SAP Gateway ACL (secinfo, reginfo) Generator (10KBlaze fix)

In April 2019, SAP Gateway and Message Server security became the talk of the town. Malicious cyber actors can attack and compromise insecure SAP systems (systems without proper Message Server and Gateway ACLs and the required parameters) with publicly available exploit tools, termed “10KBLAZE”. Read https://www.us-cert.gov/ncas/alerts/AA19-122A

I tried this released Python program and I was able to get SIDADM authorizations within a minute without any credentials. It is quite unnerving.

To secure SAP systems from this vulnerability, we need to follow the steps mentioned in SAP Notes 821875, 1421005 and 1408081.

Message Server ACLs are normally straightforward to maintain, but it is quite overwhelming to write the Gateway ACL files, secinfo and reginfo. It could impact operations if we deny access to legitimate programs/servers.

I developed a Java program which helps analyze Gateway logs (gw_log*) and automatically generates secinfo and reginfo files, making the SAP system administrator’s life easy.

The Java program is available as open source at https://github.com/vinodpats/gwlogsanalyzer10KBlaze

Follow the steps below to use this Java program.

  1. Turn on Gateway simulation using profile parameter gw/sim_mode=1.
  2. Update profile parameter gw/reg_no_conn_info as per Note 1444282. The higher, the better.
  3. Change profile parameter gw/acl_mode=1.
  4. Use centralized ACL files by setting the profile parameters below:

     gw/sec_info=$(DIR_GLOBAL)/secinfo

     gw/reg_info=$(DIR_GLOBAL)/reginfo

     You may want to have separate ACL files per application server (instead of centralized ACLs) for business reasons. In that case, note the standard file locations.

  5. Turn on Gateway logging (refer to Note 2527689). Maintain this in the profile as well. Change the parameter to gw/logging=ACTION=SsPZ LOGFILE=gw_log-%y-%m-%d SWITCHTF=day

Note that Gateway security is still in simulation mode. The system will now start generating logs in the work directory. A daily log file could contain hundreds of lines depending on the system configuration.

After a couple of weeks, copy all log files to a directory, say c:\gwlog.

Run this Java program and provide the logs directory path (c:\gwlog). The program will analyze all logs and generate the secinfo and reginfo files.

Now follow the last 2 steps:

  6. Analyze the entries in these files (update if required) and then place the files at the $(DIR_GLOBAL) path.

  7. Finally, turn off simulation mode by changing profile parameter gw/sim_mode=0.
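To make the log-to-ACL step concrete, here is an added example in Python (not the gwlogsanalyzer10KBlaze project’s own code) that does the core of what steps 5 and 6 describe: read simulation-mode Gateway log lines, deduplicate the registration and program-start events, emit reginfo and secinfo files in the documented VERSION=2 syntax with an explicit final deny rule, and run a small review check before the files are placed under $(DIR_GLOBAL). The log line layout (`SIM REGISTER TP=... HOST=...` and `SIM START TP=... USER=... USER-HOST=... HOST=...`) is a constructed, simplified stand-in, because real gw_log output varies by NetWeaver release; adapt LOG_RE to your own logs. The rule keys (TP, HOST, ACCESS, CANCEL for reginfo; TP, USER, USER-HOST, HOST for secinfo) and the `internal`/`local` keywords are the standard ones.

```python
"""Generate candidate secinfo/reginfo files from Gateway simulation-mode logs.

Added example, not the gwlogsanalyzer10KBlaze code. ASSUMPTION: the log line
format matched by LOG_RE is a constructed stand-in for real gw_log entries.
"""
import re
import sys

# Constructed sample log lines in the assumed simplified format.
SAMPLE_LOG = """\
2019-05-06 10:22:43 SIM REGISTER TP=SAPXPG_DBG HOST=apphost01
2019-05-06 10:22:44 SIM REGISTER TP=SAPXPG_DBG HOST=apphost01
2019-05-06 10:25:01 SIM REGISTER TP=IGS.SID HOST=igshost
2019-05-06 10:30:12 SIM START TP=/usr/sap/SID/SYS/exe/run/sapxpg USER=BATCHUSR USER-HOST=apphost01 HOST=apphost01
2019-05-06 10:31:00 SIM START TP=tp USER=DDIC USER-HOST=apphost02 HOST=apphost02
2019-05-06 10:31:05 GwMonitor: some unrelated gateway line
"""

# Assumed line layout: "... SIM <REGISTER|START> key=value key=value ..."
LOG_RE = re.compile(r"SIM (?P<kind>REGISTER|START) (?P<kv>.*)$")


def parse_log(text):
    """Return (registrations, starts): ordered, de-duplicated lists of dicts."""
    regs, starts = {}, {}
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue  # not a simulation-mode security event
        kv = dict(tok.split("=", 1) for tok in m.group("kv").split())
        target = regs if m.group("kind") == "REGISTER" else starts
        target.setdefault(tuple(sorted(kv.items())), kv)  # collapse repeats
    return list(regs.values()), list(starts.values())


def build_reginfo(regs):
    """reginfo: which hosts may register which programs, and who may use them."""
    lines = ["#VERSION=2"]
    for r in regs:
        # ACCESS/CANCEL limited to the system's own instances ("internal").
        lines.append(f"P TP={r['TP']} HOST={r['HOST']} ACCESS=internal CANCEL=internal")
    lines.append("D TP=* HOST=* ACCESS=* CANCEL=*")  # explicit catch-all deny
    return "\n".join(lines) + "\n"


def build_secinfo(starts):
    """secinfo: which users on which hosts may start which programs where."""
    lines = ["#VERSION=2", "P TP=* USER=* USER-HOST=local HOST=local"]  # keep local starts
    for s in starts:
        lines.append(f"P TP={s['TP']} USER={s['USER']} USER-HOST={s['USER-HOST']} HOST={s['HOST']}")
    lines.append("D TP=* USER=* USER-HOST=* HOST=*")  # explicit catch-all deny
    return "\n".join(lines) + "\n"


def check_acl(text):
    """Step-6 review helper: flag wildcard permits and a missing final deny."""
    problems = []
    rules = [l for l in text.splitlines() if l and not l.startswith("#")]
    if not rules or not rules[-1].startswith("D "):
        problems.append("last rule is not an explicit deny")
    for r in rules:
        # "HOST=*" must be the HOST key itself, not the USER-HOST key.
        if r.startswith("P ") and "TP=*" in r and re.search(r"(?:^| )HOST=\*", r):
            problems.append(f"wildcard permit: {r}")
    return problems


def generate(text):
    """Return (secinfo_text, reginfo_text) for a block of log text."""
    regs, starts = parse_log(text)
    return build_secinfo(starts), build_reginfo(regs)


if __name__ == "__main__":
    # Usage: python gwacl.py < gw_log-2019-05-06  (defaults to SAMPLE_LOG)
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LOG
    secinfo, reginfo = generate(data)
    print("# --- secinfo ---\n" + secinfo + "# --- reginfo ---\n" + reginfo)
    for p in check_acl(secinfo) + check_acl(reginfo):
        print("WARNING:", p)
```

Every rule the generator emits is one that the logs show was actually used, and the last line of each file is a deny-all, so anything not observed during the simulation window is rejected once gw/sim_mode is set back to 0; review the proposed rules before deploying them, since a two-week window may miss rarely used interfaces.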

Kindly use these instructions with caution and keep systems safe!!

3 Comments
  • Hello Vinod, all

    Just wanted to let you know that, depending on the SAP NetWeaver (SAP_BASIS component) release and Support Package (SP) level, there is already an option to generate an initial reginfo/secinfo file within SAP itself.

    Go to the transaction SMGW, menu Goto -> Expert functions -> External security -> Maintain ACL files. Then, under each tab (Secinfo File; Reginfo File) there is a “log analysis” button.

    This will analyze the Gateway logging (step #5, above) and suggest the corresponding rules.

    Best regards,

    Isaías

    • Hello Isaías,

      Yes that’s right. Unfortunately our client system is still on NW 7.01 hence this tool was missing.

      I actually tested this new tool in demo NW 7.5 system and it looks like it proposes secinfo and reginfo based on connection rejections:)

      Thank you for your comment.


      Regards,

      Vinod Patil