Freely subscribe to our NEWSLETTER

The main results discovered by ERPScan researchers were presented today at the biggest infosecurity conference in the world: BlackHat 2013, held in Las Vegas, USA. A talk by Dmitry Chastukhin, the director of SAP pentesing in ERPScan, called "With BIG Data comes BIG responsibility: practical exploiting of MDX injections", opened the technical section of the event.

Dmitry talked about the security of Business Intelligence systems which are used everywhere to process great amounts of non-structured data, also called Big Data. This study can be considered the first research in the world that is focused on the practical security of those systems, which store the most important data of various-scale companies.

The technologies of Big Data and Business Intelligence gain more and more popularity among large enterprises. In 2011, the analysts of Gartner distinguished Big Data as the second most important IT trend after virtualization. The amount of processed data in the world is predicted to grow by 48 times in 2020 in comparison to 2009.

At the same time, there is next to no information about the security of such systems. The experts of ERPScan, who have a tradition of conducting a thorough hacking analysis of any business-critical technology which has attracted little or no security research before (for example, SAP or Enterprise Service Bus), have studied the system and come to curious results.

Business Intelligence software is vital for every large company: it helps to store and process large amounts of critical data, plan corporate strategy, make important managerial decisions. Predictions and analytics require great amounts of data which is accumulated as a result of the company’s activities over a certain period (for example, several years). Processing large amounts of data is quite a specific task, so a new technology has emerged, called OLAP (Online Analytical Processing). In Business Intelligence systems, information is stored in multidimensional structures called infocubes, and data is retrieved out of them with the help of MDX language (MultiDimensional eXpressions). MDX syntax is very similar to SQL syntax, but it has a few peculiarities.

OLAP systems are used and developed in many spheres of modern world, from governmental systems for statistical data analysis to ERP systems and online advertising. This kind of solutions is used to analyze the performance of production/distribution enterprises, to expose the trends of online marketing, to analyze the characteristics and explicit/implicit feedback given by clients/customers in a certain public or private sector. Nowadays, almost every big company uses a business intelligence solution: Microsoft (Microsoft Analysis Services), Oracle (Essbase), SAP, MISConsulting SA (icCube OLAP Server), Panorama Software (Panorama).

It is not surprising that the OLAP server of a company is one of the tasty targets for attackers now. How can the programmers who develop this kind of products seem to forget about security?

The researchers of ERPScan – Dmitry Chastukhin and Alexander Bolshev – have found out that hackers can use search engines to easily find a hundred of OLAP servers of various companies which are available on the Internet. It is also notable that the parameters of MDX queries to OLAP servers are not filtered, which allows attackers to inject arbitrary operators into an existing MDX query and get access to almost all data from the OLAP server. Furthermore, the features of MDX allow creating user defined functions which the attacker can use to compromise the OLAP server and the corporate network overall.

The researchers have demonstrated attacks of remote code execution, file reading, cross-site scripting, information disclosure and XML external entities injection in such systems as SAP, icCube, Panorama, Microsoft AS, which occupy 35 % of BI market taken together. The process of code injection itself was described in detail: what can be injected, where and to which parts of the query, how to retrieve the structure of an infocube and the information which is stored there. The research has showed that most OLAP servers of various companies have a vulnerability which opens a loophole into corporate resources for experienced hackers.

If said hackers are successful in attacking Business Intelligence systems, they will kill two birds with one stone: get access to the critical corporate resources and compromise the critical data of the company right away. The results are reputation risks, losses of information and finances, threats to the further development of any organization. It is yet unclear who or what can prevent cybercriminals from conducting the described attacks.

The speakers themselves claim that they have only outlined the problem of OLAP server security. Undoubtedly, a lot more vulnerabilities can be found in the famous products of large vendors, but surely the situation will not change until it is spoken about. We hope that the time is now.