Vahagn Vardanian

Co-founder and CTO of RedRays

GW Changes to the ACL list of the gateway (secinfo), SAP security note 614971

Description

For kernel releases up to and including 46D, the secinfo file defines both which external programs may be started through the gateway and which external server programs may register on it.

As of Release 6.40, the registration of external server programs is controlled by a separate file (reginfo); see Note 1069911 for details.

The name of the secinfo file is defined by the profile parameter gw/sec_info (reginfo is defined by gw/reg_info). The default path is:
/usr/sap/<SID>/<INSTANCE>/data/secinfo

If the file does not exist, the gateway enforces no ACL at all and starts every external program that is requested. A missing file is therefore the least secure state, not a locked-down one, so check that the file actually exists on every gateway.

If the file exists but is empty or contains no valid line, no external program can be started.

If you want to start an external program, the system searches the file for a valid entry. If it cannot find a valid entry, it refuses to start the external program and issues the following error message:

ERROR   user <usr> is not authorized to start TP <program name> on host
        <host>
RC      676 (GW_SECURITY_ERROR)

This format has the following limitations:

    1. Every program must be listed separately with its program ID (TP). If the program ID is generated dynamically (for example, by the BEx Analyzer), wildcards can be used as of a certain kernel patch level.
    2. The host on which the program runs (HOST) and the host of the calling user (USER-HOST) must be specified separately. With many different hosts, this is hard to maintain.
    3. In the exceptional case that an external program starts another external program and both communications run on the same host, "local" must be entered as the USER-HOST, otherwise the request is rejected.
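The following Python script, added as an example for this page (it is not SAP code and not part of the note), simulates the gateway's decision exactly as described above: no file means everything is allowed, an existing file without a valid line means nothing is allowed, otherwise a request is allowed only if some entry matches USER, USER-HOST, HOST and TP (with "*" wildcards), and a caller on the gateway host is classified as "local". The comma-separated keyword entry syntax, the sample secinfo contents, the host and user names and the "local" normalisation are assumptions made for the simulation.

```python
"""Simulate the gateway's secinfo decision for starting an external program.

Added example; not SAP code. The entry syntax assumed here is the
comma-separated keyword form
    USER=<user>, [USER-HOST=<host>,] HOST=<host>, TP=<program>
(assumption); the decision rules follow the note text on this page.
"""
import fnmatch
from typing import Dict, List, Optional

GW_SECURITY_ERROR = 676  # return code that accompanies the error text


def parse_secinfo(text: Optional[str]) -> Optional[List[Dict[str, str]]]:
    """Parse secinfo contents.

    text is None  -> the file does not exist; return None (no ACL at all).
    Otherwise return the list of valid entries (possibly empty).
    A line is valid only if it carries USER, HOST and TP; USER-HOST is
    optional and defaults to '*' (assumption for this simulation).
    """
    if text is None:
        return None
    entries: List[Dict[str, str]] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields: Dict[str, str] = {}
        for part in line.split(","):
            key, sep, value = part.partition("=")
            if not sep:          # malformed field -> the whole line is invalid
                fields = {}
                break
            fields[key.strip().upper()] = value.strip()
        if {"USER", "HOST", "TP"} <= fields.keys():
            fields.setdefault("USER-HOST", "*")
            entries.append(fields)
    return entries


def _match(pattern: str, value: str) -> bool:
    """'*' wildcards in the pattern (available as of a certain kernel patch level)."""
    return fnmatch.fnmatchcase(value, pattern)


def may_start(entries, user, user_host, host, tp, gateway_host):
    """Return (allowed, message) for a request by user@user_host to start tp on host."""
    if entries is None:                 # no secinfo file: everything is allowed
        return True, ""
    # A caller on the gateway host itself is classified as "local", so the
    # matching entry must carry USER-HOST=local (modelling assumption).
    requester = "local" if user_host == gateway_host else user_host
    for e in entries:                   # empty list: nothing matches, nothing is allowed
        if (_match(e["USER"], user) and _match(e["USER-HOST"], requester)
                and _match(e["HOST"], host) and _match(e["TP"], tp)):
            return True, ""
    msg = (f"ERROR   user {user} is not authorized to start TP {tp} on host {host}\n"
           f"RC      {GW_SECURITY_ERROR} (GW_SECURITY_ERROR)")
    return False, msg


# Constructed sample file (not taken from a real system).
SECINFO = """\
# BEx Analyzer generates its program ID dynamically, hence the wildcard
USER=bwuser, HOST=sapapp01, TP=BEX*
# an external program on the gateway host that starts another one
USER=batch, USER-HOST=local, HOST=sapapp01, TP=/usr/sap/convert
USER=*, HOST=sapapp01, TP=sapxpg
"""

if __name__ == "__main__":
    acl = parse_secinfo(SECINFO)
    for req in [("bwuser", "pc42", "sapapp01", "BEX_A1B2"),
                ("batch", "sapapp01", "sapapp01", "/usr/sap/convert"),
                ("batch", "pc42", "sapapp01", "/usr/sap/convert")]:
        allowed, message = may_start(acl, *req, gateway_host="sapapp01")
        print(req, "ALLOWED" if allowed else message)
```

The third request in the usage block is the case from item 3: the same user and program are allowed from the gateway host (classified as "local") but rejected with RC 676 when the call comes from another host, because the entry names USER-HOST=local rather than that host.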

Available fix and supported packages

  • SAP_BASIS | 46B | 46D
  • SAP_BASIS | 620 | 640
  • SAP KERNEL 4.6D_EX2 32-BIT | SP2381 | 002381
  • SAP KERNEL 4.6D_EX2 64-BIT | SP2381 | 002381
  • SAP KERNEL 4.6D_EXT 32-BIT | SP2381 | 002381
  • SAP KERNEL 4.6D_EXT 64-BIT | SP2381 | 002381
  • SAP KERNEL 6.40 32-BIT | SP224 | 000224
  • SAP KERNEL 6.40 32-BIT UNICODE | SP224 | 000224
  • SAP KERNEL 7.00 32-BIT | SP150 | 000150
  • SAP KERNEL 7.00 32-BIT UNICODE | SP150 | 000150
  • SAP KERNEL 7.00 64-BIT | SP150 | 000150
  • SAP KERNEL 7.00 64-BIT UNICODE | SP150 | 000150

Affected component

    BC-CST-GW
    Gateway/CPIC

CVSS

Score: 0

PoC

Detailed vulnerability information added to RedRays Security Platform. Contact [email protected] for details.

URL

https://launchpad.support.sap.com/#/notes/614971

TAGS

#secinfo #gw/sec_info #ACL #access-control-list #Gateway #BeX-Analyzer #676-GW_SECURITY_ERROR
