RFC Gateway security, part 4 – prxyinfo ACL

From my experience, RFC Gateway security is still a poorly understood topic for many SAP administrators. As a result, many SAP systems lack, for example, properly defined ACLs to prevent malicious use.

After an attack vector was published in the talk “SAP Gateway to Heaven” by Mathieu Geli and Dmitry Chastuhin at OPDCA 2019 Dubai (https://github.com/gelim/sap_ms), RFC Gateway security is more important than ever. This publication received considerable public attention under the name 10KBLAZE.

With this blog post series I try to give a comprehensive explanation of RFC Gateway security:

Part 1: General questions about the RFC Gateway and RFC Gateway security.

Part 2: reginfo ACL in detail.

Part 3: secinfo ACL in detail.

Part 4: prxyinfo ACL in detail.

Part 5: ACLs and the RFC Gateway security.

Part 6: RFC Gateway Logging.

prxyinfo ACL


Please make sure you have read at least part 1 of this series to be familiar with the basics of the RFC Gateway and the terms I use to describe things.

What exactly is defined in the rules in the prxyinfo ACL?

The prxyinfo ACL contains rules related to ‘Proxy to other RFC Gateways’.

Every line corresponds to one rule. A rule defines:

    • whether it is a permit or a deny. This is indicated by the letter P or D at the beginning of the rule.
    • which source is allowed to proxy. This is defined in SOURCE=.
    • which target is allowed to be reached. This is defined in DEST=.

What are the common use-cases?

The RFC Gateway may be used to circumvent network-level restrictions. For example, SAP system ‘SRC’ cannot directly connect to SAP system ‘TGT’. The system ‘SRC’ can, however, connect to the stand-alone RFC Gateway ‘PXY’, and the stand-alone RFC Gateway ‘PXY’ is allowed to connect to ‘TGT’. In this scenario system ‘SRC’ may proxy requests via ‘PXY’ to the target system ‘TGT’.

To identify this use case on system ‘SRC’, we can look in transaction SM59 for any connection whose ‘Gateway Host’ differs from the IP address or hostname of every application server of the same system, and whose ‘Target Host’ is not directly accessible from at least one of the application servers of the same system.

To identify whether an RFC Gateway is used to proxy requests, we have to look at the log files of the RFC Gateway and search for ‘prxyinfo accepted:’ or ‘prxyinfo denied:’.

SAP introduced an internal rule in the prxyinfo ACL that allows proxying:

P SOURCE=* DEST=*

This rule is applied when no custom prxyinfo ACL has been defined, i.e., without a custom ACL any source may proxy through the RFC Gateway to any destination.
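The following is an added example, not code from the blog post or from SAP, that shows how the three elements of a prxyinfo rule (P/D, SOURCE=, DEST=) decide whether a proxy request is accepted. It parses the ACL text, evaluates requests top-down with the first matching rule winning, and contrasts the SAP-internal default rule `P SOURCE=* DEST=*` with a restrictive ACL for the SRC → PXY → TGT scenario above. The hostnames are constructed; the wildcard handling (`*` and comma-separated lists, case-insensitive), the implicit deny when no rule matches, and the omission of the `internal` keyword are simplifying assumptions of this example, not a statement of the exact gateway semantics.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class PrxyRule:
    permit: bool   # True for a 'P' (permit) rule, False for a 'D' (deny) rule
    source: str    # SOURCE= pattern: which hosts may proxy through this gateway
    dest: str      # DEST= pattern: which targets those hosts may reach


def parse_prxyinfo(text):
    """Parse prxyinfo lines of the form 'P SOURCE=<pattern> DEST=<pattern>'.

    Blank lines and '#' comments are skipped; both keys are required.
    """
    rules = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        action, *fields = line.split()
        if action not in ("P", "D"):
            raise ValueError(f"line {lineno}: rule must begin with P or D")
        kv = {}
        for field in fields:
            key, sep, value = field.partition("=")
            if not sep or not value:
                raise ValueError(f"line {lineno}: expected KEY=value, got {field!r}")
            kv[key.upper()] = value
        if "SOURCE" not in kv or "DEST" not in kv:
            raise ValueError(f"line {lineno}: both SOURCE= and DEST= are required")
        rules.append(PrxyRule(action == "P", kv["SOURCE"], kv["DEST"]))
    return rules


def _match(pattern, value):
    """Assumption: a pattern is a comma-separated list of host patterns where
    '*' matches any substring and comparison is case-insensitive."""
    for alternative in pattern.split(","):
        regex = "^" + re.escape(alternative).replace(r"\*", ".*") + "$"
        if re.match(regex, value, re.IGNORECASE):
            return True
    return False


def is_proxy_allowed(rules, source, dest):
    """Evaluate rules top-down; the first rule matching both SOURCE and DEST
    decides. Assumption: no matching rule means the request is denied."""
    for rule in rules:
        if _match(rule.source, source) and _match(rule.dest, dest):
            return rule.permit
    return False


def proxy_log_entries(log_lines):
    """Keep only gateway log lines that record a prxyinfo decision
    (the two markers named in the post)."""
    markers = ("prxyinfo accepted:", "prxyinfo denied:")
    return [line for line in log_lines if any(m in line for m in markers)]


# The SAP-internal rule that applies when no custom prxyinfo ACL exists.
DEFAULT_RULES = parse_prxyinfo("P SOURCE=* DEST=*")

# Constructed ACL for the SRC -> PXY -> TGT scenario (hostnames are made up):
# only the SRC application servers may proxy, and only towards TGT.
RESTRICTED_PRXYINFO = """
# SRC application servers may reach the TGT application servers
P SOURCE=srcapp01.example.com,srcapp02.example.com DEST=tgtapp*.example.com
# everything else is explicitly denied
D SOURCE=* DEST=*
"""
RESTRICTED_RULES = parse_prxyinfo(RESTRICTED_PRXYINFO)


if __name__ == "__main__":
    for src, dst in [("srcapp01.example.com", "tgtapp01.example.com"),
                     ("other.example.net", "tgtapp01.example.com")]:
        print(f"{src} -> {dst}: default={is_proxy_allowed(DEFAULT_RULES, src, dst)}, "
              f"restricted={is_proxy_allowed(RESTRICTED_RULES, src, dst)}")
```

The contrast is the whole point of the default rule: with `P SOURCE=* DEST=*` every request is accepted, while the restrictive ACL only permits the named SRC servers towards TGT and denies the rest. Reviewing the gateway log for the two markers tells you which of the two outcomes actually occurs on a given gateway.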
