Why should I retire my SAP Oil & Gas “CALL SYSTEM” “API-C” usage?
As described in the blog article “Complete compromise of an SAP system” (Protect4S SAP Security automation), if one member of the “Operating System – Database – SAP System” trio falls, they all fall. Gaining access to “rsbdcos0” is named as a method by which operating system calls could be executed by a SAP user, but why bother when “CALL SYSTEM” is being used?
“CALL SYSTEM” can be used in a legacy SAP Oil & Gas system environment to execute external files (generally referred to as “API-C” calculations), creating the risk of an uncontrolled “bridge” from an ERP-level SAP Oil & Gas system to operating system (OS) level executables. This is of serious concern for the following reasons:
- As stated in SAP Note 23697 from 1996: “‘call system’ should not be used and is not released by SAP for customer applications.”
- The “SAP Code Vulnerability Analyzer” defines “CALL SYSTEM” usage as a serious vulnerability.
- If external executables are being used, every SAP user performing business processes involving SAP Oil & Gas bulk materials must have the “CALL SYSTEM” authorization – i.e. the ability to execute programs at the OS level as the SAP system, not as the user themselves.
- OS access is required, and files must be installed and maintained at the OS level, raising security complexity.
- OS dependency prevents migration to alternative operating systems or usage in hosted / cloud environments.
- Calculation results can be OS- and / or compiler-dependent.
- One executable represents a single historical standard.
- Obfuscation – the content of a compiled executable is not transparent.
- Many such implementations require excessive BAdI usage (custom ABAP-Code), which is difficult to control and maintain.
- Executable maintenance and management causes process complexity and errors – it has been known for “the wrong executable” to have been used in productive systems.
- No automated SAP Oil & Gas-internal validation methods are available for the results of such calculations, e.g. during lifecycle events (upgrade / CSP application / platform transferal, etc.).
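Before a migration can be planned, the “CALL SYSTEM” bridges hidden in custom BAdI code have to be inventoried. The following scanner is an added example, not QuantityWare or SAP code, and the ABAP fragment it scans is constructed (the BAdI method name and executable path are placeholders); it reports statement-level `CALL 'SYSTEM'` occurrences while ignoring comments and string literals, and handles a statement split across lines.

```python
from __future__ import annotations
import re

# Constructed ABAP fragment (not from any real system): a custom BAdI
# implementation that bridges to an OS-level "API-C" executable.
SAMPLE_ABAP = """\
METHOD zif_legacy_apic~calculate.         " hypothetical BAdI method
* Legacy API-C bridge: shell out to a compiled executable at OS level.
  DATA: lv_cmd TYPE string,
        lt_out TYPE TABLE OF string.
  lv_cmd = '/usr/sap/apic/legacy_calc'.   " placeholder path
  CALL 'SYSTEM' ID 'COMMAND' FIELD lv_cmd
                ID 'TAB'     FIELD lt_out.
* CALL 'SYSTEM' inside a full-line comment must not be reported
  MESSAGE 'CALL ''SYSTEM'' inside a literal' TYPE 'I'.
  call
    'system' id 'COMMAND' field lv_cmd.   " lower case, split across lines
ENDMETHOD.
"""

def _strip_comment(line: str) -> str:
    """Drop '*' full-line and '"' inline comments; a '"' inside a '...' or
    `...` literal is data, not a comment."""
    if line.startswith("*"):
        return ""
    out, quote = [], None
    for ch in line:
        if quote:
            if ch == quote:           # '' inside a literal closes and reopens
                quote = None
        elif ch in ("'", "`"):
            quote = ch
        elif ch == '"':
            break
        out.append(ch)
    return "".join(out)

# Tokens: '...' literals (with '' escapes), `...` templates, anything else.
_TOKEN = re.compile(r"'(?:[^']|'')*'|`[^`]*`|[^\s'`]+")

def find_call_system(source: str) -> list[tuple[int, str]]:
    """Return (line, source line) for every statement-level CALL 'SYSTEM',
    skipping comments and literals; the statement may span lines."""
    lines = source.splitlines()
    tokens = [(no, t) for no, raw in enumerate(lines, start=1)
              for t in _TOKEN.findall(_strip_comment(raw))]
    return [(no, lines[no - 1].strip())
            for (no, kw), (_, arg) in zip(tokens, tokens[1:])
            if kw.upper() == "CALL" and arg.upper() == "'SYSTEM'"]
```

Run it over exported custom source (e.g. all Z/Y objects and BAdI implementations); each hit is one OS-level dependency that the migration to ERP-internal calculations must remove.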
For all the above reasons, we urge SAP Oil & Gas system owners to migrate from OS-level dependent calculations to ERP-internal calculations, using our BCP product as described here: https://www.quantityware.com/wp-content/uploads/BCP_3.0_Legacy_Implementation_Migration_and_Validation_Manual.pdf
As described in the “QuantityWare Security Bulletin – Cyberattack Risks for Oil and Gas Companies”, a comprehensive solution is required to meet modern GRC expectations and security requirements around SAP Oil & Gas systems.