The global and independent platform for the SAP community.

The Importance of the SAP Gateway for Security

As many readers will already be aware, securing the SAP gateway is crucial for the security of SAP systems. But what can happen if the gateway is configured incorrectly or insecurely?
Chrisitan Schuller, Claranet
November 22, 2023
avatar
This text has been automatically translated from German to English.

The following section uses insecure Reginfo and Secinfo ACL files to show which attacks on SAP systems are possible. This is not intended as a guide to attacking SAP systems. It merely draws attention to the importance of RFC gateway security for securing systems.

Attack on systems with an insecure Reginfo ACL file: Let's assume that our SAP Basis administrator has set the Reginfo ACL to be insecure. This can be done, for example, by one of the following configurations: gw/acl_mode = 0 and the Reginfo file does not exist; gw/sim_mode = 1 (this removes the implicit "Deny all" line).

Attacks from systems for which an Allow entry that is too open is entered in the Reginfo pose a risk. In this case, an attacker can register any programs with the gateway. He could choose the following configuration for an attack: ./program -a IGS. -g -x sapgw

RFC callback attack

IGS. is specified as the TP name. The attacker pretends to be an Internet Graphics Service (IGS). The IGS. program is called as soon as the IGS is used by a user. 

An attacker could exploit this behavior to carry out an RFC callback attack. If the registered server (and therefore the implemented function module) is called, a connection handle automatically exists. The attacker can use this connection handle to call any other modules in the Abap. In practice, an attacker would, for example, create a user and assign SAP_ALL (or comparable authorizations) to this user. This example thus exploits two vulnerabilities in an SAP system, both of which are frequently found in systems in practice. A well-configured Reginfo ACL would prevent the attack in the same way as correctly configured RFC callback security.

Attack on systems with insecure Secinfo ACL: Attacks on a Secinfo ACL are even easier for an attacker to carry out if the configuration is insecure. The requirements for an attack are very similar to Reginfo. Profile parameters gw/acl_mode = 0 (with missing secinfo file), gw/sim_mode = 1 or an Allow entry that is too open for an attacker system can lead to an attack on the system being possible.

A proof of concept has already been created by Dmitry Chastuhin (https://github.com/chipik/SAP_GW_RCE_exploit). Any operating system command can be executed on the attacked system. However, an attacker can also achieve the same with a normal SAP system (as an attacker system). A type T RFC connection to the attacked system is set up with the sapxpg program. Next, an external OS command is created in SM49. This command is executed with the RFC-Type-T connection on the system to be attacked. As these settings or commands take place on the attacker system, authorization checks are irrelevant. In addition to good network segmentation, only a good Secinfo configuration offers protection.

Correct configuration of Reginfo and Secinfo: The question is how Reginfo and Secinfo can be set up securely without restricting the SAP system. SAP Note 1408081 provides a good basic framework for this. These basic settings can then be expanded through protocol analysis, if necessary in combination with the simulation mode. This ensures that Reginfo and Secinfo are configured correctly with relative ease.

claranet.de

avatar
Chrisitan Schuller, Claranet


Write a comment

Working on the SAP basis is crucial for successful S/4 conversion. 

This gives the Competence Center strategic importance for existing SAP customers. Regardless of the S/4 Hana operating model, topics such as Automation, Monitoring, Security, Application Lifecycle Management and Data Management the basis for S/4 operations.

For the second time, E3 magazine is organizing a summit for the SAP community in Salzburg to provide comprehensive information on all aspects of S/4 Hana groundwork.

Venue

More information will follow shortly.

Event date

Wednesday, May 21, and
Thursday, May 22, 2025

Early Bird Ticket

Available until Friday, January 24, 2025
EUR 390 excl. VAT

Regular ticket

EUR 590 excl. VAT

Venue

Hotel Hilton Heidelberg
Kurfürstenanlage 1
D-69115 Heidelberg

Event date

Wednesday, March 5, and
Thursday, March 6, 2025

Tickets

Regular ticket
EUR 590 excl. VAT
Early Bird Ticket

Available until December 24, 2024

EUR 390 excl. VAT
The event is organized by the E3 magazine of the publishing house B4Bmedia.net AG. The presentations will be accompanied by an exhibition of selected SAP partners. The ticket price includes attendance at all presentations of the Steampunk and BTP Summit 2025, a visit to the exhibition area, participation in the evening event and catering during the official program. The lecture program and the list of exhibitors and sponsors (SAP partners) will be published on this website in due course.