Skip links
Vahagn Vardanian

Vahagn Vardanian

Co-founder and CTO of RedRays

Credit Card numbers are showing in free space after trans, SAP security note 1498368

Description

It has come to our attention that credit card data is not being cleared correctly from the hard disk where the SAP POS resides. Upon making a payment through the point of sale and Centralized EFT solution, a message is generated in memory to request authorization. When the message is returned back, the transaction will authorize (or decline) and complete the transaction. At that time the message is cleared from memory.  However, it has been determined that, sensitive card data can remain on the hard disk sector. Since this is a violation of the Payment Card Industry (PCI) Data Security Standard, this will be a sensitive issue for most retailers using the SAP POS solution.

* What are the affected versions?
Releases prior to and including
SAP POS v1.0 (POS v9.5 and all customer branches)
SAP POS v2.0 (POS v10.0 and all customer branches)
SAP POS v2.1 (POS v10.1 and all customer branches)
SAP POS v2.2 (POS v10.2 and all customer branches)
To determine the version of the SAP POS application you are using, run a Manager Code 999 from the POS UI.

* How can the customer find out the used version in his systems?
To determine the version of the POS application you are using, run a Manager Code 999 from the POS UI.

* What are the fixed versions and patch levels?
Core Product SAP POS v2.1 and 2.2 have been corrected and are available.

* Where and how to get the fixed versions? (recommendation: provide a separate note for it – just referring to the SAP Service Marketplace is not very helpful)
You may request a fix for this security issue, please contact Active Global Support to coordinate a fix for your release.

* What is the risk the customer is taking if he is not patching?
Should you decide not to apply the security fix, credit card data can appear in plain text on the hard drive.

* What is the workaround?
A possible workaround for this issue would be to use a stand beside terminal and not use the integrated EFT solution with the SAP POS solution. Ensuring that your POS environment is secure is also critical to ensure potential thieves cannot gain access to your network environment.

* What are mitigation options?
SAP has completed a security update that can be obtained from Active Global Support.

* What is the influence of the correction on productive business processes?
The security update can be applied via the Unattended Upgrade capability. For information on Unattended Upgrade, please consult your user reference manuals and documentation.

* How can the customer test whether the note is applied correctly and all related productive business processes are still working?
Running a Manager Code 999 on the POS will show an update in the build number.

Available fix and Supported packages

  • XPRESSBU | 1010 | 1010
  • XPRESS | 1020 | 1020

Affected component

    IS-R-TGM-POS
    Transactionware GM-POS

CVSS

Score: 0

PoC

Detailed vulnerability information added to RedRays Security Platform. Contact [email protected] for details.

URL

https://launchpad.support.sap.com/#/notes/1498368

TAGS

#

Explore More

RedRays AI for ABAP Code Security

Empowering Secure, Efficient, and Compliant SAP ABAP Development—in Real Time and Without Data Retention In today’s rapidly evolving business landscape, organizations increasingly

Special offer for SAP Security Udemy course!

$ 9.99

Join “SAP Security Core Concepts and Security Administration” which is part of the Blackhat course series.