Post on 19-Mar-2018

Page 1

Page 2

SAP CUA Security

Dmitry Gutsko, Business System Security Assessment Group

Positive Technologies

Page 3

What is SAP CUA?

SAP HCM

SAP CRM

SAP ECC

SAP BW

SAP FI

SAP CUA

Page 4

What is SAP CUA?

SAP CUA Central System

Child System

Child System

Child System

Page 5

SAP CUA Security Risks

― Creating/assigning unauthorized users to a child system.
― Unauthorized assignment of high privileges.
― Unauthorized user unlocking.
― Bypassing the SAP CUA policy in a child system.
― Intercepting the SAP CUA data on the network.

Page 6

0. Protect SAP CUA central system

― Attackers who control the SAP CUA central system can create/assign users in any child system through the standard CUA mechanisms and thereby gain access to a target system.

― The security level of the SAP CUA central system shouldn’t be lower than the level of the most protected system of the CUA model.

Page 7

1. Enable SNC encryption

Attackers can intercept:

― An account of SAP CUA child systems
― An account of the SAP CUA central system
― Transferred accounts of a child system

Page 8

1. Enable SNC encryption

Intercepted data (diagram): user ID, encrypted password, XORed password, password.

Page 9

1. Enable SNC encryption

Intercepted data:

Page 10

2. Use trusted connections

― Accounts of child systems aren’t specified in the SAP CUA central system.
― Attackers can’t intercept them.
― If the SAP CUA central system is compromised, attackers can’t gain access to them.

Page 11

3. Configure S_RFCACL, S_RFC and S_ICF authorization objects

Authorization object | Client/Server | Responsible for
S_RFCACL | Server | ACL for trusted connections: which users are able to log on to a child system and which privileges are granted to a user.
S_RFC | Server | Whether RFC function modules can be executed.
S_ICF | Client | Whether RFC connections (destinations) can be used.

― Entries in the fields RFC_SYSID, RFC_CLIENT and RFC_USER of S_RFCACL define from which systems and clients, and for which user IDs, logons to the target system are accepted. If you enter the full authorization (*) in one or more of these three fields, you allow logons from any system, any client, or any user, which produces significant security risk.
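As an added example (not from the deck), a small audit over exported S_RFCACL authorization values that flags the full-authorization (*) entries the slide warns about and singles out roles that are open in all three identity fields; the row layout (role, object, field, low, high, modelled on a role authorization export such as AGR_1251) and the sample roles are assumptions.

```python
"""Audit S_RFCACL authorization values for full wildcards (example code,
not from the slide deck). Rows mimic an export of role authorization
values such as table AGR_1251 (role, object, field, low, high); the
column layout is an assumption."""
from collections import defaultdict

# The S_RFCACL fields that decide which callers a trusted-RFC logon accepts.
IDENTITY_FIELDS = ("RFC_SYSID", "RFC_CLIENT", "RFC_USER")

# Constructed sample rows: (role, object, field, low, high).
SAMPLE_ROWS = [
    ("Z_CUA_CHILD_OK", "S_RFCACL", "RFC_SYSID", "CUA", ""),
    ("Z_CUA_CHILD_OK", "S_RFCACL", "RFC_CLIENT", "100", ""),
    ("Z_CUA_CHILD_OK", "S_RFCACL", "RFC_USER", "CUA_RFC", ""),
    ("Z_CUA_CHILD_OK", "S_RFCACL", "ACTVT", "16", ""),
    ("Z_RFC_PARTIAL", "S_RFCACL", "RFC_SYSID", "*", ""),
    ("Z_RFC_PARTIAL", "S_RFCACL", "RFC_CLIENT", "100", ""),
    ("Z_RFC_PARTIAL", "S_RFCACL", "RFC_USER", "*", ""),
    ("Z_RFC_OPEN", "S_RFCACL", "RFC_SYSID", "*", ""),
    ("Z_RFC_OPEN", "S_RFCACL", "RFC_CLIENT", "*", ""),
    ("Z_RFC_OPEN", "S_RFCACL", "RFC_USER", "*", ""),
    ("Z_OTHER", "S_RFC", "RFC_NAME", "*", ""),  # different object, out of scope
]


def wildcard_fields(rows):
    """Map role -> set of S_RFCACL identity fields carrying full authorization (*)."""
    found = defaultdict(set)
    for role, obj, field, low, high in rows:
        if obj != "S_RFCACL" or field not in IDENTITY_FIELDS:
            continue
        # A '*' in LOW or HIGH makes the field accept any value.
        if low.strip() == "*" or high.strip() == "*":
            found[role].add(field)
    return dict(found)


def fully_open_roles(rows):
    """Roles whose S_RFCACL accepts any system, any client and any user."""
    return sorted(r for r, f in wildcard_fields(rows).items()
                  if len(f) == len(IDENTITY_FIELDS))


if __name__ == "__main__":
    for role, fields in sorted(wildcard_fields(SAMPLE_ROWS).items()):
        print(f"{role}: wildcard in {', '.join(sorted(fields))}")
    print("fully open roles:", fully_open_roles(SAMPLE_ROWS))
```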

Page 12

4. Segment the network

― Protection against network attacks.
― Users and SAP servers should be in different network segments separated by a firewall.

Page 13

5. Secure Gateway in child systems and the central system

― Configure the ACL for the SAP Gateway (gw/acl_file):
― Activate Gateway logging (gw/logging).
― Activate the Security Audit Log (SM19).
― Etc.

Page 14

6. Assign least privileges to CUA users

― Client side (SAP CUA child system):
• SAP_BC_USR_CUA_CLIENT
• SAP_BC_USR_CUA_SETUP_CLIENT

― Server side (SAP CUA central system):
• SAP_BC_USR_CUA_CENTRAL
• SAP_BC_USR_CUA_CENTRAL_BDIST
• SAP_BC_USR_CUA_SETUP_CENTRAL

Do not assign the SAP_ALL profile to RFC users. Please!

Page 15

7. Delete SETUP roles from CUA users in the central system

Page 16

7. Delete SETUP roles from CUA users in the central system

Diagram: SAP CUA central system connected to several child systems; an attacker in one child system, with another child system marked as the target of attack.

Page 17

7. Delete SETUP roles from CUA users in the central system

― Attackers can reassign a system:
• FM BAPI_USER_LOCPROFILES_ASSIGN

― Attackers can assign new profiles/roles in other child systems:
• FM BAPI_USER_LOCACTGROUPS_ASSIGN
• FM BAPI_USER_LOCPROFILES_ASSIGN

Page 18

8. Delete SETUP roles from CUA users in child systems

― Attackers can get a user list:
• FM BAPI_USER_GETLIST

― Attackers can create users:
• FM BAPI_USER_CREATE1

― Attackers can assign profiles/roles to a user:
• FM BAPI_USER_PROFILES_ASSIGN

― Attackers can lock/unlock users:
• FM BAPI_USER_LOCK / BAPI_USER_UNLOCK

Page 19

9. Apply Note 1997455 or modify the SAP_BC_USR_CUA_CENTRAL role

― Attackers can read all the tables of the central system:
• USR02, USH02, USZBVSYS, …

― Apply Note 1997455 or delete the authorization object S_TABU_DIS from the SAP_BC_USR_CUA_CENTRAL role.

Page 20

10. Do not combine SAP systems of various security classifications in a single CUA model

― Attackers can compromise a less protected child system of the CUA model and then use one of the techniques already discussed against the others.

― Do not combine test, education and production systems in a single CUA model.

Page 21

11. Protect table USRFLDSEL

― The USRFLDSEL table stores the CUA policy data of the central system.
― Attackers can bypass the CUA policy of the central system.
― Control access to the transactions SE16N, ST04 and SM49/SM69.
― Activate USRFLDSEL table logging.

Page 22

12. Do not forget about other clients

― The CUA model includes some clients of the SAP system.
― RFC connections are cross-client.
― Attackers can bypass client security:
• Creating ABAP code.
• Using RFC connections between clients.
• Using transaction ST04.
• Using transaction SM49/SM69.

Page 23

13. Control access to critical transactions/tables of child systems

― The tables RSECTAB and RFCDES store the RFC accounts.
― The tables RFCDES and USZBVSYS store the CUA model.

― Transactions SE37, SCUM, SCUA, …
• Creating a user via the transaction SE37 in a child system

Page 24

14. Use system-type users

― Attackers can’t use accounts of this type for dialog logon to the SAP system.
― Do not forget to change the password.

Page 25

Thank you for your attention!

[email protected]

Page 26

Additional information

Transactions:
SCUA – Display System Landscape (CUA model)
SCUL – Log Display for Central User Administration
SCUM – User Distribution Field Selection
SCUG – Central User Administration Structure Display
SE37 – ABAP Function Modules

Notes:
492589 – Minimum authorizations for communication users
333441 – CUA: Tips for problem analysis
376856 – Password synchronization – Single Sign-On/CUA
1997455 – Potential information disclosure in BC-SEC-USR-ADM
159885 – CUA: Collective SAP Note for corrections up until March 2003
128447 – Trusted/trusting systems
1416085 – PFCG: Authorization maintenance for object S_RFCACL

Tables:
USZBVSYS – CUA: Assignment of Systems to Users
USRFLDSEL – CUA: Field Attributes

Page 27