Google+ Facebook Twitter MySpace SC

Friday, September 7, 2012

Note 1520462 - Unauthorized call of operating system command


SymptomA malicious user can execute an operating system command with a parameter string by calling a certain ABAP function because the function does not perform any authorization checks.
In SAP terminology, these calls are referred to as 'external programs' or 'external commands' (See Note 677435 also.).

Other termsExternal programs, external commands
Reason and PrerequisitesThis is caused by a design error.
A malicious user who is very familiar with SAP source code may recognize this security hole.

SolutionImport the Support Package or implement the correction instructions.

For technical reasons, you cannot extend the start of the validity of the correction instructions to older Support Packages. However, the problem described in this note exists from the outset in all releases.

When you implement these corrections, the authorization check that must be performed for external commands and external programs is now also performed in the aforementioned function.
(For more information about the authorizations that are checked, see Notes 859104 and 854060.)
You will not notice any changes to the system behavior, apart from the following very unlikely exception:

Now, when you start an external program as a step of a background job, the system also checks whether the step user has system administrator authorization. Therefore, it checks the authorization S_RZL_ADM (field ACTVT = 01).
If the step user does not have this authorization, the job terminates with a relevant message in the job log and the external program is not executed.
For security reasons, the new authorization check is imperative.
The new check will probably have no effect for your existing batch jobs because the step user is always the job scheduler by default, and an external program can only be scheduled as a job step if the job scheduler has system administrator authorization.

However, if there are batch jobs in your system with the following properties:

- the job has an external program as the job step
- the step user of this step is not the job scheduler
- this step user has no system administrator authorization

these jobs will terminate after you implement these correction instructions.
To identify these jobs, the program Z_FIND_JOBS_WITH_EXTPROG is attached to this note.
Execute this program. If the program detects jobs with the properties mentioned above, change the step user for these jobs, or assign system administrator authorization to the step user.
After you have implemented the corrections, you can no longer create background jobs with the aforementioned properties.

Header Data

Release Status:Released for Customer
Released on:08.02.2011
Master Language:German
Category:Program error
Primary Component:BC-CCM-BTC-EXT External and Logical Commands


Useful links for SAP BW

No comments:

Post a Comment