SAP POS Xpress Server does not perform any authentication checks for critical functionality that requires user identity. As a result, administrative and other privileged functions can be accessed without any authentication procedure, allowing anyone who gets into the network to change prices or set discounts. The vulnerabilities were identified by ERPScan researchers and reported to the vendor in April 2017.
It’s no secret that POS systems are plagued by vulnerabilities, and numerous incidents caused by their security weaknesses have come under the spotlight. Unlike the majority of POS malware, which is designed to steal customers’ data, these vulnerabilities give attackers unfettered control over the whole POS system. Multiple missing authorization checks on the server side of SAP POS allow an attacker to use legitimate software functionality (which should have restricted access), so malicious actions are difficult to detect.
“The major part of other POS malware is a one-trick pony as it allows nothing but compromising data. Of course, it’s a costly risk, but the vulnerabilities we found go much further. Stealing credit card numbers, setting up prices and special discounts, remotely starting and stopping a POS terminal – all of these options are on the hacker’s menu,” commented Alexander Polyakov, CTO at ERPScan.
WHAT IS SAP POS?
SAP POS is a part of the SAP for Retail solution portfolio, which serves 80% of the retailers in the Forbes Global 2000. As the name implies, SAP POS is a client-server point-of-sale solution developed by the German-based vendor.
In general, SAP POS consists of the following elements:
Client applications installed on POS terminals located in a shop; this part is used to process transactions;
Store Server components in the store’s back office providing connective, operative and administrative functions. Among them, there is the POS Xpress server, a store-level server application.
Applications running in the head office to enable central management.
To exploit the missing authorization checks in the SAP POS Xpress Server, one needs access to the network where SAP POS is located. This network can be exposed to the Internet, in which case the attack can be conducted remotely. If not, it is still possible to obtain access, for example by connecting a Raspberry Pi to electronic scales inside a shop.
This means that to access the network of a retail giant you need a tool which costs only $25.
Once inside, an attacker has unlimited control over the backend and frontend of the POS system, because a malicious configuration file can be uploaded to the SAP POS Xpress Server without any authentication procedure.
The new parameters are limited only by the attacker’s imagination: they can set a special price or discount, the period during which the discount is valid, and the conditions under which it applies, for example when a specific product is purchased.
In our case, we set up an incredible discount on a MacBook.
The Xpress Server receives the new settings. To apply them, the attacker sends commands to the Xpress Server that restart a POS terminal. The terminal, in its turn, downloads the attacker’s configuration and applies it.
Now little remains to be done: the attacker just needs to come and buy the incredibly cheap MacBook.
HOW TO PROTECT
We encourage organizations to implement the appropriate patches (SAP Security Note 2476601 and SAP Security Note 2520064) as soon as possible to protect their business-critical assets.
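The defect class behind these notes is a privileged server command that runs for anyone who can reach the port. The following is an added illustration, not SAP’s code: a hypothetical command dispatcher shown in its unchecked form beside a deny-by-default form that requires an authenticated session with an admin role for configuration upload, terminal restart and price changes, and records each decision for detection.

```python
# Added illustration (not SAP POS code): authorization gate for privileged
# store-server commands. Command names, roles and sessions are hypothetical.
from dataclasses import dataclass, field

# Commands that change prices, push configuration or restart terminals.
PRIVILEGED = {"upload_config", "restart_terminal", "set_price"}


@dataclass
class Session:
    user: str
    roles: set = field(default_factory=set)


# Constructed in-memory session store standing in for real authentication.
SESSIONS = {
    "tok-admin": Session("store_admin", {"pos_admin"}),
    "tok-cashier": Session("cashier", {"pos_operator"}),
}
# Audit trail of allow/deny decisions; feed this to monitoring in practice.
AUDIT = []


def apply_command(cmd, payload):
    """Stand-in for the server's real command handlers."""
    return f"applied {cmd}: {payload}"


def dispatch_unchecked(cmd, payload):
    """Vulnerable pattern: no identity check, the handler runs for any caller."""
    return apply_command(cmd, payload)


def dispatch_checked(cmd, payload, token=None):
    """Hardened pattern: privileged commands need a session with the admin role.

    Returns the handler result, or None when the command is refused.
    """
    session = SESSIONS.get(token)
    if cmd in PRIVILEGED:
        if session is None:
            AUDIT.append(("deny", "unauthenticated", cmd))
            return None
        if "pos_admin" not in session.roles:
            AUDIT.append(("deny", session.user, cmd))
            return None
        AUDIT.append(("allow", session.user, cmd))
    return apply_command(cmd, payload)
```

Every refused privileged call lands in AUDIT with the command name, which is the signal a store-level monitor would alert on.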
I’m a big retailer. How can I check if our POS system is exposed to the attack?
If you use a POS solution from SAP, you are vulnerable unless you have installed the latest patches, released on Monday, 21st of August.
Are other POS solutions vulnerable to the same bug?
We haven’t tested other solutions yet. In general, vulnerabilities of this type can be discovered in other solutions as well.
A cashier would notice that something is wrong when you try to buy a MacBook for $1.
Of course, the price of $1 is an exaggeration. When someone purchases multiple items, a cashier may overlook that some of them are priced lower. In any case, a careful attacker would never be that bold; a discount of 10-20% would go unnoticed.
Are attacker’s actions limited to the described scenario?
The missing authorization checks allow an attacker to perform every administrative function the service provides. For example, it’s possible to disclose credit card data by changing the mask and printing full card numbers on receipts (which is prohibited by the PCI Data Security Standard) or by sending this information to the attacker’s server. Another vector is to turn the POS systems off remotely, which would bring significant losses for the victim merchant.