In April 2019, SAP Gateway and Message Server security became the talk of the town. Malicious cyber actors can attack and compromise unsecured SAP systems (systems without proper Message Server and Gateway ACLs and the required parameters) with publicly available exploit tools, termed "10KBLAZE". Read https://www.us-cert.gov/ncas/alerts/AA19-122A
I tried the released Python program and was able to get SIDADM authorizations within a minute without any credentials. It is quite unnerving.
To secure SAP systems against this vulnerability, follow the steps described in SAP Notes 821875, 1421005 and 1408081.
Message Server ACLs are normally straightforward to maintain, but writing the Gateway ACL files (secinfo and reginfo) is quite overwhelming: denying access to legitimate programs or servers could impact operations.
I developed a Java program that helps analyze Gateway logs (gw_log*) and automatically generates secinfo and reginfo files, making the SAP system administrator's life easier.
The Java program is available as open source at https://github.com/vinodpats/gwlogsanalyzer10KBlaze
Follow the steps below to use this Java program.
1. Turn on Gateway simulation mode using profile parameter gw/sim_mode = 1
2. Update profile parameter gw/reg_no_conn_info as per Note 1444282. The higher, the better.
3. Change profile parameter gw/acl_mode = 1
4. Use centralized ACL files by setting the profile parameters below:
You may want separate ACL files per application server (instead of centralized ACLs) for business reasons. In that case, note the standard file locations.
5. Turn on Gateway logging (refer to Note 2527689) and maintain this in the profile as well. Set parameter gw/logging=ACTION=SsPZ LOGFILE=gw_log-%y-%m-%d SWITCHTF=day
Note that Gateway security is still in simulation mode (access is logged, not denied). The system will now start writing logs to the work directory; a daily log file can run to hundreds of lines depending on the system configuration.
After a couple of weeks, copy all log files to a directory, say c:\gwlog.
Run the Java program and provide the log directory path (c:\gwlog). The program analyzes all logs and generates the secinfo and reginfo files.
Now follow the last two steps:
6. Analyze the entries in these files (update them if required) and then place the files at the $(DIR_GLOBAL) path.
7. Finally, turn off simulation mode by changing profile parameter gw/sim_mode = 0.
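To make the log-to-ACL idea concrete, here is an added Python sketch (my own illustration, not the Java tool from the repository above): it de-duplicates program start and registration events from simplified log lines and emits secinfo/reginfo entries in the VERSION=2 syntax, closing each file with a deny-all rule. The log line layout and the sample hosts/programs are constructed assumptions; the real gw_log format differs.

```python
import re

# Constructed sample standing in for gw_log-* content.  The START/REGISTER
# layout is an assumption for this example; the real gw_log format differs.
SAMPLE_LOG = """\
20190501 081501 START TP=/usr/sap/X11/SYS/exe/run/saphostexec USER=x11adm HOST=sapapp01
20190501 081502 START TP=sapxpg USER=x11adm HOST=sapapp01
20190501 081503 REGISTER TP=IGS.X11 HOST=sapapp01
20190501 083000 START TP=sapxpg USER=x11adm HOST=sapapp01
20190502 091200 REGISTER TP=SAPSLDAPI HOST=slddev01
20190502 091300 START TP=rfcexec USER=batchusr HOST=extjob02
unrelated line that the parser must ignore
"""
START_RE = re.compile(r"\bSTART TP=(\S+) USER=(\S+) HOST=(\S+)")
REG_RE = re.compile(r"\bREGISTER TP=(\S+) HOST=(\S+)")

def parse_gw_log(text):
    """Return (starts, registers): ordered, de-duplicated tuples."""
    starts, regs = {}, {}          # dicts keep insertion order
    for line in text.splitlines():
        m = START_RE.search(line)
        if m:
            starts[m.groups()] = None  # (tp, user, host)
            continue
        m = REG_RE.search(line)
        if m:
            regs[m.groups()] = None    # (tp, host)
    return list(starts), list(regs)

def build_secinfo(starts):
    """secinfo (VERSION=2 syntax): permit observed starts, deny all else."""
    lines = ["#VERSION=2",
             "P TP=* USER=* USER-HOST=internal HOST=internal"]  # app servers
    for tp, user, host in sorted(starts):
        lines.append(f"P TP={tp} USER={user} HOST={host}")
    lines.append("D TP=* USER=* HOST=*")  # closing deny-all rule
    return lines

def build_reginfo(regs):
    """reginfo (VERSION=2 syntax): permit observed registrations only."""
    lines = ["#VERSION=2"]
    for tp, host in sorted(regs):
        lines.append(f"P TP={tp} HOST={host} ACCESS=internal CANCEL=internal")
    lines.append("D TP=* HOST=*")  # closing deny-all rule
    return lines

if __name__ == "__main__":
    s, r = parse_gw_log(SAMPLE_LOG)
    print("\n".join(build_secinfo(s) + [""] + build_reginfo(r)))
```

Review the generated permit lines before deploying them, as step 6 says; the deny-all rule at the end of each file is what makes the ACL effective.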
Kindly use these instructions with caution and keep systems safe!!