Hotels at Risk From Bug in Oracle Property Management Software

The thousands of hotels and other entities in the hospitality industry worldwide using Oracle's Opera property management system might want to quickly patch a flaw in the software that Oracle disclosed in its April 2023 security update.

Oracle has described the vulnerability (CVE-2023-21932) as a complex bug in the Oracle Hospitality Opera 5 Property Services product that only an authenticated attacker with highly privileged access could exploit. The vendor assigned it a moderate severity rating of 7.2 on the CVSS scale based among other things on the apparent fact that an attacker could not exploit it remotely.

Incorrect Assessment

But the researchers who actually discovered and reported the flaw to Oracle disagree with the company's characterization of the vulnerability and called it incorrect.

In a blog post, the researchers — from attack surface management firm Assetnote and two other organizations — said they had achieved pre-authentication remote code execution using the bug when participating at a live hacking event last year. The researchers described the target in that event as one of the largest resorts in the US.

"This vulnerability does not require any authentication to exploit, despite what Oracle claims," Shubham Shah, co-founder and CTO of Assetnote, said in a blog post this week. "This vulnerability should have a CVSS score of 10.0."

Oracle did not respond to a Dark Reading request for commentary on the researchers' assessment of the vulnerability.

Oracle Opera, also known as Micros Opera, is a property management system that hotels and hotel chains worldwide use to centrally manage reservations, guest services, accounting and other operations. Its customers include major chains such as the Wyndham Group, Radisson Hotels, Accor Hotels, Marriott, and IHG.

Attackers who exploit the software can potentially gain access to personally identifiable information, credit card data, and other sensitive information belonging to guests. CVE-2023-21932 exists in version 5.6 of the Opera 5 Property Services platform.

Oracle said the vulnerability allows attackers who exploit it to reach to all data in which Opera 5 Property Services has access. It also would let attackers update, insert, or delete access to at least some of the data in the system.

An Order of Operations Bug

Shah, a bug hunter on the HackerOne platform, discovered the vulnerability while conducting a source-code analysis of Opera in collaboration with Sean Yeoh, engineering lead at Assetnote, Brendan Scarvell, a pen tester with PwC Australia, and Jason Haddix, CISO at adversary emulation company BuddoBot.

Shah and the other researchers identified CVE-2023-21932 as having to do with an Opera code segment sanitizing an encrypted payload for two specific variables, and then decrypting it, instead of doing it the other way around. This type of an "order of operations" bug gives attackers a way to sneak in any payload via the variables without any sanitization happening, the researchers said.

"Order of operations bugs are really rare, and this bug is a very clear example of this bug class," Shah tweeted this week.

"We were able to leverage this bug to gain access to one of the biggest resorts in the US, for a live hacking event."

The researchers outlined the steps they took to overcome specific controls in Opera to achieve pre-authentication execution, noting that none of them required any kind of special access or knowledge of the software.

"All steps performed in the exploitation of this vulnerability were without any authentication," they wrote. They claimed Oracle took almost a full year to release the bug after being notified about it.

Responding to the Assetnote blog, security researcher Kevin Beaumont said there were several Shodan queries an attacker could use to find hotels and other entities using Opera. Beaumont said every property he found via Shodan was unpatched against the flaw. "At some stage, we need to talk about Oracle product security," Beaumont said.

According to Shah and the other researchers, CVE-2023-21932 is just one of many flaws in Oracle Opera — at least some of which the company has not addressed. "Please do not expose this to the Internet, ever," they wrote.