Do Better
While this vulnerability is a significant concern, researchers say it is only one of many flaws in the Oracle Opera software. In their assessment, at least some of these have yet to be addressed by the company, which has taken almost a year to release a patch for this particular bug after it was disclosed to them. Security researcher Kevin Beaumont added that several search queries could be used to find hotels and other entities using Opera, and every property he found via these queries remains unpatched.
In conclusion, the hospitality industry should take this vulnerability very seriously and move urgently to patch, secure data, and investigate their networks for any signs of unauthorized access or attempts to exploit this vulnerability. Meanwhile, Oracle must prioritize the security of its property management software and make it a top priority to identify and patch bugs to prevent further exploits.