Skip links
Arpine Maghakyan

Arpine Maghakyan

Security Researcher of RedRays.

Security check when you execute external commands, SAP security note 686765


You want to increase the security level of your SAP system with regard to the execution of external commands.
The following situation applies if you do not use the solution described below:
The assumption is that a user has the following authorizations in an SAP system ABC:
– create external commands
– execute external commands
– create RFC destinations

In this case, this user can also execute external commands on other hosts:

a) that can be accessed from the system via TCP/IP, and
b) where an SAP RFC server program SAPXPG is located, and
c) where an SAP application server is running OR where an <ABC>adm operating system user exists.

This is even the case if the user has no authorizations for this host.
With the solution described below, you can specify a list of operating system commands that cannot be executed by SAPXPG.

Available fix and Supported packages

  • SAP_BASIS | 46B | 46D
  • SAP_BASIS | 610 | 640

Affected component

    External and Logical Commands


Score: 0


Exploit is not available.
For detailed information please contact the mail [email protected].




More to explorer