A recently patched vulnerability (CVE-2023-21932) in Oracle Opera, a property management system widely used in large hotel and resort chains, is more critical than Oracle says it is and could be easily exploited by unauthenticated remote attackers to access sensitive information, a group of researchers has warned.
Oracle Opera landing page (Source: Assetnote)
What’s more, these systems are often exposed to the internet and they are not hard to find. According to security researcher Kevin Beaumont, there’s a number of queries one can use on Shodan to pinpoint them and every one he has found is unpatched.
Oracle Opera, also known as Micros Opera, is a solution many companies in the hospitality industry – more specifically, those offering lodging and related services – use to manage reservations, sales, housekeeping, catering, and deliver personalized guest experiences.
As researchers Shubham Shah, Sean Yeoh, Brendan Scarvell and Jason Haddix explained, the dated design of the solution’s landing page and its specialized nature spurred them to probe it for flaws – and they found one.
CVE-2023-21932 affects version 5.6 of the Oracle Hospitality OPERA 5 Property Services product and may allow attackers to access, update or insert critical data accessible via the solution. According to Oracle, the vulnerability is difficult to exploit and the attacker needs high privileges and network access via HTTP.
The researchers disagree, and have shown how attackers can easily achieve pre-auth command execution after obtaining a JNDI connection name from specific URLs and breaking the solutions’ encryption scheme and repurposing it to encrypt arbitrary strings.
Finally, they created a payload to upload a CGI web shell to the local file system.
“RCE is possible without any special access or knowledge. All steps performed in the exploitation of this vulnerability were without any authentication. This vulnerability should have a CVSS score of 10.0,” they concluded.
According to Shah, they were able to leverage this bug to gain access to one of the biggest resorts in the US during a live hacking event.
Organizations using the Oracle Opera solution should quickly implement the patches provided by Oracle in April.
With all this information now public and many unpatched internet-facing installations out there, its possible and likely that attackers will quickly start trying to exploit the flaw and grab sensitive data.
But, as Shah noted, a thorough code security audit of the product is sorely needed.
“There are still a tonne of vulnerabilities that are not patched. XXE, Arb File Write, Full read SSRF. If you audit this software, you will likely find another critical pre-auth chain,” he said. “My advice for anyone that runs this software is to get it off the external internet.”