Skip links
Arpine Maghakyan

Arpine Maghakyan

Security Researcher of RedRays.

Security check when you execute external commands, SAP security note 686765

Description

You want to increase the security level of your SAP system with regard to the execution of external commands.
The following situation applies if you do not use the solution described below:
The assumption is that a user has the following authorizations in an SAP system ABC:
– create external commands
– execute external commands
– create RFC destinations

In this case, this user can also execute external commands on other hosts:

a) that can be accessed from the system via TCP/IP, and
b) where an SAP RFC server program SAPXPG is located, and
c) where an SAP application server is running OR where an <ABC>adm operating system user exists.

This is even the case if the user has no authorizations for this host.
With the solution described below, you can specify a list of operating system commands that cannot be executed by SAPXPG.

Available fix and Supported packages

  • SAP_BASIS | 46B | 46D
  • SAP_BASIS | 610 | 640

Affected component

    BC-CCM-BTC-EXT
    External and Logical Commands

CVSS

Score: 0

Exploit

Detailed vulnerability information added to RedRays Security Platform. Contact [email protected] for details.

URL

https://launchpad.support.sap.com/#/notes/686765

TAGS

#External-program
#sm59

More to explorer

RedRays at Black Hat MEA 2023

🔒 “FROM ON-PREMISES TO CLOUD: A COMPREHENSIVE ANALYSIS OF SAP SECURITY ISSUES” 🔒 📅 17:40, Wed, Nov 15📍 Briefing Stage 4 At

SAP Security For All

RedRays Security Platform for Penetration testers and Bug hunters

The product package is specifically created for cyber security experts who have encountered SAP while participating in bug bounty programs.

RedRays Security Platform for SAP Consultants

The product package is designed for SAP consultants conducting security assessments of SAP ERP systems. We provide essential tools and resources to help professionals in this field conduct their work effectively.

RedRays Security Platform for Enterprises

The product package is specifically optimized to cater to the needs of both small/medium and large companies who are seeking to streamline the process of organizing a comprehensive security system for ERP systems.