SAP Attack Vector: the CUA System
2. SAP CUA as an SAP Attack Vector
Dmitry Gutsko
Business System Security Assessment Group
Positive Technologies
PHDays IV
3. Agenda
― What is SAP CUA?
― Deployment schemes
― SAP CUA user privileges
― Attack vectors
• Compromising a child system
• Analysis of network packets
― Protection/Countermeasures
4. What is SAP CUA?
Diagram: SAP CUA connected to SAP HCM, SAP CRM, SAP ECC, SAP BW and SAP FI.
5. What is SAP CUA?
Diagram: an SAP CUA central system connected to several child systems.
12. Attack vectors
― Compromising SAP CUA central system
No comments
― Compromising a child system
1. Bypassing an SAP CUA child system’s restrictions
2. Escalation of privileges in the SAP CUA model
3. Gathering information in the SAP CUA model
― Compromising a network
4. Intercepting data sent between child and central systems
18. Bypassing an SAP CUA child system’s restrictions
― Create a user: Execute FM BAPI_USER_CREATE1 (transaction SE37) in a child system
― Change a password: Edit the USRFLDSEL table (transaction SE16n) in a child system
― Assign a profile/role: Edit the USRFLDSEL table (transaction SE16n) in a child system
20. SAP CUA
Diagram: central CUA system with four child systems, linked by RFC connections.
SAP CUA user roles: SAP_BC_USR_CUA_CLIENT, SAP_BC_USR_CUA_SETUP_CLIENT, SAP_BC_USR_CUA_CENTRAL, SAP_BC_USR_CUA_CENTRAL_BDIST, SAP_BC_USR_CUA_SETUP_CENTRAL
RFC connection to the central CUA system; RFC connection to a child CUA system
Attacker
RSECTAB, RFCDES tables = User credentials
SE37 transaction = FM remote execution
22. Escalation of privileges in the SAP CUA model
― Reassign a User-System:
Execute FM BAPI_USER_SYSTEM_ASSIGN (SE37)
(Role SAP_BC_USR_CUA_SETUP_CENTRAL)
― Assign a profile:
Execute FM BAPI_USER_LOCPROFILES_ASSIGN (SE37)
(Role SAP_BC_USR_CUA_SETUP_CENTRAL)
― Assign a role:
Execute FM BAPI_USER_LOCACTGROUPS_ASSIGN (SE37)
(Role SAP_BC_USR_CUA_SETUP_CENTRAL)
― Gather information (continued)
23. Gathering information about the SAP CUA model
― CUA Users/hashes:
Execute in the central system
FM RFC_READ_TABLE (USR02, USH02, …)
(Role SAP_BC_USR_CUA_CENTRAL)
― The CUA model:
Locally execute Transaction SCUA
Execute in the central system
FM RFC_READ_TABLE (USZBVSYS, …) = CUA logs
Read local tables RFCDES, RSECTAB = RFC destinations
26. Sending user credentials to a child system
Diagram: RFC account password recovery from the captured packet fields: UserID, encrypted password, length, value used for gamma (keystream) generation, XORed password, recovered password.
28. Obtained account sent to a child system
― Get user list:
Execute FM BAPI_USER_GETLIST (SE37)
(Role SAP_BC_USR_CUA_SETUP_CLIENT)
― Create users:
Execute FM BAPI_USER_CREATE1 (SE37)
(Role SAP_BC_USR_CUA_SETUP_CLIENT)
― Assign privileges:
Execute FM BAPI_USER_PROFILES_ASSIGN (SE37)
(Role SAP_BC_USR_CUA_SETUP_CLIENT)
― Lock/Unlock users:
Execute FM BAPI_USER_LOCK/BAPI_USER_UNLOCK (SE37)
(Role SAP_BC_USR_CUA_SETUP_CLIENT)
29. Protection/Countermeasures
― Do not combine SAP systems of various security classifications in a single CUA model
― Delete SETUP roles for CUA users
― Apply Note 1997455 or modify SAP_BC_USR_CUA_CENTRAL role
― Activate table logging (USRFLDSEL)
― Enable SNC encryption for RFC connections
― Use trusted connections; assign S_RFC, S_ICF, S_RFCACL authorization objects to system users
― Control access to critical transactions: SM49, SE37, SCUA, ST04,…
― Configure ACL for SAP Gateway
― Do not forget about other clients
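Two of the countermeasures above (deleting the SETUP roles from the CUA communication users, and not mixing systems of different security classifications in one CUA model) can be checked mechanically against a role-assignment export. The Python below is an added example, not from the talk: the SIDs, user names and classification labels are constructed, and the record layout is a hypothetical simplification of an AGR_USERS-style export.

```python
from dataclasses import dataclass

# Standard CUA communication-user roles named in the talk. The SETUP roles are
# only needed while the CUA model is built; the talk's countermeasure is to
# delete them afterwards.
SETUP_ROLES = {"SAP_BC_USR_CUA_SETUP_CLIENT", "SAP_BC_USR_CUA_SETUP_CENTRAL"}


@dataclass(frozen=True)
class Assignment:
    system: str  # SID of the system in which the role is assigned
    user: str    # communication user behind an RFC destination
    role: str


def audit_setup_roles(assignments):
    """One finding per user/system that still holds a SETUP role."""
    return [
        f"{a.system}/{a.user}: remove {a.role} (only needed during CUA setup)"
        for a in assignments
        if a.role in SETUP_ROLES
    ]


def audit_classifications(model, classification):
    """Flag CUA models whose central and child systems differ in classification.

    model: {central_sid: [child_sid, ...]}; classification: {sid: label}.
    A system missing from the map is reported as 'unclassified', not skipped.
    """
    findings = []
    for central, children in model.items():
        labels = {classification.get(sid, "unclassified") for sid in (central, *children)}
        if len(labels) > 1:
            findings.append(f"CUA model {central}: mixed classifications {sorted(labels)}")
    return findings


# Constructed sample data: hypothetical SIDs, users and classification labels.
SAMPLE_ASSIGNMENTS = [
    Assignment("CUA", "CUA_RFC_HCM", "SAP_BC_USR_CUA_CENTRAL"),
    Assignment("CUA", "CUA_RFC_HCM", "SAP_BC_USR_CUA_SETUP_CENTRAL"),  # leftover
    Assignment("HCM", "CUA_CENTRAL", "SAP_BC_USR_CUA_CLIENT"),
    Assignment("DEV", "CUA_CENTRAL", "SAP_BC_USR_CUA_CLIENT"),
    Assignment("DEV", "CUA_CENTRAL", "SAP_BC_USR_CUA_SETUP_CLIENT"),  # leftover
]
SAMPLE_MODEL = {"CUA": ["HCM", "DEV"]}
SAMPLE_CLASSIFICATION = {"CUA": "production", "HCM": "production", "DEV": "development"}

if __name__ == "__main__":
    for line in audit_setup_roles(SAMPLE_ASSIGNMENTS) + audit_classifications(SAMPLE_MODEL, SAMPLE_CLASSIFICATION):
        print(line)
```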
31. Additional information
Transactions:
SCUA – Display System Landscape (CUA model)
SCUL – Log Display for Central User Administration
SCUM – User Distribution Field Selection
SCUG – Central User Administration Structure Display
SE37 – ABAP Function Modules
Notes:
492589 – Minimum authorizations for communication users
333441 – CUA: Tips for problem analysis
376856 – Password synchronization – Single Sign-On/CUA
1997455 – Potential information disclosure in BC-SEC-USR-ADM
Tables:
USZBVSYS – CUA: Assignment of Systems to Users
USRFLDSEL – CUA: Field Attributes