
Tuesday, August 23, 2011

SAP Note 863362 - Security checks in the SAP Early Watch Alert


Symptom
The SAP EarlyWatch Alert report contains selected checks about "Security". These checks are described in this note.


Other terms
EarlyWatch Alert, EWA, security, RSECNOTE


Reason and Prerequisites
The checks were first delivered with the SAP Solution Manager Plug-In ST-SER 620_2005_1 and they have been revised several times since then.


Solution
As of Support Package 3 of the SAP Solution Manager Plug-Ins ST-SER 701_2008_2, the "Security" unit in the SAP EarlyWatch Alert report refers to the following structure:
    1. "Security-related SAP Notes"
    2. "Users with Critical Authorization"
      a) "Users Authorized to Display all Tables"
      b) "Users Authorized to start all Reports"
      c) "Users Authorized to Debug / Replace"
      d) "Users Authorized to Display Other Users Spool Request"
      e) "Users Authorized to Administer RFC Connections"
      f) "Users Authorized to Reset/Change User Passwords"
    3. "Default Passwords of Standard Users"


The individual checks are described here:

  • "Security-related SAP Notes"
    • In this section, a check determines whether selected, required security-relevant SAP Notes or HotNews have been implemented in the system.
    • A note or a HotNews is no longer required if your system release or Support Package level already contains the correction.
    • If the check finds that required security-relevant notes or HotNews have not been implemented, this is reflected in the overall status of the SAP EarlyWatch Alert report. The unit receives a "yellow" rating if at least one security-relevant SAP Note still needs to be implemented, and a "red" rating if at least one security-relevant HotNews still needs to be implemented. In both cases, a corresponding alert message is entered in unit 1, "Service Summary", of the SAP EarlyWatch Alert report.
    • An administrator uses the tool RSECNOTE to create the detailed evaluation of the required security-relevant notes or HotNews in the system to be analyzed.
      You can use this tool to manually accept recommendations for notes or HotNews. The number of recommendations accepted manually is reported in the SAP EarlyWatch Alert report.
      If the tool RSECNOTE and the check routines contained inside it do not yet exist in the system to be analyzed, the SAP EarlyWatch Alert report informs you of this. The correction instructions that you can use to create this tool and the documentation for the tool are contained in Note 888889.
    • If the tool RSECNOTE and the check routines contained inside it do not yet exist in the system to be analyzed, only Notes 1167258, 1168813, 1298160 and 1304803 are checked to see whether they are required and need to be implemented.
    • The set of checked notes and HotNews is maintained online by SAP. When a check runs, the system downloads the list automatically once a day over the service connection to SAPNet. You can also update the list manually with the tool RSECNOTE.
    • You can use the Note Assistant (transaction SNOTE) to implement the correction instructions. You can find additional information about the Note Assistant on the SAP Service Marketplace under the alias /NOTE-ASSISTANT (https://service.sap.com/note-assistant).
    • There is an overview of security-relevant notes and HotNews on the SAP Service Marketplace under the alias /SECURITYNOTES (https://service.sap.com/securitynotes). Which security-relevant notes and HotNews are checked for this EarlyWatch Alert section can be seen from the tables on the SAP Service Marketplace and from the list of related notes for Note 888889.
  • "Users with Critical Authorization"
    • The checks in this section analyze how widely critical authorizations are assigned in the system, using examples of critical authorizations from the areas "System administration", "User management" and "Access to sensitive data".
    • This is not a complete security analysis of the system. For an extensive, configurable analysis, run the Security Optimization Self-Service. You can find more information on the SAP Service Marketplace under the alias /SOS (https://service.sap.com/sos).
    • The check is rated critical if a large number of users in one client have the checked authorization.
    • Critical applies if:
                    more than 75 users of a client have the authorization, or
                    more than 10% of the users of a client (but at least 10) have the checked authorization.
    • If no more than 10 users have the authorization, the check is rated uncritical.
    • If the check is rated critical in at least one client (other than 000 and 066), the check receives a "yellow" rating. A "red" rating is normally not assigned.
    • Structure of the report for these checks:
                    The first part describes the possible effects and risks of the critical authorization analyzed.
                    A table with the columns "Client", "No. of Users Having This Authorization", "No. of Valid Users" and "Rating" shows the results.
                    "Client" is the checked client. "No. of Users Having This Authorization" is the number of valid users in that client who hold the checked authorization. "No. of Valid Users" is the total number of valid users in that client. Valid users are those that are neither locked nor invalid because of their validity period.
  • "Default Passwords of Standard Users"
    • A check determines whether the default passwords of the standard users SAP*, DDIC, SAPCPIC and EARLYWATCH have been changed in all clients, and whether the user SAP* is missing in any client.
    • You can use the report RSUSR003 to display the results of this check in detail.
    • You can find additional information in the section "Protecting Standard Users" (http://help.sap.com/saphelp_nw70/helpdata/EN/3e/cdaccbedc411d3a6510000e835363f/frameset.htm) of the "SAP NetWeaver Application Server Security Guide".
    • The check is rated critical and receives a "yellow" rating if, for at least one standard user, the default password has not been changed, or if the user SAP* does not exist in a client.

The highest rating among the individual checks determines the overall rating of the "Security" unit in the SAP EarlyWatch Alert report.
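The rating rules above are easy to misread at the boundaries (client 000/066, exactly 10 users, the 10% rule versus the 75-user rule, and the "highest rating wins" aggregation). The following Python script is an added example, not SAP code and not part of the note: it applies the thresholds and rating order exactly as stated in the text to constructed EWA-style result tables. The sample rows are made up, and the decision that exactly 10 users rates uncritical is an assumption taken from the "maximum of 10 users" sentence.

```python
"""Added example (not SAP code): the rating rules of the EWA "Security" unit as
described above, applied to constructed result tables. Thresholds, client
exclusions and the green/yellow/red ordering are taken from the note text;
the input tables below are made up to exercise the boundaries."""

RATING_ORDER = {"green": 0, "yellow": 1, "red": 2}
EXCLUDED_CLIENTS = {"000", "066"}   # not considered for the rating, per the note


def worst(*ratings):
    """Most severe rating wins; this is how the unit's overall rating is formed."""
    return max(ratings, key=RATING_ORDER.__getitem__)


def rate_security_notes(missing_notes, missing_hotnews):
    """'Security-related SAP Notes': yellow if any required note is missing,
    red if any required HotNews is missing."""
    if missing_hotnews:
        return "red"
    if missing_notes:
        return "yellow"
    return "green"


def is_critical(users_with_auth, valid_users):
    """Per-client rule for 'Users with Critical Authorization'.

    Critical if more than 75 users hold the authorization, or more than 10 %
    of the client's valid users do. At most 10 users is uncritical.
    Assumption: the 'maximum of 10 users' sentence is the binding lower
    bound, so exactly 10 users rates uncritical even in a small client.
    """
    if users_with_auth <= 10:
        return False
    if users_with_auth > 75:
        return True
    return users_with_auth * 10 > valid_users      # strictly more than 10 %


def evaluate_clients(rows):
    """rows: (client, users_with_auth, valid_users) as in the EWA table.
    Returns (client, users_with_auth, valid_users, verdict) per client."""
    result = []
    for client, users, valid in rows:
        if client in EXCLUDED_CLIENTS:
            verdict = "not rated"
        elif is_critical(users, valid):
            verdict = "critical"
        else:
            verdict = "uncritical"
        result.append((client, users, valid, verdict))
    return result


def rate_critical_authorization(rows):
    """Yellow if any client other than 000/066 is critical; red is 'usually
    not assigned', so it is never produced here."""
    critical = [r for r in evaluate_clients(rows) if r[3] == "critical"]
    return "yellow" if critical else "green"


def rate_default_passwords(unchanged_defaults, clients_without_sapstar):
    """Yellow if any standard user still has its default password in some
    client, or if SAP* is missing in some client."""
    if unchanged_defaults or clients_without_sapstar:
        return "yellow"
    return "green"


def security_unit_rating(notes_rating, auth_rating, password_rating):
    """Highest rating among the three checks determines the unit rating."""
    return worst(notes_rating, auth_rating, password_rating)


# Constructed sample table for "Users Authorized to Display all Tables":
# (client, no. of users having this authorization, no. of valid users)
SAMPLE_DISPLAY_ALL_TABLES = [
    ("000", 90, 95),    # more than 75, but client 000 is excluded
    ("100", 12, 400),   # 3 % of valid users: uncritical
    ("200", 40, 300),   # 13 % of valid users: critical
    ("300", 10, 20),    # 50 %, but exactly 10 users: uncritical by assumption
]

if __name__ == "__main__":
    for row in evaluate_clients(SAMPLE_DISPLAY_ALL_TABLES):
        print("%-6s %5d %5d  %s" % row)
    auth = rate_critical_authorization(SAMPLE_DISPLAY_ALL_TABLES)
    notes = rate_security_notes(missing_notes=["1167258"], missing_hotnews=[])
    pw = rate_default_passwords(unchanged_defaults=[("100", "EARLYWATCH")],
                                clients_without_sapstar=[])
    print("Security unit:", security_unit_rating(notes, auth, pw))
```

Running it rates client 200 critical and the sample unit "yellow": one missing note and one unchanged default password each give yellow, and no HotNews is missing, so nothing pushes the unit to red.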




Affected Releases

Software Component   Release   From Release   To Release   And subsequent
ST-SER               620       620_2005_1     620_2006_2
ST-SER               700       700_2005_2     700_2008_1   X
ST-SER               701       701_2008_2     701_2008_2

Correction delivered in Support Package

Support Packages Release   Package Name
ST-SER 620_2005_1

SAP Note 957038 - Security gap in cross-site scripting

Symptom

When you call SAP E-Recruiting, one or more URL parameters are passed. If you change one of these parameters in a particular way, arbitrary JavaScript code can be executed.

To reproduce this, proceed as follows:
Append the character string "%27)%3balert(%27XSS%21%27)%3b%2f%2f" (without the quotation marks) to a URL parameter (for example rcfSpId=9000). URL-decoded, the string is ');alert('XSS!');// : it closes the string literal and function call into which the parameter value is inserted, runs alert, and comments out the rest of the line. When you start the application with this URL, the injected JavaScript is executed and a JavaScript alert with the text "XSS!" appears.



Other terms
XSS,
CL_HRRCF_BSP_EXT_FRAMEWORK,
<hrrcf_bsp_ext:frameWork>,
security gap,
JavaScript



Reason and Prerequisites
This problem is due to a program error.


Solution
Import the relevant Support Package or carry out the corrections in accordance with the correction instructions.



Affected Releases

Software Component   Release   From Release   To Release   And subsequent
ERECRUIT             300       300            300
ERECRUIT             600       600            600


Visit https://service.sap.com/sap/support/notes/957038 for the Support Packages in which the correction is delivered and for the correction instructions.

SAP Note 1085326 - Security Note: Check for 'System -> Status' (SE80)

Symptom


You are logged on to an SAP system using SAP GUI. You use

    1. the menu:  System -> Status...
    2. in the F1 help (in the modal window):
      a) the F9-button or
      b) 'Technical Information' (or 'Technical info') from context menu or
      c) 'Technical Information' (or 'Technical info') button on the F1 Help screen
    3. the button 'Technical Information' in the Performance Assistant

to display technical information about the system or the current transaction. By double-clicking, you can display the selected Workbench object, even though your user has no authorization for the ABAP Workbench (transaction SE80).



Other terms

S_DEVELOP, 16, SE80, RDOCFINDER, search report, SE61, worklist, RS_ACCESS_PERMISSION, AUTHORITY_CHECK_TCODE, RS_TOOL_ACCESS

Reason and Prerequisites

Before navigating to the Workbench object, the system does not check the authorization for transaction code SE80 (authorization object S_TCODE).

Solution

Use the Note Assistant to implement the corrections or import the relevant Support Package.

After you have implemented the corrections, a user who is not authorized for transaction SE80 can no longer navigate from the 'Technical Info' dialog to the Workbench object.

To verify the changed function, create a user without authorization for transaction SE80 in authorization object S_TCODE and perform the steps described under "Symptom".




Affected Releases

Software Component   Release   From Release   To Release   And subsequent
SAP_BASIS            46        46C            46C
SAP_BASIS            60        620            640
SAP_BASIS            70        700            700
SAP_BASIS            71        710            710


Visit https://service.sap.com/sap/support/notes/1085326 for the Support Packages in which the correction is delivered and for the correction instructions.

SAP Note 1115699 - CO-OM Tools: SE16N: Adapting to SE16

Symptom

If you execute a function module directly from SE37, the system does not perform the same authorization checks as when the module is started from its transaction.
In addition, the menu of transaction SE16N contains branches that are not required in this environment.
There is also a further transaction 'N', which branches to SE16N.



Other terms
Transactions: SE37,
SE16N_START, RK_SE16N, SE16N, N



Reason and Prerequisites
Function modules are developed to perform certain processing steps within a transaction; the authorization check is then generally performed by the calling transaction. The exception is released modules, that is, modules that may also be called by customer programs.
In most cases, an authorization check inside the module would prevent the transaction from processing correctly, for example where a transaction uses techniques the user is not aware of, such as code generation.



Solution
    1. Implement the program changes described below.
              The function modules of SE16N then check the same authorizations as transaction SE16N itself.
              The program changes are delivered with the Support Packages assigned to this note.
              Note that up to ERP Release 603 you must perform the manual tasks below yourself; they are not delivered by Support Package.
    2. Delete transaction code 'N' in transaction SE93.
    3. Delete the following menu codes in status '0100' of function group 'SE16N':
              Goto -> RKCOWUSL
              Goto -> RKCOVIEW
              Goto -> TSCUST
              Goto -> TSRUN
              To do this, proceed as follows:
                       Call transaction SE80 for function group 'SE16N'.
                       Expand 'GUI Status' in the tree and double-click status '0100'.
                       Switch to change mode.
                       Choose '+' next to 'Menu Bar'.
                       Double-click 'Goto' and position the cursor on each of the menu codes listed above in turn.
                       Choose 'Delete entry (Ctrl+F9)' for each line.
                       Activate the status.


Affected Releases

Software Component   Release   From Release   To Release   And subsequent
SAP_APPL             470       470            470
SAP_APPL             500       500            500
SAP_APPL             600       600            600
SAP_APPL             602       602            602
SAP_APPL             603       603            603

SAP Note 1120760 - Security note: Missing authorization check for Web services

Symptom

For Web services (service interfaces), the authorization check against the authorization object S_SERVICE is not executed on the provider side in the security protocol (part of the SOAP runtime; see the class named under "Reason" below).


Other terms
SOAP, Simple Object Access Protocol, security protocol, WSSEC, S_SERVICE, RBAM, AUTHORITY-CHECK, Web service


Reason and Prerequisites
Reason:
This problem is caused by a programming error in the method CL_WS_SECURITY_PROTOCOL->IF_SOAP_SECURITY_HELPER~CHECK_AFTER_DESERIALIZATION.

Prerequisite for the error:

  • The system is not an SAP Business ByDesign system or
  • the Web service to be checked was generated using the inside-out approach (not modelled using the ESR outside-in approach) or
  • the Web service to be checked is NWA-SI (= http://sap.com/xi/BASIS MBeanAccessInbound).

Solution
Implement the correction instructions or import the Support Package.



Affected Releases

Software Component   Release   From Release   To Release   And subsequent
SAP_BASIS            71        710            710

Correction delivered in Support Package

Support Packages Release   Package Name
SAP_BASIS 710

Corrections Instructions

Correction Instruction   Valid from   Valid to   Software Component   Last Modification
                         710          710        SAP_BASIS            02.01.2008 13:59:32

SAP Note 1133739 - Security note: Security gap in Data Browser (SE16)


Symptom
Transaction SE16 is a universally applicable function to display any database contents in ABAP systems.
An authorization check against a table authorization group (authorization object S_TABU_DIS) protects access to this data through this function.

If you use transaction SE16 in a certain way, the system may fail to perform this authorization check. This may allow unauthorized access to any sensitive or critical data.

The correction (Support Package or correction instructions) solves this problem.

Risk mitigation before the correction is effective: limit access to transaction SE16 (authorization object S_TCODE).


We strongly recommend that customers limit access to SE16 and implement the correction instructions as soon as possible.



Other terms
Data Browser, SE16


Solution
Use transaction SNOTE to implement the corrections.



Affected Releases

Software Component   Release   From Release   To Release   And subsequent
SAP_APPL             30        31I            31I
SAP_APPL             40        40B            40B
SAP_APPL             45        45B            45B
SAP_APPL             46        46B            46B
SAP_BASIS            46        46B            46D
SAP_BASIS            60        620            640
SAP_BASIS            70        700            700
SAP_BASIS            71        710            711


Visit https://service.sap.com/sap/support/notes/1133739 for the Support Packages in which the correction is delivered and for the correction instructions.

SAP Note 1136770 - Security note: ICF system login


Symptom
There is a security problem during login in relation to the client.


Other terms
Security, login


Reason and Prerequisites
This problem is caused by a program error.


Solution
Implement the attached correction instructions to correct the error.

We recommend urgently that all customers implement the correction.




Affected Releases

Software Component   Release   From Release   To Release   And subsequent
SAP_BASIS            60        640            640
SAP_BASIS            70        700            701
SAP_BASIS            71        710            711


Visit https://service.sap.com/sap/support/notes/1136770 for the Support Packages in which the correction is delivered and for the correction instructions.