Security of the SAProuter
On https://service.sap.com/securitynotes -> News you can find a new spotlight news from 12.11.2013 about Security Notes concerning the SAP Router:
This news refers to security notes published back in May 2013 and older, but which are still open in many customer installations. The underlying security vulnerability is named in various publications, e.g. in this one from the RSA Conference in Singapore in June 2013: The State Of SAP Security 2013: Vulnerabilities, Threats and Trends by Alexander Polyakov.
You run at least one SAP Router installation within your DMZ, which is connected to the internet:
In this blog I would like to summarize the instructions on how to secure the SAP Router. Please feel free to comment on this blog to help me improve this documentation.
Most important activities:
- SAP recommends upgrading any (active) SAP Router installation as soon as possible
- Activate SNC to encrypt the communication channel to SAP support (or use hardware encryption using IPSEC)
- Use an access control list (saprouttab) to limit connectivity
As the SAP Router is an independent and compatible piece of software, you can update it without touching other parts of the Kernel. In fact, most of the active SAP Router installations are installed on other servers than the application servers of any ABAP system anyway. Therefore SAP recommends using the latest release everywhere. Currently you can find the releases 7.20 and 7.21 on http://service.sap.com/patches using the search. However, I assume that release 7.20 also works perfectly fine.
Note 1921693 explains how to get and update the SAP Router.
Caution: Unlike an update of the saprouttab, which can be done without restarting the SAP Router (option -n), any active connection will be terminated while the executables are replaced.
Neither the EWA / RSECNOTE nor the application System Recommendations in the SAP Solution Manager can tell you whether your SAP Router installations are up to date, as both tools only have access to the Kernel version (disp+work) of the ABAP system itself. Therefore you have to find any outdated SAP Router installation yourself. If you have configured the SAP Solution Manager to manage SAP Router installations, you can use transaction SOLMAN_SAPROUTER to find the installations known to the SAP Solution Manager.
These security notes are part of the latest version of the SAP Router:
- Note 1820666 – Potential remote code execution in SAP Router
An attacker could possibly exploit SAP Router in order to take control of an SAP application, including viewing, changing, or deleting data.
- Note 1663732 – Potential information disclosure relating to SAP Router
An attacker could possibly discover information relating to SAP Router connections if SAP Router is used for Internet communication and if it is started with the option “-n”. This information could possibly be abused to tailor attacks against the application server.
Architecture with IPSEC (hardware based)
Architecture with SNC (software based / certificate based)
- Note 1895350 gives some more recommendations on the secure configuration of SAP Router
- Note 1853140 describes the recommendation from SAP not to use the remote administration option of the SAP Router.
- Note 48243 explains how to integrate the SAP Router into a firewall.
- SAP Router Entry page
- Creating a Route Permission Table
- Option -S to change the default port
- Option -n to update the saprouttab without restarting the SAP Router
Documentation on SMP:
- Step by Step Procedure for SAP Router SNC Configuration
- SAProuter – SNC or VPN?
- Getting Started with SAProuter – Tutorials
Taken together, these documents propose additional activities:
- Change the default port
- Use an SAP Router password for SAP Support
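To make the first-match semantics of the route permission table concrete, here is an added Python example (not SAP's code and not from this blog) that parses a small subset of the saprouttab format and evaluates connection requests against a fully open table and a restricted one. It assumes the documented P/S/D actions (and their SNC-only variants KP/KS/KD), "*" wildcards in host and service fields, first matching line decides, and implicit deny when nothing matches; all host names and addresses are constructed placeholders.

```python
import fnmatch

# Assumed saprouttab subset (added example, not SAP's implementation):
#   action source-host dest-host dest-service [password]
# P = permit, S = permit SAP protocol only, D = deny; KP/KS/KD = same, SNC only.
# '*' wildcards in hosts/service; first matching line wins; no match = deny.
ACTIONS = ("P", "S", "D", "KP", "KS", "KD")

def parse_saprouttab(text):
    """Parse saprouttab lines into rule dicts, ignoring comments and blank lines."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 4 or parts[0] not in ACTIONS:
            raise ValueError("bad saprouttab line: " + raw)
        rules.append({"action": parts[0], "src": parts[1], "dst": parts[2],
                      "serv": parts[3], "pw": parts[4] if len(parts) > 4 else ""})
    return rules

def check_route(rules, src, dst, serv, snc=False, native=False):
    """Return ('permit'|'deny', index of the deciding line or None for implicit deny)."""
    for i, r in enumerate(rules):
        if not (fnmatch.fnmatchcase(src, r["src"]) and fnmatch.fnmatchcase(dst, r["dst"])
                and fnmatch.fnmatchcase(str(serv), r["serv"])):
            continue
        if r["action"].startswith("K") and not snc:
            continue  # assumption: SNC-only lines do not apply to unencrypted requests
        action = r["action"].lstrip("K")
        if action == "D" or (action == "S" and native):
            return "deny", i  # S lines refuse native (non-SAP-protocol) connections
        return "permit", i
    return "deny", None

def evaluate(tab, requests):
    rules = parse_saprouttab(tab)
    return [check_route(rules, *req)[0] for req in requests]

# Constructed tables: the open one is the setting the notes warn about.
WEAK_TAB = "P * * *   # anyone may reach any host and port through the router\n"
HARDENED_TAB = """
# SAP support (placeholder host) via SNC to the dispatcher port only, else deny
KS sapserv.example appserver01.example.internal 3200
D  * * *
"""
REQUESTS = [  # (src, dst, service, snc, native) - constructed placeholders
    ("sapserv.example", "appserver01.example.internal", 3200, True, False),
    ("sapserv.example", "appserver01.example.internal", 3200, False, False),
    ("198.51.100.7", "appserver01.example.internal", 3200, False, False),
    ("198.51.100.7", "dbserver01.example.internal", 22, False, True),
]
```

Running evaluate() on both tables shows that the open table permits all four requests, including a native TCP hop to an SSH port, while the restricted one permits only the SNC-protected support connection.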
New, June 2014: Do you know about the new option to change the “SAP Router password for SAP Support” for all systems with a single step?
In the past you had to change the password for every system individually. If you run many systems this was a nightmare, which in practice meant the option was never used.
Now you find a tiny checkbox in the Service Connection settings labelled “Apply the changes to all the systems this SAP Router is assigned to”. Using this option you can efficiently set a new password. (If you are using an “Additional SAP Router” you still need to set the password individually for this additional SAP Router.)
If you are running SAP Solution Manager 7.1 you have additional options to monitor and manage the SAP Router.
Active Global Support