// // Escribe un comentario

Transaction SE16N vulnerability

Please restrict access to SE16N in your production systems.  If you're sufficiently paranoid, you may want to remove the transaction it completely

I've known for a while that, in some releases of SAP, transaction SE16N can be used to change SAP tables, regardless of authorisations or security settings. It's not something I've been keen to see widely disseminated, as there are major systemic risks in making changes this way. More dangerously, it provides a way to override authorisations by giving your userid (or your accomplice's userid) the SAP_ALL role.

SE16N, before entering &SAP_EDIT in the command field

Essentially, you run transaction SE16N, then type &SAP_EDIT into the command field and press enter.

SE16N, AFTER entering &SAP_EDIT in the command field

In the example below, I've changed the User Group to SUPER.

SE16N, changing User Group to SUPER

Personally, I'd recommend making the transaction unavailable (perhaps even removing it from TSTC ?) in your production system - Your firefighter userid can be given authorisation to allow the appropriate people to add it back in, if necessary.

The reason for mentioning it at all is that SAP Mental Notes and IT-Toolbox SAP on DB2 for z/OS have stated that changes using this method are permanently logged in the tables listed below:


SE16N_CD_KEY : Change Documents – Header
SE16N_CD_DATA : Change Documents – Data

This means, in theory, that you can can query these tables to audit the usage of SE16N to change data. My attitude is that it's all well and good knowing Joe Bloggs has broken your system, but I would rather not have to deal with the broken system in the first place. However, there's a bigger issue.....

When I tested this out on an ECC6 IDES system (DB2 on Windows 2003), the SE16N_CD* tables were not updated.

SE16N, ECC6 IDES, does not appear to update the SE16N_CD* tables

1 - The knowledge of this method of changing data, which is available on production systems to anyone with access to the SE16N transaction is being more widely disseminated.

2 - There appears to be at least one major platform / release that does not support audit of the method of changing data.

Martin English Active Contributor Silver: 500-1,499 points - I am a Netweaver Technical Consultant for CSC Australia, supporting the complete SAP lifecycle from pre-sales planning through to decommissioning. The opinions expressed here very rarely coincide with those of my employer, customers, or indeed any one else. This is written by me, not them.

Reblogged from Sdn.sap.com

0 comments:

Publicar un comentario

Nota Importante: los comentarios son para agradecer, comentar o sugerir cambios (o hacer preguntas) sobre el artículo de arriba.


Para otras preguntas, por favor envíe su consulta aquí, es gratis!. Su consulta no molesta, le responderemos a la brevedad