Skip links
RedRays - Your SAP Security Solution
Arpine Maghakyan

Arpine Maghakyan

Security Researcher of RedRays.

Security check when you execute external commands, SAP security note 686765

Description

You want to increase the security level of your SAP system with regard to the execution of external commands.
The following situation applies if you do not use the solution described below:
The assumption is that a user has the following authorizations in an SAP system ABC:
– create external commands
– execute external commands
– create RFC destinations

In this case, this user can also execute external commands on other hosts:

a) that can be accessed from the system via TCP/IP, and
b) where an SAP RFC server program SAPXPG is located, and
c) where an SAP application server is running OR where an <ABC>adm operating system user exists.

This is even the case if the user has no authorizations for this host.
With the solution described below, you can specify a list of operating system commands that cannot be executed by SAPXPG.

Available fix and Supported packages

  • SAP_BASIS | 46B | 46D
  • SAP_BASIS | 610 | 640

Affected component

    BC-CCM-BTC-EXT
    External and Logical Commands

CVSS

Score: 0

Exploit

Detailed vulnerability information added to RedRays Security Platform. Contact [email protected] for details.

URL

https://launchpad.support.sap.com/#/notes/686765

TAGS

#External-program
#sm59

More to explorer

SAP Cloud Connector Certificate Validation Issue

February 13, 2024

Date of Release: February 13, 2024 Advisory ID: CVE-2024-25642 Affected Software: SAP Cloud Connector Versions Affected: 2.15.0 to 2.16.1 Vulnerability Summary:A critical vulnerability,