Vulnerability in Oracle Property Management Software Puts Hotels at Risk

The hundreds of hotels and other hospitality-related organisations across the globe that use Oracle's Opera property management system may wish to immediately patch a bug that Oracle revealed in its April 2023 security update.

According to Oracle, only an authenticated attacker with highly privileged access could exploit the vulnerability (CVE-2023-21932), which the vendor described as a complex flaw in the Oracle Hospitality Opera 5 Property Services software. Based on factors such as the apparent inability of an attacker to exploit it remotely, Oracle gave it a moderate severity rating of 7.2 on the CVSS scale.

Inaccurate evaluation 

Oracle's description of the vulnerability is incorrect, according to the researchers who found and reported the bug to the company.

In a blog post, researchers from attack surface management company Assetnote and two other organisations said they had used the flaw to achieve pre-authentication remote code execution while taking part in a live hacking event in 2017. The researchers named one of the biggest resorts in the US as the target in that event.

"This vulnerability does not require any authentication to exploit, despite what Oracle claims," Shubham Shah, co-founder and CTO of Assetnote, explained in a blog post this week. "This vulnerability should have a CVSS score of 10.0."

Hotels and hotel chains all over the world use Oracle Opera, also known as Micros Opera, to centrally manage reservations, guest services, accounting, and other activities. Major hotel brands such as Marriott, IHG, Radisson, Accor, and the Wyndham Group are among its customers.

Attackers who exploit the flaw may be able to obtain guests' sensitive personal information, credit card data, and other records. The bug, CVE-2023-21932, affects version 5.6 of the Opera 5 Property Services platform.

Oracle said the flaw enables attackers to access all data that Opera 5 Property Services has access to, and that a subset of the system's data would also be open to attackers to edit, add, or remove.

Shah, a bug hunter on the HackerOne platform, together with Sean Yeoh, engineering lead at Assetnote, Brendan Scarvell, a pen tester with PwC Australia, and Jason Haddix, CISO at adversary emulation firm BuddoBot, conducted a source-code analysis of Opera and found the vulnerability.

Shah and the other researchers determined that CVE-2023-21932 stems from an Opera code fragment that sanitises two particular variables first and only then decrypts the encrypted payload, rather than the other way around.

According to the researchers, this kind of "order of operations" flaw lets an attacker smuggle an arbitrary payload through those variables without any sanitisation taking effect: the checks run on the still-encrypted value, and the decrypted result that the application actually uses is never inspected.
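The sanitise-then-decrypt ordering described above, shown as an added example that is not Oracle's code and does not reproduce Opera's encryption: a toy XOR/base64 transform stands in for the cipher, and the two variable names, the allow-list and both handlers are assumptions. The vulnerable handler validates the still-encrypted value, which by construction is always allow-list clean, while the fixed handler validates the decrypted value the application would act on.

```python
import base64
import re

# Constructed stand-in key and cipher: NOT Oracle Opera's real encryption scheme,
# which the article does not describe. Any reversible transform shows the same ordering bug.
KEY = b"stand-in-key"


def xor_bytes(data: bytes) -> bytes:
    """Toy reversible XOR transform standing in for the real encryption layer."""
    return bytes(b ^ KEY[i % len(KEY)] for i, b in enumerate(data))


def encrypt(plaintext: str) -> str:
    return base64.urlsafe_b64encode(xor_bytes(plaintext.encode())).decode()


def decrypt(token: str) -> str:
    return xor_bytes(base64.urlsafe_b64decode(token)).decode()


# Allow-list sanitiser for the two (assumed) request variables. Every character that
# URL-safe base64 can produce (A-Z a-z 0-9 - _ =) is on this allow-list, so a
# still-encrypted value always passes: checking before decryption is meaningless.
SAFE_VALUE = re.compile(r"^[A-Za-z0-9._=-]+$")


def sanitize(value: str) -> str:
    if not SAFE_VALUE.match(value):
        raise ValueError(f"rejected unsafe value: {value!r}")
    return value


def handle_vulnerable(params: dict) -> dict:
    """Sanitise, then decrypt: the decrypted value that is actually used is never inspected."""
    checked = {k: sanitize(params[k]) for k in ("filename", "path")}
    return {k: decrypt(v) for k, v in checked.items()}


def handle_fixed(params: dict) -> dict:
    """Decrypt, then sanitise: the check runs on the value the application will act on."""
    decrypted = {k: decrypt(params[k]) for k in ("filename", "path")}
    return {k: sanitize(v) for k, v in decrypted.items()}


def is_rejected(handler, params: dict) -> bool:
    """True if the handler refuses the request; used to compare the two orderings."""
    try:
        handler(params)
        return False
    except ValueError:
        return True
```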

"Order of operations bugs are really rare, and this bug is a very clear example of this bug class," Shah tweeted earlier this week. "We were able to leverage this bug to gain access to one of the biggest resorts in the US, for a live hacking event." 

The researchers also explained the steps they took to get around particular restrictions in Opera in order to exploit the flaw before authentication, noting that none of them required any kind of specialised access or knowledge of the software.

In response to the Assetnote blog, security expert Kevin Beaumont claimed there were a number of Shodan queries an attacker might use to discover hotels and other companies running Opera.

According to Beaumont, none of the properties he discovered using Shodan had been patched. At some point the industry must have a conversation about Oracle product security, Beaumont stated.

CVE-2023-21932 is only one of many bugs in Oracle Opera, at least some of which the company has not fixed, according to Shah and the other researchers. Please never post this on the Internet, they pleaded.

Shadow IT, SaaS Pose a High Security Threat for Businesses

Software as a service (SaaS) has undeniably reached the height of its popularity, and modern corporate operations and continuity depend on software tools more than ever. Despite this, too few businesses have adopted proper procurement procedures, so they cannot be sure they are safeguarding their reputations and preventing data breaches.

The growing practice of "shadow IT", in which employees download and use software without informing their internal IT staff, is a key driver of concern about SaaS management. According to a recent poll, more than 65% of IT professionals say their SaaS tools are not going through approval, and 77% expect shadow IT to become a serious issue in 2023. As SaaS use spreads, organisations are starting to struggle with managing security on top of the more obvious worries about overspending and lost operational effectiveness.

For many organisations, ignoring shadow IT is no longer an option. Data breaches and other security incidents cost firms an average of $4.5 million, and a growing software market is largely to blame for many of these incidents. To prevent shadow IT and the high risks that go with it, organisations must implement an efficient procurement procedure for onboarding new software and increase visibility over their SaaS stacks.

Why does Shadow IT pose such a risk? 

Lack of visibility within an organisation is the root cause of every shadow IT problem. When the software stack is not inventoried and maintained, IT teams have no control over how sensitive company data is used and distributed. Most organisations do not fully protect the data these tools retain because they neither properly vet the tools nor monitor them.

This creates an ideal environment for attackers to steal crucial data, such as private financial records or personal information. Because most, if not all, SaaS products require corporate credentials and access to an organisation's internal network, core company data is at risk. According to a recent poll by Adaptive Shield and CSA, 63% of CISOs reported security incidents resulting from this kind of SaaS misuse in the previous year alone.

Consequences of loopholes 

As noted above, data breaches are a recurring consequence that many firms encounter with shadow IT. It is equally important, however, to be aware of the regulatory fines and industry scrutiny that organisations may face as a result of widespread shadow IT.

Unauthorised software is likely to fall short of the compliance requirements set by laws such as the General Data Protection Regulation (GDPR), the Federal Information Security Management Act (FISMA), and the Health Insurance Portability and Accountability Act (HIPAA), which businesses are required to uphold. For businesses in heavily regulated sectors, noncompliance penalties can bring irreversible reputational harm that cannot be remedied by merely paying the corresponding fine.

Beyond the costs of a security failure and the reputational harm a business suffers, organisations are also unaware of the operating dollars wasted on unapproved tools and applications. Because of rogue sub-teams, departments sourcing their own software, and employees using corporate credentials to sign up for freemium or single-seat tools, large organisations can find it difficult to discover every application the company never approved.

Mitigation Tips

Gaining visibility into the current software stack is the essential first step in addressing an organisation's SaaS sprawl and making sure shadow IT never puts it in a precarious position. Without visibility, a company will not know which tools are in use and cannot decide whether to centralise its software. IT teams should focus on updating the documentation for their software portfolio and keeping track of each application's function, its usage, its contract or subscription duration, and its cost.

Once this information has been gathered and is kept accurate, IT teams can determine which tools are crucial and where changes can be made. After this housekeeping, firms can set up a centralised procurement system to make sure that all future purchases are coordinated between departments and that security and compliance requirements are consistently met, avoiding both security lapses and legal repercussions. With these records in hand, organisations can easily keep track of all usage, cutting down on wasteful spending and security gaps.