Markus Seibel
SAP SECURITY BEYOND AUTHORIZATIONS Vulnerability of SAP-Systems using the example of „Remote Function Calls“
www.opel.com
1. Introduction 2. Overview – the RFC architecture 3. ABAP RFC – Security considerations 1. 2. 3. 4.
The Object S_RFC Demo: „3 … 2 … 1 … SAP_ALL“ System configuration and administration Approach to restrict S_RFC
4. Gateway Security – often neglected 5. Summary – 10 rules for RFC security Markus Seibel
TABLE OF CONTENTS AGENDA. 2
Security beyond authorizations
INTRODUCTION
3
•
•
•
SAP systems are often part of heterogeneous system landscapes (many communications interfaces), often even connected to the internet Security in SAP systems must be considered across several layers (operating system, database, network, SAP application, ABAP/JAVA Stack) SAP systems are more and more targets of hacker attacks and industrial espionage
SAP note 1504652: Secure Configuration of Application Server ABAP SAP_Security_Recommendations_ABAP.pdf Security beyond authorizations
INTRODUCTION AGENDA. 4
BIZEC ( www.bizec.org ): • •
• •
•
SAP security is a complex discipline. It must be addressed holistically While functional security (e.g. segregation of duties) is highly important, there are many other threats, which imply higher levels of risk and are not usually properly assessed. Several of the presented threats can be exploited by attackers who do not even have a valid SAP user in the system! Because of the technical layer being the foundation of the business logic, a successful exploitation of several of these vulnerabilities would usually result in a complete compromise of the business information and processes (SAP_ALL privileges or equivalent). Potential weaknesses around SAP‘s RFC functionality are described in two items of the „TEC/11“ and implicitly also part of the „APP/11“ Security beyond authorizations
INTRODUCTION AGENDA. 5
Overview
THE RFC ARCHITECTURE
6
1. ABAP RFC - ABAP System is server - Check via S_RFC and login - Client can be SAP or non-SAP System
RFC Client (calling) / RFC Server (is being called)
2. Registered Server program - Registration at „gateway“ - communications interface to non-SAP systems - Defined target of type „T“ destinations in SM59 3. Start of an external program The „gateway“ starts a program on the operating system, in order to manage RFC calls Source: Secure Configuration of SAP NetWeaver® Application Server Using ABAP™ „Remote Function Calls“ in SAP
Version 1.2 - January 2012
THE RFC ARCHITECTURE AGENDA. 7
Security considerations
ABAP RFC
8
•
During an ABAP RFC call, a user authentication is taking place, afterwards the authorization for the function group of the called function module is checked via object S_RFC
•
Well, then all seems to be secure… doesn‘t it?
ABAP RFC – Security considerations
THE OBJECT S_RFC AGENDA. 9
In reality, S_RFC is often granted with „star“ value, even to end users! S_RFC protects the entire function group1, which may consist of several RFCenabled function modules (uncritical and critcal functions) During development of RFC-enabled modules2 the developer has mostly only his dedicated usage area in mind; the general external availability (and thus the higher security demands) are negelected: - No dedicated authority check - Insufficient validation of parameters - The calling program is being trusted blindly!
• • •
________________ 1 Since NetWeaver 7
EHP 2 you can restrict S_RFC also on function module layer 2 Some SAP security notes have also fixed vulnerabilities in SAP standard code
ABAP RFC – Security considerations
THE OBJECT S_RFC AGENDA. 10
RFC-enabled SAP function module without authority check, which directly executes native SQL commands on the SAP database (Vulnerability has been fixed by SAP on 14.12.2010 via SAP note 1456569) The RFC SDK (download available in SAPNet) is locally installed on the Windows PC A user with „regular“ access rights, without development access, but with wide open S_RFC – authorization logs on to the system Then, a „special“ SQL command is submitted via RFC SDK from the Windows-PC, which will result in SAP_ALL privileges
•
• • •
Demo "Ich hol' mir mal SAP_ALL"
Video provided by VirtualForge GmbH ABAP RFC – Security considerations
AGENDA. DEMO: „3 … 2 … 1 … SAP_ALL“ 11
The RFC architecture allows ABAP RFC calls from any system, this means also from non-SAP systems (assuming the right level of knowledge and software even from MS Office!) Thus, in the case of end users with unlimited S_RFC access, the risk of uncontrolled Excel based „do-it-yourself mass posting apps“ exists! [No „attack“, but potential incident]
•
•
Counter measures: - Object S_RFC access must be restricted - RFC users should in general only have limited access rights - ABAP development guidelines for RFC security - ABAP code reviews to avoid unsecure RFC function modules - System configuration and administration
•
ABAP RFC – Security considerations
THE OBJECT S_RFC AGENDA. 12
Profile parameter auth/rfc_authority_check Controls, whether and how object S_RFC is checked within „Remote Function Calls“ (see also SAP note 931252). The documentation seems to indicate stronger checks when setting values 2 or 9 (S_RFC is also checked in the „same user context“). Difference between values 1 and 2 (or 9): Remote function calls in the same user context1 (ABAP: call function ... destination 'NONE'). Value "1" - no check for S_RFC Value "2" - S_RFC is checked, too Consequence of setting value “2“ (not recommended!): The above ABAP statement is widely used in SAP, in order to execute functions in a separate memory area. Therefore you need to grant wide S_RFC access to end users for their daily work in the system, although they never perform any remote login! _____________________ 1 wrongly referred to as „single-sign-on“
ABAP RFC – Security considerations
SYSTEM AGENDA.CONFIGURATION 13
Internal RFC call (type = F): End user performs a posting, the system is automatically updating CO-PA data by calling a function module in a separate memory area via RFC destination ‘NONE‘. An authority check against S_RFC only takes place, if the RFC profile parameter is set to value „2“. In this case you would have to grant S_RFC to the user, although no remote logon is taking place!
External RFC call with Remote login (type = R): User MAESTRO has logged on as target user of an external RFC call. An authority check against S_RFC always takes place in this case. ABAP RFC – Security considerations
SYSTEM AGENDA.CONFIGURATION 14
DEV 01
QA 01
PRD 01
DEV 02
QA 02
PRD 01
Calls from systems with lower security classification with „stored“ logon data or „trusted“ to those with higher classification must be avoided! ABAP RFC – Security considerations
SYSTEM AGENDA.ADMINISTRATION 15
•
On development systems „nearly everybody“ is able to test function modules by making use of all existing RFC destinations (Use can be restricted by authority groups and object S_ICF)
• • •
• •
„Powerful“ target users make attacker‘s work even easier When using „Trusted RFC“, a system with higher security classification should in general never trust a system with lower classification If RFC calls to a system with higher classification cannot be avoided, significant attention must be paid to the access rights of the RFC target user Never combine independent RFC calls and / or destinations into the same RFC target user! A regular review of the RFC landscape including documentation of allowed exceptions (e.g. SAP TMS) should become mandatory
ABAP RFC – Security considerations
SYSTEM AGENDA.ADMINISTRATION 16
System : PR1/001 User : JOB_01 RFC-Dest. : RF2_200_CALL RFC-User : RFC_01 CALL FUNCTION ‘Z_RF2_EXEC‘ DESTINATION ‘RF2_200_CALL‘ EXPORTING …
System User
: RF2/200 : RFC_01
FUNCTION ‘Z_RF2_EXEC‘ CALL FUNCTION ‘Z_XYZ‘ DESTINATION ‘BACK‘ EXPORTING … ENDFUNCTION.
New RFC session with automatic login as user JOB_01 with existing rights of JOB_01 and call of funktion module Z_XYZ, S_RFC is checked accordingly
ABAP RFC – Security considerations
SPECIAL CASE: CALLBACK AGENDA. 17
System : PR1/001 User : JOB_01 RFC-Dest. : RF2_200_CALL RFC-User : RFC_01 CALL FUNCTION ‘Z_RF2_EXEC‘ DESTINATION ‘RF2_200_CALL‘ EXPORTING …
System User
: RF2/200 : RFC_01
FUNCTION ‘Z_RF2_EXEC‘ CALL FUNCTION ‘Z_XYZ‘ DESTINATION ‘BACK‘ EXPORTING … ENDFUNCTION.
New RFC session with automatic login as user JOB_01 With awith modification or enhancement of a function module, which is known existing rightsto ofbe called via RFC, a callback can be inserted: JOB_01 and call of funktion module Z_XYZ, S_RFC is CALL FUNCTION ‘___
