Skip links
Vahagn Vardanian

Vahagn Vardanian

Co-founder and CTO of RedRays

Update 1 to Security Note 1686632, SAP security note 2102941

Description

This is an update to SAP Security Note 1686632, since the SAP Note in its original version was not clear for releases 620 and 640 as well as for releases from 700 onwards in conjunction with the kernel versions 720 and 721 available.

When you use a synchronous RFC in ABAP, you can, from the context of the remote (called) function module, use the RFC destination “BACK” to execute remote-enabled modules in the context of the RFC caller if the RFC caller has the necessary RFC authorizations and the callback is not prohibited by the previous call of the function module RFC_CALLBACK_REJECTED (see SAP Note 1515925).

Available fix and Supported packages

  • KRNL32NUC | 6.40 | 6.40EX2
  • KRNL32NUC | 7.20 | 7.20
  • KRNL32NUC | 7.20EXT | 7.20EXT
  • KRNL32NUC | 7.21 | 7.21
  • KRNL32NUC | 7.21EXT | 7.21EXT
  • KRNL32UC | 6.40 | 6.40EX2
  • KRNL32UC | 7.20 | 7.20
  • KRNL32UC | 7.20EXT | 7.20EXT
  • KRNL32UC | 7.21 | 7.21
  • KRNL32UC | 7.21EXT | 7.21EXT
  • KRNL64NUC | 6.40 | 6.40EX2
  • KRNL64NUC | 7.20 | 7.20
  • KRNL64NUC | 7.20EXT | 7.20EXT
  • KRNL64NUC | 7.21 | 7.21
  • KRNL64NUC | 7.21EXT | 7.21EXT
  • KRNL64NUC | 7.38 | 7.38
  • KRNL64NUC | 7.40 | 7.40
  • KRNL64NUC | 7.41 | 7.41
  • KRNL64NUC | 7.42 | 7.42
  • KRNL64UC | 6.40 | 6.40EX2

Affected component

    BC-MID-RFC
    RFC

CVSS

Score: 0

PoC

Detailed vulnerability information added to RedRays Security Platform. Contact [email protected] for details.

URL

https://launchpad.support.sap.com/#/notes/2102941

TAGS

#Callback
#synchronous-RFC
#RFC_CALLBACK_REJECTED
#rfc/callback_security_method

More to explorer

Special offer for SAP Security Udemy course!

$ 9.99

Join “SAP Security Core Concepts and Security Administration” which is part of the Blackhat course series.