Skip links

Security check when you execute external commands, SAP security note 686765

Description

You want to increase the security level of your SAP system with regard to the execution of external commands.
The following situation applies if you do not use the solution described below:
The assumption is that a user has the following authorizations in an SAP system ABC:
– create external commands
– execute external commands
– create RFC destinations

In this case, this user can also execute external commands on other hosts:

a) that can be accessed from the system via TCP/IP, and
b) where an SAP RFC server program SAPXPG is located, and
c) where an SAP application server is running OR where an <ABC>adm operating system user exists.

This is even the case if the user has no authorizations for this host.
With the solution described below, you can specify a list of operating system commands that cannot be executed by SAPXPG.

Available fix and Supported packages

  • SAP_BASIS | 46B | 46D
  • SAP_BASIS | 610 | 640

Affected component

    BC-CCM-BTC-EXT
    External and Logical Commands

CVSS

Score: 0

PoC

Detailed vulnerability information added to RedRays Security Platform. Contact [email protected] for details.

URL

https://launchpad.support.sap.com/#/notes/686765

TAGS

#External-program
#sm59

Udemy SAP Security Course.

Join “SAP Security Core Concepts and Security Administration” which is part of the Blackhat course series. This course will help you master SAP security fundamentals, from securing SAP environments to managing user access and addressing vulnerabilities. It is ideal for IT professionals and SAP administrators, providing practical skills to safeguard critical business assets. Whether you’re a beginner or an expert looking to deepen your SAP security knowledge, this course is perfect for you.

More to explorer

Special offer for SAP Security Udemy course!

$ 9.99

Join “SAP Security Core Concepts and Security Administration” which is part of the Blackhat course series.