Vulnerability card
Vulnerability characteristics
Severity level
CVSS score
Software vendor
Software name
SAP Notes
(1391655-3)
Description
Prerequisite:
Note 1298433 is a prerequisite note; it ensures that the SAP Gateway access control lists cannot be bypassed.
How to fix
Implement an access control list in the SAP gateway so that the external program SAPFTP can only be started by authorized users and hosts; this is what prevents unauthorized access.
The following scenarios for the usage of SAPFTP depend on the destination settings maintained in transaction SM59:
Scenario A. External program started on the same application server.
Scenario B. External program started on the front-end machine.
Scenario C. External program started on an explicit host, where the call is initiated from the source application server "src_as" (local system) to start SAPFTP on the target application server "trgt_as".
Scenario D. The external program SAPFTP is not used.
Proceed with the steps below to maintain the security settings:
1. Maintain a "secinfo" file at a suitable path on the application server (default path: /usr/sap/<SID>/data/secinfo). Maintain the entries in this file as follows:
For scenarios A and B, the following setting is needed, depending on the "user":
i. Security settings based on user
USER=<user name>, USER-HOST=local, HOST=local, TP=sapftp;
This allows the user <user name> to start the SAPFTP program on the same application server or on the front-end machine.
For Scenario C, the following settings are needed on both application servers, depending on the "user" or the "source of request":
i. Security settings based on user
Settings on application server "src_as"
USER=<user name>, USER-HOST=local, HOST=<trgt_as>, TP=sapftp;
Settings on application server "trgt_as"
USER=<user name>, USER-HOST=<src_as>, HOST=local, TP=sapftp;
This allows the user <user name> to start SAPFTP on application server "trgt_as" from application server "src_as".
ii. Security settings based on source of request
Settings on application server "src_as"
USER=*, USER-HOST=local, HOST=<trgt_as>, TP=sapftp;
Settings on application server "trgt_as"
USER=*, USER-HOST=<src_as>, HOST=local, TP=sapftp;
This allows SAPFTP on application server "trgt_as" to be started only if the request comes from application server "src_as", regardless of the user.
For Scenario D, when the external program SAPFTP is not used, maintain the following setting on the application server:
USER=*, USER-HOST=local, HOST=local, TP=sapftp;
This allows requests only from the local application server and blocks all external requests, thus preventing unauthorized access to SAPFTP.
2. Using transaction RZ11, set the profile parameter "gw/sec_info" to the location of the "secinfo" file maintained above
(default value: /usr/sap/<SID>/data/secinfo).
3. Activate the configuration file "secinfo" using transaction SMGW, navigating to Goto->Expert Functions->External Security->Read Again.
4. If necessary, maintain gateway logging using transaction SMGW, navigating to Goto->Expert Functions->Logging. Save and activate these settings.
5. Repeat steps 1-4 on every application server instance of the R/3 system.
Important:
1. The settings maintained in the secinfo file are case sensitive. The case of the target program TP must match the setting maintained in SM59.
2. One entry must be maintained for every authorized user if the restrictions are based on the user accessing SAPFTP.
3. One entry must be maintained for every application server (src_as) that may access SAPFTP on the target application server (trgt_as), if the restrictions are based on the source of request.
4. The security settings for SAPFTP become active only if the secinfo file exists and contains the corresponding entries for SAPFTP. Refer to note 110612 for further details on the settings of the secinfo file.
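The following is an added example, not SAP's own gateway code and not part of the note: a small Python model of how the old-syntax secinfo entries above decide whether a request to start SAPFTP is permitted. It assumes the semantics the note states (an entry permits a start only when USER, USER-HOST, HOST and TP all match; "*" matches anything; "local" stands for the application server's own host name; comparison is case sensitive) and uses constructed secinfo contents for Scenario C (restriction by source of request) and Scenario D. The function and constant names are illustrative.

```python
"""Added example: a model of old-syntax secinfo ACL evaluation as described
in the note above. Not SAP's code. Assumes: all four fields must match,
'*' is a wildcard, 'local' means this server's own host name, and matching
is case sensitive. Sample secinfo contents are constructed."""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class SecinfoEntry:
    user: str
    user_host: str
    host: str
    tp: str


def parse_secinfo(text: str) -> List[SecinfoEntry]:
    """Parse old-syntax lines 'USER=u, USER-HOST=uh, HOST=h, TP=tp'.

    USER-HOST is optional and defaults to '*'. Blank lines and '#' comments
    are skipped; a trailing ';' as written in the note is tolerated.
    Malformed lines raise ValueError instead of being silently ignored, so a
    typo cannot drop a restriction without anyone noticing.
    """
    entries: List[SecinfoEntry] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip().rstrip(";").strip()
        if not line:
            continue
        fields = {}
        for part in line.split(","):
            key, sep, value = part.strip().partition("=")
            if not sep or not key.strip():
                raise ValueError(f"malformed secinfo field: {part.strip()!r}")
            fields[key.strip().upper()] = value.strip()
        missing = {"USER", "HOST", "TP"} - set(fields)
        if missing:
            raise ValueError(f"line {line!r} lacks {sorted(missing)}")
        entries.append(SecinfoEntry(fields["USER"], fields.get("USER-HOST", "*"),
                                    fields["HOST"], fields["TP"]))
    return entries


def _host_matches(pattern: str, value: str, local_host: str) -> bool:
    """Host fields: '*' matches any host, 'local' matches this server's host."""
    if pattern == "*":
        return True
    if pattern == "local":
        return value == local_host
    return pattern == value


def find_permitting_entry(entries: List[SecinfoEntry], local_host: str,
                          user: str, user_host: str, host: str,
                          tp: str) -> Optional[SecinfoEntry]:
    """Return the first entry permitting the request, or None (denied).

    TP is compared byte-for-byte ('SAPFTP' does not match 'sapftp'), which
    is the case-sensitivity caveat from the 'Important' list above.
    """
    for e in entries:
        if ((e.user == "*" or e.user == user)
                and _host_matches(e.user_host, user_host, local_host)
                and _host_matches(e.host, host, local_host)
                and (e.tp == "*" or e.tp == tp)):
            return e
    return None


# Constructed secinfo for the target server in Scenario C (entry ii above).
TRGT_AS_SECINFO = """
# only src_as may start sapftp here, whoever the user is
USER=*, USER-HOST=src_as, HOST=local, TP=sapftp;
"""

# Constructed secinfo for Scenario D: SAPFTP only from the local server.
SCENARIO_D_SECINFO = "USER=*, USER-HOST=local, HOST=local, TP=sapftp;\n"


def check_scenarios() -> dict:
    """Evaluate representative requests; True means the start is permitted."""
    trgt = parse_secinfo(TRGT_AS_SECINFO)
    d = parse_secinfo(SCENARIO_D_SECINFO)
    return {
        "c_from_src_as": find_permitting_entry(
            trgt, "trgt_as", "ALICE", "src_as", "trgt_as", "sapftp") is not None,
        "c_from_other_host": find_permitting_entry(
            trgt, "trgt_as", "ALICE", "other_as", "trgt_as", "sapftp") is not None,
        "c_wrong_tp_case": find_permitting_entry(
            trgt, "trgt_as", "ALICE", "src_as", "trgt_as", "SAPFTP") is not None,
        "d_local": find_permitting_entry(
            d, "as1", "BOB", "as1", "as1", "sapftp") is not None,
        "d_external": find_permitting_entry(
            d, "as1", "BOB", "as2", "as1", "sapftp") is not None,
    }


if __name__ == "__main__":
    for name, allowed in check_scenarios().items():
        print(f"{name:18} -> {'ALLOW' if allowed else 'DENY'}")
```

Run it directly to see each constructed request resolved to ALLOW or DENY. The model deliberately fails closed: a request with no matching entry is denied, and a malformed line aborts parsing rather than being skipped. Keep in mind the note's own caveat 4: the real gateway only enforces these entries once the secinfo file exists and is read in (SMGW, Read Again) on every instance; the model cannot stand in for that check.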
Further Reference:
1. Making Security Settings for External Programs
http://help.sap.com/saphelp_nwpi71/helpdata/EN/48/b2096b7895307be10000000a42189b/frameset.htm
2. Authorizations for Starting External Programs
http://help.sap.com/saphelp_nw04/helpdata/en/5a/c03a069d3811d188a70000e83539c3/content.htm
References