The global and independent platform for the SAP community.

The Importance of the SAP Gateway for Security

As many readers will already be aware, securing the SAP gateway is crucial for the security of SAP systems. But what can happen if the gateway is configured incorrectly or insecurely?
Chrisitan Schuller, Claranet
November 22, 2023
Content:
avatar
This text has been automatically translated from German to English.

The following section uses insecure Reginfo and Secinfo ACL files to show which attacks on SAP systems are possible. This is not intended as a guide to attacking SAP systems. It merely draws attention to the importance of RFC gateway security for securing systems.

Attack on systems with an insecure Reginfo ACL file: Let's assume that our SAP Basis administrator has set the Reginfo ACL to be insecure. This can be done, for example, by one of the following configurations: gw/acl_mode = 0 and the Reginfo file does not exist; gw/sim_mode = 1 (this removes the implicit "Deny all" line).

Attacks from systems for which an Allow entry that is too open is entered in the Reginfo pose a risk. In this case, an attacker can register any programs with the gateway. He could choose the following configuration for an attack: ./program -a IGS. -g -x sapgw

RFC callback attack

IGS. is specified as the TP name. The attacker pretends to be an Internet Graphics Service (IGS). The IGS. program is called as soon as the IGS is used by a user. 

An attacker could exploit this behavior to carry out an RFC callback attack. If the registered server (and therefore the implemented function module) is called, a connection handle automatically exists. The attacker can use this connection handle to call any other modules in the Abap. In practice, an attacker would, for example, create a user and assign SAP_ALL (or comparable authorizations) to this user. This example thus exploits two vulnerabilities in an SAP system, both of which are frequently found in systems in practice. A well-configured Reginfo ACL would prevent the attack in the same way as correctly configured RFC callback security.

Attack on systems with insecure Secinfo ACL: Attacks on a Secinfo ACL are even easier for an attacker to carry out if the configuration is insecure. The requirements for an attack are very similar to Reginfo. Profile parameters gw/acl_mode = 0 (with missing secinfo file), gw/sim_mode = 1 or an Allow entry that is too open for an attacker system can lead to an attack on the system being possible.

A proof of concept has already been created by Dmitry Chastuhin (https://github.com/chipik/SAP_GW_RCE_exploit). Any operating system command can be executed on the attacked system. However, an attacker can also achieve the same with a normal SAP system (as an attacker system). A type T RFC connection to the attacked system is set up with the sapxpg program. Next, an external OS command is created in SM49. This command is executed with the RFC-Type-T connection on the system to be attacked. As these settings or commands take place on the attacker system, authorization checks are irrelevant. In addition to good network segmentation, only a good Secinfo configuration offers protection.

Correct configuration of Reginfo and Secinfo: The question is how Reginfo and Secinfo can be set up securely without restricting the SAP system. SAP Note 1408081 provides a good basic framework for this. These basic settings can then be expanded through protocol analysis, if necessary in combination with the simulation mode. This ensures that Reginfo and Secinfo are configured correctly with relative ease.

claranet.de

avatar
Chrisitan Schuller, Claranet


Write a comment

Work on SAP Basis is crucial for successful S/4 conversion. This gives the so-called Competence Center strategic importance among SAP's existing customers. Regardless of the operating model of an S/4 Hana, topics such as automation, monitoring, security, application lifecycle management, and data management are the basis for the operative S/4 operation. For the second time already, E3 Magazine is hosting a summit in Salzburg for the SAP community to get comprehensive information on all aspects of S/4 Hana groundwork. With an exhibition, expert presentations, and plenty to talk about, we again expect numerous existing customers, partners, and experts in Salzburg. E3 Magazine invites you to Salzburg for learning and exchange of ideas on June 5 and 6, 2024.

Venue

Event Room, FourSide Hotel Salzburg,
At the exhibition center 2,
A-5020 Salzburg

Event date

June 5 and 6, 2024

Tickets

Early Bird Ticket - Available until 29.03.2024
EUR 440 excl. VAT
Regular ticket
EUR 590 excl. VAT

Secure your Early Bird ticket now!

Venue

Event Room, Hotel Hilton Heidelberg,
Kurfürstenanlage 1,
69115 Heidelberg

Event date

28 and 29 February 2024

Tickets

Regular ticket
EUR 590 excl. VAT
The organizer is the E3 magazine of the publishing house B4Bmedia.net AG. The presentations will be accompanied by an exhibition of selected SAP partners. The ticket price includes the attendance of all lectures of the Steampunk and BTP Summit 2024, the visit of the exhibition area, the participation in the evening event as well as the catering during the official program. The lecture program and the list of exhibitors and sponsors (SAP partners) will be published on this website in due time.