Check-Out With Extra Charges - Vulnerabilities in Hotel Booking Engine Explained

Booking engines – they make the worlds of travel and hospitality spin around. Estimated at over $US 500 billion, this market moves fast. These engines are a critical, nearly invisible part of the hospitality industry, and their security is essential to protect guests’ personal and financial information. Occasionally, booking technology falls victim to motivated threat actors who use vulnerabilities in code to get access to sensitive customer information such as name, address, email address, phone number, credit or debit card number, expiration date, and security code or card verification code.

This was the case of a cyber-attack discovered back in 2021 against the IRM Next Generation online booking engine built by Resort Data Processing, Inc. (“RDP”). This attack is probably not singular amongst the wide range of online booking engines built by various other software companies. However, it is closely related to an investigation that Bitdefender was called in for help. Incidentally, the results of the investigation also helped us understand how the 2021 cyber-attack against IRMNg took place and we’re drafting our findings in this report to help other business entities stay protected.

Attack at a glance

While investigating anomalous activity, Bitdefender researchers found malicious files on servers running the IRM Next Generation online booking engine built by Resort Data Processing, Inc.

Our investigation reveals the extent of the attack but also outlines several vulnerabilities in the IRM Next Generation online booking engine that were identified, catalogued and responsibly reported to the vulnerable vendor as per the timeline below.

Identified vulnerabilities

• CVE-2023-39420 - Use of Hard-coded Credentials in RDPCore.dll (CWE-798)
• CVE-2023-39421 - Use of Hard-coded Credentials in RDPWin.dll CWE-798)
• CVE-2023-39422 - Use of Hard-coded Credentials in /irmdata/api/ endpoints (CWE-798)
• CVE-2023-39423 - Improper Neutralization of Special Elements used in an SQL Command in RDPData.dll (CWE-89)
• CVE-2023-39424 - Improper Neutralization of Special Elements in Output Used by a Downstream Component (‘Injection’) in RDPngFileUpload.dll (CWE-74)

Disclosure timeline

April-May, 2023 – Bitdefender identifies issues in multiple components of the IRMNg application during a malware infection investigation

• May 23, 2023 – Bitdefender makes a first contact attempt with the vulnerable vendor via email
• May 30, 2023 – Given that the previous attempt did not yield any result, Bitdefender makes a second attempt via email
• August 02, 2023 – Bitdefender allocates CVE numbers for the identified vulnerabilities
• August 16, 2023 – Bitdefender continues to reach out to the vulnerable vendor through Twitter, Facebook. Our efforts go once again unacknowledged
• September 07, 2023 – This report becomes public as part of our responsible disclosure program

Responsible disclosure

As a CVE Numbering Authority, we understand the importance of vulnerability disclosure. In the past decade, we have sent (and received) numerous vulnerability notifications. This time, our efforts to reach out to the vulnerable vendor remained unanswered. Given the fact that cyber-criminals are actively using these vulnerabilities and that our investigation revealed the existence of several other victims, we decided to make this information public.

We urge all companies using vulnerable versions of the IRMNG engine to evaluate the impact of these vulnerabilities and take appropriate action (you can also read a deep-dive into the attack on our Business Insights blog).

Indicators of Compromise

An up-to-date and complete list of indicators of compromise is available to Bitdefender Advanced Threat Intelligence users. The currently known indicators of compromise can be found in the full research paper available below:

Download the whitepaper