Over the previous two weeks we have been discussing the top 9 critical areas [1] and the 33 steps to be taken for a security assessment [2]. Most recently, we covered patch management flaws, the first critical category in our list. As you have probably guessed, today it is time to take a closer look at the next item from our list of critical issues: default passwords.

It is a wide-reaching vulnerability with multiple attack vectors. Because it requires little skill, exploitation of default passwords is now among the most frequently used ways of getting access to a company's data. Once installed, an SAP system has several standard clients: 000, 001 and 066. Each of them contains standard users with high privileges set by default (usually the SAP_ALL profile). When new clients are created, the SAP system automatically generates these default usernames and passwords in them as well.

In version 6.10 of SAP Web Application Server, the so-called Master Passwords [3] were first introduced.
Users should be particularly careful, because the vendor's default accounts and their passwords are well known. The following table lists the default passwords we have gathered:

USER         PASSWORD             CLIENT
SAP*         06071992, PASS       001, 066, Custom
DDIC         19920706             000, 001, Custom
TMSADM       PASSWORD, $1Pawd2&   000
SAPCPIC      ADMIN                000, 001
EARLYWATCH   SUPPORT              066


Further steps

Some additional SAP components also have their own default passwords. For example, old versions of services such as SAP SDM and SAP ITS ship with pre-installed default passwords.


After you have finished checking for default passwords, check user passwords against simple dictionary words. We suggest using an efficient password brute-forcing utility; John the Ripper, in particular, is a good fit. Alternatively, you can use ERPScan Security Monitoring Suite.


Besides, default passwords should be checked in all associated systems. Don't forget to check your network equipment, operating systems and the DBMS that stores the SAP system data. Oracle DBMS, for instance, contains a lot of default passwords, including some specific to SAP systems.


[EASAI-NA-03] Default password check for the SAP* user


Description

The SAP* user is created in all clients immediately after installation. It is a dialog user that works via SAP GUI (user type = dialog). It performs all administrative tasks (and usually has the SAP_ALL profile). If the SAP* user has been deleted, then after the system is restarted anyone can log in with the standard password PASS and obtain all the corresponding SAP_ALL privileges.


Threat

The default passwords of the SAP* user are well known (see the table above). With these passwords, an adversary may enter the system with the SAP_ALL profile and, consequently, get unlimited access to any business data stored in the system.


Solution

  • First, keep the SAP* user with superuser rights in all clients (do not delete it!) and lock it: in transaction SU01, select the SAP* user and click the Lock/Unlock icon (Ctrl+F5);
  • Set login/no_automatic_user_sapstar to 1 (transactions RZ10 and RZ11). Note that in versions 3.1G and lower, the parameter login/noautomatic_user_sap* is used instead (for further information, see SAP Security Note 68048 [4]);
  • Change the SAP* default password (transaction SU01);
  • Make sure that the user now belongs to the SUPER group in all clients: in transaction SU01, select the SAP* user, click the Change icon (Shift+F6), then open the Logon Data tab.

[EASAI-NA-04] Default password check for the DDIC user


Description

The DDIC user is created in clients 000 and 001 upon their installation (and copying). This default system user is intended for system installation, upgrade, configuration and operation. It is also used for importing support packages, for upgrades and for running the background jobs triggered by the Transport Tool.
In client 000 this user is of dialog type: it may log on via SAP GUI and perform any action.
In all other clients it is a system-type user: it may perform background processing and interact with the system. The SAP_ALL and SAP_NEW profiles, which grant access to all functions of the SAP system, are assigned to this user.


Threat

The default password of the DDIC user is well known (see the table above). With this password, an adversary can enter the system with the SAP_ALL profile and, consequently, get unlimited access to any business data stored in the system.


Solution


WARNING! Do not delete the DDIC user or its profile! The DDIC user is necessary for certain tasks, such as installation or updates, and it also interacts with the ABAP Dictionary. Deleting the DDIC user results in a loss of functionality in these areas. It is, however, acceptable (and highly recommended by some sources) to remove it in all clients except 000.

  • In client 000, change the user type to SYSTEM;
  • Remove the SAP_ALL profile;
  • Lock the DDIC user and unlock it only when needed. Note that the transport system executes certain programs on behalf of the DDIC user;
  • Change the default password of the DDIC user;
  • Make sure that the DDIC user belongs to the SUPER group in all clients, so that only authorized administrators have the right to modify this account;
  • Perform regular checks of your clients to eliminate the risk of illicit access.

[EASAI-NA-05] Default password check for the SAPCPIC user


Description

The SAPCPIC user is used in the transport system of SAP solutions (in versions 4.5A and lower). It is a communication-type user, mostly used for EDI (Electronic Data Interchange). It may also perform RFC calls without dialog boxes.
This user does not have dialog-user privileges, but it has the S_A.CPIC profile. As a result, the following authorization objects are critical:

  • S_CPIC (calling CPIC functions from ABAP/4 programs),
  • S_DATASET (privileges to access files from ABAP/4 programs), and
  • S_RFC (authorization check for RFC access to program modules, for example, to a function group).

Threat

The default password of the SAPCPIC user is well known (see the table above). With this password, an adversary can remotely execute RFC requests (e.g. start OS programs), execute arbitrary OS commands through RFC vulnerabilities (e.g. TH_GREP), or create dialog users with any privileges, enter the system and get unlimited access to the data.


Solution

Remove the SAPCPIC user if you do not need it. If the user is still necessary:

  • Change the default password of the SAPCPIC user;
  • Lock the SAPCPIC user and unlock it only when necessary;
  • If this user is required for EDI purposes (e.g. by a contractor), never transmit its password via a remote session; it is preferable to use a separate communication channel, e.g. e-mail. Change the password immediately after the remote session is over;
  • Make sure that this user belongs to the SUPER group in all clients, so that only authorized administrators have the right to change this user's account;
  • Define a dedicated user for remote access. Do not use any default users;
  • Perform regular checks of your clients to eliminate the risk of illicit access.

[EASAI-NA-06] Default password check for TMSADM user


Description

The TMSADM user is used for transfers through the transport system. It is created automatically in client 000 when the Transport Management System (TMS) is configured or changed.
It is a communication user, in other words, it is often used for external RFC calls without dialog boxes. It has the S_A.TMSADM authorization profile assigned, which lets it use RFC functions with GUI and write to the file system. The SAP_ALL profile is also often assigned to this user.


Threat

The default password of the TMSADM user is well known. An adversary may remotely issue RFC requests to perform critical actions such as deleting and reading files (EPS_DELETE_FILE, EPS_OPEN_FILE2), execute arbitrary ABAP code (through vulnerabilities in the RFC_ABAP_INSTALL_AND_RUN or TTMS_CI_START_SERVICE functions) and, using BAPI_USER_CREATE1 and SUSR_RFC_USER_INTERFACE, create a dialog user and, consequently, enter the system and get unlimited access to business data.


Solution

  • Change the default password of the TMSADM user. To do so (according to Note 1414256 [5]):
    • Log on to client 000 with any user that has administrative rights.
    • Start the TMS_UPDATE_PWD_OF_TMSADM program in the ABAP editor (transaction SE38). The program offers three ways to change the TMSADM password:
      • enter your own password,
      • set the new standard password (Note 761637, $1Pawd2&), or
      • set the old standard password (PASSWORD);
    • Select the option “To enter your own password” in the dialog box and enter the new password;
    • Run the program.
  • Make sure that this user belongs to the SUPER group in all clients, so that only authorized administrators have the right to change this user's account;
  • Define a dedicated user for remote access. Do not use any default users;
  • Perform regular checks of your clients to eliminate the risk of illicit access.

Additionally, apply the security notes for vulnerabilities in the programs that the TMSADM user can execute, such as:

  • SAP Security Note 1298160 for vulnerabilities in TTMS_CI_START_SERVICE;
  • SAP Security Note 1330776 for vulnerabilities in EPS_DELETE_FILE and EPS_OPEN_FILE2.

[EASAI-NA-07] Default password check for the EARLYWATCH user


Description

The EARLYWATCH user is created in client 066 upon SAP installation and is of dialog type. It can log on via SAP GUI and perform any action in the system. It is used for SAP remote management and for access to monitoring data. As a rule, SAP AG customer support uses it to enter customers' systems. Change the default password of the EARLYWATCH user, but never delete the user.


Threat

The default password of the EARLYWATCH user is well known (see the table above). With this password, an adversary can enter the system with the S_TOOLS_EX_A profile and, consequently, perform various critical actions (for example, access any files, view sensitive tables or display external statistics records via the control tools). In old versions (6.4 and lower), this user could execute critical transactions such as SE37 (function module execution) and SE38 (running reports). In newer versions it has fewer privileges, but it can still exploit some vulnerabilities, such as the TH_GREP call via transaction SM51, and consequently execute arbitrary OS commands.


Solution


WARNING! Do not delete the EARLYWATCH user or its profile!

  • Lock the EARLYWATCH user and unlock it only when necessary;
  • Change the default password of the EARLYWATCH user;
  • Make sure that this user belongs to the SUPER group in all clients, so that only authorized administrators have the right to change this user's account;
  • Perform regular checks of your clients to eliminate the risk of illicit access to the system.
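As an added example (not ERPScan's tool and not code from the original post), the following Python script evaluates the solution steps of EASAI-NA-03 to EASAI-NA-07 above against a constructed export of the USR02 (user master) and UST04 (profile assignment) tables plus an instance-profile extract. The column names follow those SAP tables, the lock-flag interpretation is simplified, and all values are made up.

```python
import csv
from io import StringIO

# Constructed sample exports (made-up data); columns follow SAP tables USR02 and
# UST04. USTYP: A=dialog, B=system, C=communication. UFLAG: 0=unlocked, else locked.
USR02 = """MANDT,BNAME,USTYP,UFLAG,CLASS
000,SAP*,A,64,SUPER
000,DDIC,A,0,
000,TMSADM,B,0,SUPER
001,SAP*,A,0,SUPER
001,DDIC,B,64,SUPER
001,SAPCPIC,C,0,
066,EARLYWATCH,A,0,
"""
UST04 = """MANDT,BNAME,PROFILE
000,DDIC,SAP_ALL
000,DDIC,SAP_NEW
000,TMSADM,SAP_ALL
"""
# Constructed instance-profile extract in RZ10 "name = value" form.
PROFILE = """login/no_automatic_user_sapstar = 0
"""
# Per user: (must be locked, SAP_ALL forbidden). TMSADM is left unlocked since TMS uses it.
RULES = {"SAP*": (True, False), "DDIC": (True, True), "SAPCPIC": (True, False),
         "TMSADM": (False, True), "EARLYWATCH": (True, False)}

def audit(usr02_csv, ust04_csv, profile_text):
    """Return one finding string per violated EASAI-NA-03..07 check."""
    users = list(csv.DictReader(StringIO(usr02_csv)))
    profiles = {(r["MANDT"], r["BNAME"], r["PROFILE"])
                for r in csv.DictReader(StringIO(ust04_csv))}
    params = {k.strip(): v.strip() for k, v in
              (line.split("=", 1) for line in profile_text.splitlines() if "=" in line)}
    findings = []
    if params.get("login/no_automatic_user_sapstar") != "1":
        findings.append("login/no_automatic_user_sapstar != 1")
    # SAP* must exist in every client, otherwise the built-in PASS logon works.
    present = {(u["MANDT"], u["BNAME"]) for u in users}
    for client in sorted({u["MANDT"] for u in users}):
        if (client, "SAP*") not in present:
            findings.append(f"SAP* missing in client {client}")
    for u in (u for u in users if u["BNAME"] in RULES):
        client, name = u["MANDT"], u["BNAME"]
        must_lock, no_sap_all = RULES[name]
        if must_lock and u["UFLAG"] == "0":
            findings.append(f"{name} in client {client} is not locked")
        if u["CLASS"] != "SUPER":
            findings.append(f"{name} in client {client} is not in group SUPER")
        if no_sap_all and (client, name, "SAP_ALL") in profiles:
            findings.append(f"{name} in client {client} has SAP_ALL")
        if name == "DDIC" and client == "000" and u["USTYP"] != "B":
            findings.append("DDIC in client 000 is not a SYSTEM user")
        if name == "SAPCPIC":
            findings.append(f"SAPCPIC exists in client {client}; remove it if unused")
    return findings
```

On the sample data the script reports 13 findings, including the unset profile parameter and the missing SAP* in client 066; the locked, SUPER-group DDIC in client 001 passes.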

By now you should have noticed how easily and clearly we try to explain technical subjects. You should also have noticed, and wondered, how we managed to make the list of critical issues so brief. You may even have marveled at how we sometimes point out what it all means, what it is good for, and why you should care. It is completely up to you, but if you like our articles we strongly recommend that you stay with us, as in two weeks we will come back with a description of the next critical issue.


11 Comments


  1. Martin English

    Thanks for the marketing 🙂

    There is no default password for SAP*, DDIC, or <sid>admin in the installation of modern SAP Web Application Servers. The fact that you are unaware of this (or deliberately ignoring it) gives rise to a lack of credibility.

    hth

    1. Julius von dem Bussche

      This was a very good move on SAP’s part indeed (initial passwords set by customer in the installation procedures). But older installations are still around and you can still bump into DDIC and SAP* from time to time.

      SAPCPIC should simply be deleted. Urban legends about RFC connections needing SAPCPIC are however still around. All false. You also do not need any user of type C at all anymore – obsolete but still in circulation on older installations.

      EARLYWATCH is also not correct here IMO. You can now delete the entire client 066 (see SAP note 1897372) and along with that EARLYWATCH will be sent into the netherworld as well.

      Cheers,

      Julius

      1. Julius von dem Bussche

        ps: TMSADM deserves a blog all on its own. It is much more complex than just the password and default authorizations. It is an institution with a lot of organizational aspects also linked to management of DDIC and design of the CTS routes, Charm, external schedulers, upgrades. In the case of TMSADM I even consider the password to be the lesser evil and the patching, the user type ❗ and design of the CTS delivery and SCC4 / SE06 / authorization settings to be more important than the password.

        Main reason is that even if you change the password, it is still stored in the secure storage of the connection, so you don’t actually need to know what the password is.

        Cheers,

        Julius

        1. Alexander Polyakov Post author

          The phrase “TMSADM deserves a blog all on its own” looks quite strange, because all recommendations about TMSADM were copy-pasted from SAP's security notes, so finally it means that SAP deserves its own; is that what you are trying to say?

          1. Julius von dem Bussche

            I did not realize that you were simply copy&pasting text from SAP notes into blogs. Please avoid reproducing copies of SAP information which might change.

            TMSADM is an age old secret passed on from generation to generation of basis admins. The first signs of problems related to the user type which SAP changed to SYSTEM. That is IMO the most important change made.

            The password in relation to the user’s (correct) authorizations is considered a configuration convenience. Even if you change the password, it will be saved into the domain controller’s connection data so misuse from a source system in the domain does not need the password. As with all RFC connections of this type, the authorizations of the user are more important than the password management to avoid attacks against the system.

            Luckily SAP is making a clearer distinction between Java stack systems and ABAP systems. That helps a lot as well.

            Cheers,

            Julius

          2. Kay Siebers

            Hi Alexander,

            Thanks for compiling these recommendations.

            You should also look for OSS note 1749142 – “How to remove unused clients including client 001 and 066”.

            Regarding Client 066:

            “… This client is not used anymore, therefore you can safely remove the client 066 if available. (Note 7312 shows some more information about this client.)

            SAP NetWeaver 7.40 is the last release delivering the client 066 with the installation or upgrade….”

            Cheers,

            Kay

      2. Alexander Polyakov Post author

        Thanks for the update, Julius.

        Regarding SAPCPIC, we noted that this user can be deleted if it is not used; however, there is no official proof from SAP that nothing will happen in every installation if this user is deleted.

        Regarding EarlyWatch, it is really great that there is now an official note with proof from SAP that EarlyWatch can be deleted, and we will add this to the updated document.

        As you can see, we know that most of those users can simply be deleted in 99% of systems, but as long as there is a small chance that this may affect productivity, we will never recommend it until SAP clearly states that those users are not necessary.

        Our goal is to provide recommendations to secure systems with minimum effort, so changing the default password and locking the user seems to be the best option if we take security, business continuity and availability into account all together.

        1. Julius von dem Bussche

          Yes, of course you must check that something is not used before you delete it (or change the password and lock it).

          If the latter works fine, then the former does as well in the case of SAPCPIC, EARLYWATCH and 066.

          Just a bigger hammer with less effort..  🙂

          Cheers,

          Julius

    2. Alexander Polyakov Post author

      Dear Martin, SAP definitely made great steps in terms of making new SAP systems secure by default without providing default passwords; however, if you or I or any other person with good expertise know about these problems, it doesn't mean that everybody knows that.

      According to our penetration test statistics, in every company we saw at least one system with one default password. Our goal here is to tell where the problems can be and how to solve them.

