Restricted access for Basis administrators
DBACOCKPIT and DB02 are the two central transactions with which SAP Basis staff monitor, control, configure and manage the SAP databases.
Numerous basic functions can be executed through them, for example checking system status and operating modes, table extension, index maintenance and updating tables.
In addition, both transactions contain the SQL Command Editor, which executes SQL statements directly against the database and thus gives direct access to application tables.
This also gives users access to business-critical information such as personnel and financial accounting data, or even password hashes.
Security patches for the SQL Command Editor must be applied promptly
SAP has delivered numerous security patches for the SQL Command Editor. These patches must be tracked and applied.
To regulate access to SAP data, SAP has also delivered a new authorization object (S_TABU_SQL). It lets companies define which employees may access which tables through the editor.
In addition, a logging function has been implemented in the SQL Command Editor that automatically records every command, whether it was authorized or rejected.
If this log data is also forwarded to a security information and event management (SIEM) system, such as SAP Enterprise Threat Detection (ETD), and analyzed there, companies gain visibility into every access that has taken place.
Possible misuse can thus be countered promptly through monitoring and alerting. Although access for SAP Basis Administration staff must also be restricted for data protection and compliance reasons, reality often looks different.
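The article recommends feeding the editor's log into a SIEM and alerting on misuse. The following triage routine is an added example and not part of the original article or any SAP or Virtual Forge tooling; it works over constructed, pipe-delimited sample log lines (timestamp, user, DB SID, status, statement), since the real DBACOCKPIT log layout differs and would need to be mapped to these fields. The sensitive-table list and the approved-user list are assumptions chosen to mirror the article's examples (password hashes, HR and FI data).

```python
import json
import re
from dataclasses import asdict, dataclass
from typing import Dict, List, Set

# Tables whose exposure through the SQL editor is most damaging (assumption,
# following the article): USR02/USH02/USRPWDHISTORY hold password hashes,
# PA* tables hold HR master data, BSEG holds FI line items.
HASH_TABLES = {"USR02", "USH02", "USRPWDHISTORY"}
SENSITIVE_TABLES = HASH_TABLES | {"PA0002", "PA0008", "BSEG"}

# Users approved to use the SQL Command Editor at all (assumption for this example).
APPROVED_USERS = {"DBADMIN"}

# Constructed sample log; the real DBACOCKPIT log has a different layout.
# Fields: timestamp|user|dbsid|status|statement
SAMPLE_LOG = """\
20240312 081501|DBADMIN|PRD|OK|SELECT COUNT(*) FROM DBSTATC
20240312 081530|DBADMIN|PRD|OK|SELECT BNAME, BCODE, PASSCODE FROM USR02 WHERE MANDT = '100'
20240312 082210|JDOE|PRD|DENIED|SELECT * FROM PA0008
20240312 082215|JDOE|PRD|OK|SELECT TABNAME FROM DD02L WHERE TABNAME LIKE 'USR%'
20240312 090000|MSMITH|PRD|OK|UPDATE USR02 SET BCODE = '...' WHERE BNAME = 'SAP*'
"""

# Table names following FROM / JOIN / INTO / UPDATE; tolerates an optional
# schema prefix (sapsr3.USR02) and double-quoted identifiers.
TABLE_REF = re.compile(
    r'\b(?:FROM|JOIN|INTO|UPDATE)\s+(?:"?\w+"?\.)?"?(\w+)"?', re.IGNORECASE
)
# Any statement that changes data or schema through the editor is an alert on its own.
WRITE_STMT = re.compile(r"^\s*(UPDATE|DELETE|INSERT|DROP|ALTER|TRUNCATE)\b", re.IGNORECASE)


@dataclass
class Alert:
    timestamp: str
    user: str
    severity: str
    reason: str
    statement: str


def referenced_tables(statement: str) -> Set[str]:
    """Upper-cased set of table names the statement reads or writes."""
    return {m.upper() for m in TABLE_REF.findall(statement)}


def triage(log_text: str) -> List[Alert]:
    """Turn raw editor log lines into alerts; denied attempts are kept because
    the editor logs both authorized and unauthorized commands."""
    alerts: List[Alert] = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, dbsid, status, stmt = line.split("|", 4)
        tables = referenced_tables(stmt)
        hits = tables & SENSITIVE_TABLES
        attempted = "attempted " if status != "OK" else ""
        if WRITE_STMT.match(stmt):
            alerts.append(Alert(ts, user, "critical",
                                f"{attempted}write via SQL editor on {', '.join(sorted(tables))} ({dbsid})", stmt))
        elif hits:
            sev = "critical" if hits & HASH_TABLES else "high"
            alerts.append(Alert(ts, user, sev,
                                f"{attempted}read of sensitive table(s) {', '.join(sorted(hits))} ({dbsid})", stmt))
        if user not in APPROVED_USERS:
            alerts.append(Alert(ts, user, "medium",
                                f"user not approved for SQL editor, status {status} ({dbsid})", stmt))
    return alerts


def severity_counts(alerts: List[Alert]) -> Dict[str, int]:
    counts: Dict[str, int] = {}
    for a in alerts:
        counts[a.severity] = counts.get(a.severity, 0) + 1
    return counts


def to_siem_events(alerts: List[Alert]) -> List[str]:
    """One JSON object per line, the shape most SIEM collectors accept."""
    return [json.dumps(asdict(a), sort_keys=True) for a in alerts]


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for event in to_siem_events(found):
        print(event)
    print(severity_counts(found))
```

On the constructed sample the DBADMIN read of USR02 and the UPDATE on USR02 come out as critical, the denied attempt on PA0008 as high, and every line from a user outside the approved list additionally as medium; in a real deployment the approved-user list should be derived from the role review rather than hard-coded.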
For example, SAP security tests in companies of all sizes and industries repeatedly identify unpatched vulnerabilities in the SQL Command Editor function of DBACOCKPIT and DB02.
SAP Basis administrators thus have far-reaching possibilities to access sensitive SAP data.
Complete takeover conceivable
To illustrate the potential consequential damage, SAP penetration testers from Virtual Forge first read the USR02 table, which stores the users' password hashes, in a selected customer system.
After the testers had cracked the hashes with a password-cracking tool, they were able to log on to the SAP system without difficulty and use all functions for which the respective users were authorized.
The tests showed: Malicious attacks could have led to the complete compromise of an SAP system.
It is therefore imperative for every SAP user company to regularly import the Security Notes, especially for the SQL Command Editor.
In addition, upgrades should be carried out at least once a year and the latest support packages should be imported, with which SAP provides customers with bug fixes and software adjustments required by law.
External consulting recommended
However, since most companies do not have any designated SAP security experts, it makes sense to bring external service providers on board for the regular import of security patches.
It is essential that the consulting partner has the necessary security and SAP expertise, especially experience in implementing patches, understanding of different SAP releases and upgrade procedures, and knowledge of threat detection and prevention.
Equipped with these competencies, the SAP security provider can support the customer in assessing the criticality of the security patches. In addition, the customer receives advice on the selection of the necessary tests to prevent program and application errors from occurring when the patches are applied.
Since selective testing eliminates the need for time-consuming regression tests across the entire SAP system, the customer saves a great deal of time and money.
Use tools as a complement
In the area of prevention, the use of special tools for detecting and correcting errors in the customer-specific SAP system configuration is also an option.
The Virtual Forge SystemProfiler, for example, can be used to determine all users who hold extensive authorizations to run the SQL Command Editor (DB02, DBACOCKPIT) together with the associated table authorizations (S_TABU_SQL).
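The check described above can also be approximated without a commercial tool. The following review script is an added example, not code from the article, SAP or Virtual Forge. It assumes extracts in the shape of the role-authorization table AGR_1251 (role, object, field, low, high) and the user-role assignment table AGR_USERS (role, user), here constructed inline; it resolves SAP's `*` prefix wildcard and LOW/HIGH ranges, and it deliberately evaluates authorizations per user across all assigned roles, because a user who obtains the transaction from one role and S_TABU_SQL from another has the combined capability even though no single role looks dangerous. It ignores the ACTVT field and directly assigned profiles such as SAP_ALL, which a complete review must also cover.

```python
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Transactions that expose the SQL Command Editor.
EDITOR_TCODES = {"DB02", "DBACOCKPIT"}
# Tables whose reachability through the editor we want to report (assumption,
# following the article: password hashes, HR and FI data).
SENSITIVE_TABLES = {"USR02", "USH02", "PA0008", "BSEG"}

# Constructed extract in the shape of AGR_1251: (AGR_NAME, OBJECT, FIELD, LOW, HIGH).
AGR_1251: List[Tuple[str, str, str, str, str]] = [
    ("Z_BASIS_ADMIN", "S_TCODE",    "TCD",   "DBACOCKPIT", ""),
    ("Z_BASIS_ADMIN", "S_TABU_SQL", "TABLE", "*",          ""),
    ("Z_DB_MONITOR",  "S_TCODE",    "TCD",   "DB02",       ""),
    ("Z_DB_MONITOR",  "S_TABU_SQL", "TABLE", "DBSTAT*",    ""),
    ("Z_HR_TABLES",   "S_TABU_SQL", "TABLE", "PA0000",     "PA9999"),
]
# Constructed extract in the shape of AGR_USERS: (AGR_NAME, UNAME).
AGR_USERS: List[Tuple[str, str]] = [
    ("Z_BASIS_ADMIN", "DBADMIN"),
    ("Z_DB_MONITOR",  "JDOE"),     # editor transaction from one role ...
    ("Z_HR_TABLES",   "JDOE"),     # ... HR table access from another
    ("Z_HR_TABLES",   "HRCLERK"),  # table access but no editor transaction
]


def value_matches(value: str, low: str, high: str) -> bool:
    """SAP authorization value semantics used here: LOW..HIGH is an inclusive
    range, '*' matches everything, a trailing '*' is a prefix wildcard,
    anything else is an exact match."""
    if high:
        return low <= value <= high
    if low == "*":
        return True
    if low.endswith("*"):
        return value.startswith(low[:-1])
    return value == low


def effective_auths() -> Dict[str, Dict[Tuple[str, str], List[Tuple[str, str]]]]:
    """user -> (object, field) -> list of (low, high) accumulated over all roles."""
    by_role: Dict[str, List[Tuple[str, str, str, str]]] = defaultdict(list)
    for role, obj, field, low, high in AGR_1251:
        by_role[role].append((obj, field, low, high))
    per_user: Dict[str, Dict[Tuple[str, str], List[Tuple[str, str]]]] = defaultdict(lambda: defaultdict(list))
    for role, user in AGR_USERS:
        for obj, field, low, high in by_role.get(role, []):
            per_user[user][(obj, field)].append((low, high))
    return per_user


def any_match(values: List[Tuple[str, str]], candidate: str) -> bool:
    return any(value_matches(candidate, low, high) for low, high in values)


def can_run_editor(auths: Dict[Tuple[str, str], List[Tuple[str, str]]]) -> bool:
    tcodes = auths.get(("S_TCODE", "TCD"), [])
    return any(any_match(tcodes, t) for t in EDITOR_TCODES)


def reachable_sensitive_tables(auths: Dict[Tuple[str, str], List[Tuple[str, str]]]) -> Set[str]:
    tables = auths.get(("S_TABU_SQL", "TABLE"), [])
    return {t for t in SENSITIVE_TABLES if any_match(tables, t)}


def review() -> Dict[str, List[str]]:
    """Users who can start the editor and reach at least one sensitive table,
    mapped to the sorted list of those tables."""
    findings: Dict[str, List[str]] = {}
    for user, auths in effective_auths().items():
        if not can_run_editor(auths):
            continue
        reachable = reachable_sensitive_tables(auths)
        if reachable:
            findings[user] = sorted(reachable)
    return findings


if __name__ == "__main__":
    for user, tables in sorted(review().items()):
        print(f"{user}: SQL editor access to {', '.join(tables)}")
```

On the constructed data DBADMIN is reported with every sensitive table (TABLE = `*`), JDOE is reported for PA0008 only because the DB02 transaction and the PA0000..PA9999 range come from two different roles, and HRCLERK is not reported because the table authorization alone cannot be exercised through the editor.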
If a customer has connected its SAP systems to SAP Solution Manager, such tools can be used to automatically identify security gaps and vulnerabilities.
For example, regular checks can also be made for all SAP systems to ensure that all the necessary security patches have been applied to completely eliminate the security vulnerabilities in the SQL Command Editor.