Information disclosure

Information disclosure is a potential security risk. Most IT software has a way to show the exact software version. This detailed information can be useful for an end user submitting an incident. Or for an administrator to know if certain patching is needed for an IT system.

But the detailed version information can also be used by a hacker to know if the system is vulnerable for some known attacks (and the system is not yet patches with the fix).

Hence for IT systems one should be careful and conscious about showing detailed version information: this is called information disclosure.

Known information disclosure items

ABAP System / Status

In ABAP stack, you can reduce the information in System/Status via authorizations. See OSS note 2658772 – System -> Status: Restriction of the available information.

Web administration interface

The web administration interface is a very known one. How to solve, read this blog.

Information disclosure security notes

Every month SAP release security notes (see blog). For the SAP systems that are internet facing (like portals, Netweaver Gateways, PI systems), check and apply the information disclosure notes as soon as possible. For the other systems, apply them at your normal security cycle speed.

Information disclosure of SAP Web Administration Interface

Despite the fact that this is a know issue, in many cases still it is seen that the SAP web administration interface is still set to fully public. This way an attacker can still retrieve vital release information.

You should check this carefully, also for newer system installations, this might be not ok.

Questions that will be answered in this blog are:

  • What is the web administration interface?
  • Why is it dangerous to have this public?
  • How to close the gap and make the web administration interface shielded again?

What is the web administration interface?

The web administration interface can be started on your netweaver system by using a browser and keying in <host:port>/sap/admin/public/index.html:

Here you can see the status and also the version information:

If you keyed in the URL and you got a password prompt like this:

If you did not get it, that means this page is still public.

Why is this public release information dangerous?

This page is present in ABAP, JAVA stacks and webdispatcher. Portals and Netweaver gateway systems are often exposed to external world for partners, customers and suppliers. If you did not do a good job on security with reverse proxies and the SAP systems themselves, this page is available on internet. Hackers scan for it, get the release information and know if you are vulnerable or not.

Dangerous? Yes, very. See the last very high Hotnews security note on ICMAD:

How to solve the issue?

The solution is described in OSS note 2260323 – Internet Communication Manager (ICM) 7.20 security settings and more specifically in OSS note 2258786 – Potential information disclosure relating to SAP Web Administration Interface.

The solution is to set the sub parameter ALLOWPUB (it is a sub parameter of icm/HTTP/admin) to NO. See screen shot on how to see the sub parameters:

Checking if it is done properly is simple: start the page again and see that it disabled: