Skip links
Arpine Maghakyan

Arpine Maghakyan

Security Researcher of RedRays.

Credit Card numbers are showing in free space after trans, SAP security note 1498368

Description

It has come to our attention that credit card data is not being cleared correctly from the hard disk where the SAP POS resides. Upon making a payment through the point of sale and Centralized EFT solution, a message is generated in memory to request authorization. When the message is returned back, the transaction will authorize (or decline) and complete the transaction. At that time the message is cleared from memory.  However, it has been determined that, sensitive card data can remain on the hard disk sector. Since this is a violation of the Payment Card Industry (PCI) Data Security Standard, this will be a sensitive issue for most retailers using the SAP POS solution.

* What are the affected versions?
Releases prior to and including
SAP POS v1.0 (POS v9.5 and all customer branches)
SAP POS v2.0 (POS v10.0 and all customer branches)
SAP POS v2.1 (POS v10.1 and all customer branches)
SAP POS v2.2 (POS v10.2 and all customer branches)
To determine the version of the SAP POS application you are using, run a Manager Code 999 from the POS UI.

* How can the customer find out the used version in his systems?
To determine the version of the POS application you are using, run a Manager Code 999 from the POS UI.

* What are the fixed versions and patch levels?
Core Product SAP POS v2.1 and 2.2 have been corrected and are available.

* Where and how to get the fixed versions? (recommendation: provide a separate note for it – just referring to the SAP Service Marketplace is not very helpful)
You may request a fix for this security issue, please contact Active Global Support to coordinate a fix for your release.

* What is the risk the customer is taking if he is not patching?
Should you decide not to apply the security fix, credit card data can appear in plain text on the hard drive.

* What is the workaround?
A possible workaround for this issue would be to use a stand beside terminal and not use the integrated EFT solution with the SAP POS solution. Ensuring that your POS environment is secure is also critical to ensure potential thieves cannot gain access to your network environment.

* What are mitigation options?
SAP has completed a security update that can be obtained from Active Global Support.

* What is the influence of the correction on productive business processes?
The security update can be applied via the Unattended Upgrade capability. For information on Unattended Upgrade, please consult your user reference manuals and documentation.

* How can the customer test whether the note is applied correctly and all related productive business processes are still working?
Running a Manager Code 999 on the POS will show an update in the build number.

Available fix and Supported packages

  • XPRESSBU | 1010 | 1010
  • XPRESS | 1020 | 1020

Affected component

    IS-R-TGM-POS
    Transactionware GM-POS

CVSS

Score: 0

Exploit

Exploit is not available.
For detailed information please contact the mail [email protected]

URL

https://launchpad.support.sap.com/#/notes/1498368

TAGS

#

More to explorer