Toshiba Addressing Vulnerabilities in its Retail Software

Toshiba has eliminated a hard-coded cryptographic key in its CHEC software, but is dealing with an information-disclosure bug in its 4690 operating system.

Toshiba last week patched a potentially serious vulnerability in its CHEC self-checkout software prevalent in retail locations, while it is still wrangling with another security issue in its point-of-sale offering.

The vulnerabilities were reported in August 2014 by David Odell of FishNet Security, and were addressed last Tuesday in separate advisories.

The vulnerability in Toshiba CHEC, or Checkout Environment for Consumer-Service, was a hard-coded cryptographic key that affected versions 6.6 and 6.7, and possibly older versions of the software as well.

Toshiba urges users to upgrade to versions 6.6 build level 4014 and 6.7 build level 4329, according to an advisory released Monday by the DHS-sponsored CERT at the Software Engineering Institute at Carnegie Mellon University.

The hard-coded cryptographic key was located in the CreateBossCredentials.jar file, the advisory said, which was removed in the updated versions.

“An attacker that can access the file may be able to use the hard-coded AES key to decrypt its contents, including the BOSS database credentials,” the advisory said. The BOSS database is part of the Back Office Application that accompanies the CHEC client.

The second vulnerability was discovered in the Toshiba 4690 operating system, which is a point-of-sale OS that was acquired in 2012 from IBM. Retail customers use the OS to run a number of other IBM retail applications.

Version 6, release 3, and possibly other earlier versions, are affected by an information disclosure vulnerability, a CERT advisory said.

“Sending a special string to TCP port 54138 causes system environment variables and other information to be returned to an unauthenticated client,” the CERT advisory said. “The vendor has stated that this disclosure occurs by design as part of the support capabilities of 4690.”

The advisory cautions that the data returned contains information about the state of the 4690 OS, but does not contain sensitive transaction information that would come under the Payment Card Institute Data Security Standard (PCI-DSS).

“The information is generally the same as that available by local 4690 APIs or from RMA, the 4690 OS system management function,” the advisory said. As a result, a remote unauthenticated attacker could gain access to system information that could be used in other attacks.

CERT said it is unaware of a fix, and suggests a workaround provided by Toshiba, that includes disabling the ADXSITCF logical name to the string –q.

“This will disable the services that connect with the network to provide this information, however it will also disable RMA system management data collection as well as prevent the use of ADXSITQL by support teams for gathering information without dumping the machine,” CERT said in its advisory.

Suggested articles