The hundreds of hotels and other hospitality-related organisations across the globe who use Oracle's Opera property management system may wish to immediately patch a bug that Oracle revealed in its April 2023 security update.
According to Oracle, only an authenticated attacker with highly privileged access could exploit the vulnerability (CVE-2023-21932), which the company has described as a complicated flaw in the Oracle Hospitality Opera 5 Property Services software. Based on factors such as the apparent inability of an attacker to exploit it remotely, the vendor gave it a moderate severity rating of 7.2 on the CVSS scale.
Inaccurate evaluation
Oracle's description of the vulnerability is incorrect, according to the researchers who actually found and reported the bug to the firm.
In a blog post, researchers from Assetnote, an attack surface management company, and two other organisations claimed that they had used the weakness to achieve pre-authentication remote code execution while taking part in a live hacking event in 2017. The researchers said the target in that incident was one of the biggest resorts in the US.
"This vulnerability does not require any authentication to exploit, despite what Oracle claims," Shubham Shah, co-founder and CTO of Assetnote, explained in a blog post this week. "This vulnerability should have a CVSS score of 10.0."
In order to centrally manage reservations, guest services, accounting, and other activities, hotels and hotel chains all over the world use Oracle Opera, also known as Micros Opera. Major hotel brands like Marriott, IHG, Radisson, Accor, and the Wyndham Group are among its clients.
Attackers who exploit the software may be able to obtain guests' sensitive personal information, credit card information, and other data. CVE-2023-21932 affects version 5.6 of the Opera 5 Property Services platform.
Oracle claimed that the flaw enables attackers to access all data that Opera 5 Property Services has access to. A portion of the system's data would also be accessible to attackers, who might edit, add, or remove it.
Shah, a bug hunter on the HackerOne platform, together with Sean Yeoh, engineering lead at Assetnote, Brendan Scarvell, a pen tester with PwC Australia, and Jason Haddix, CISO at adversary emulation firm BuddoBot, conducted a source-code analysis of Opera and found the vulnerability.
Shah and the other researchers determined that CVE-2023-21932 involved an Opera code fragment that sanitises an encrypted payload for two particular variables and only then decrypts it, rather than the other way around.
According to the researchers, this kind of "order of operations" flaw enables attackers to use the variables to smuggle in any payload without any sanitization taking place.
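The following is an added illustration of this bug class, not code from Opera or from the researchers' write-up. It places a handler that sanitises before decrypting beside one that decrypts first and then validates. The XOR keystream "cipher", the key, the function names and the sample values are all constructed stand-ins, and the example assumes the caller can supply a validly encrypted value.

```python
import hashlib
import re

KEY = b"constructed-demo-key"              # constructed; stands in for the server's key
ALLOWED = re.compile(r"[A-Za-z0-9_.-]+")   # hypothetical allowlist for the decrypted value

def _keystream(n):
    # Toy keystream from SHA-256 in counter mode; a stand-in for real encryption.
    out, counter = b"", 0
    while len(out) < n:
        out += hashlib.sha256(KEY + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:n]

def toy_encrypt(text):
    data = text.encode()
    return bytes(a ^ b for a, b in zip(data, _keystream(len(data)))).hex()

def toy_decrypt(hex_blob):
    data = bytes.fromhex(hex_blob)
    return bytes(a ^ b for a, b in zip(data, _keystream(len(data)))).decode()

def sanitise(value):
    # Strip every character outside the allowlist.
    return re.sub(r"[^A-Za-z0-9_.-]", "", value)

def handle_flawed(param):
    # Wrong order: the sanitiser only ever sees hex ciphertext, which contains
    # nothing it strips, so the decrypted value is never checked.
    return toy_decrypt(sanitise(param))

def handle_fixed(param):
    # Right order: check the transport encoding, decrypt, then validate the
    # plaintext and reject (rather than silently rewrite) anything unexpected.
    if not re.fullmatch(r"(?:[0-9a-f]{2})+", param):
        raise ValueError("not a hex-encoded value")
    plain = toy_decrypt(param)  # invalid UTF-8 raises a ValueError subclass
    if not ALLOWED.fullmatch(plain):
        raise ValueError("rejected after decryption")
    return plain

BENIGN = "report_2023.txt"          # constructed sample
HOSTILE = "name;with/meta chars"    # constructed sample with disallowed characters

if __name__ == "__main__":
    print("flawed:", repr(handle_flawed(toy_encrypt(HOSTILE))))
    print("fixed :", repr(handle_fixed(toy_encrypt(BENIGN))))
```

The flawed handler returns the hostile sample unchanged, while the fixed handler accepts the benign sample and raises `ValueError` on the hostile one.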
"Order of operations bugs are really rare, and this bug is a very clear example of this bug class," Shah tweeted earlier this week. "We were able to leverage this bug to gain access to one of the biggest resorts in the US, for a live hacking event."
The researchers explained the steps they took to get around particular restrictions in Opera in order to exploit the flaw before authentication, noting that none of them required any kind of specialised access or software knowledge.
Responding to the Assetnote blog post, security expert Kevin Beaumont claimed there were a number of Shodan queries an attacker might use to discover hotels and other companies using Opera.
According to Beaumont, none of the properties he discovered using Shodan had been patched. We must eventually discuss Oracle product security, Beaumont stated.
CVE-2023-21932 is only one of many bugs in Oracle Opera, according to Shah and the other researchers, at least some of which the company has not fixed. Please never post this on the Internet, they pleaded.