As we were reviewing the list of SAP Security Notes from June we had a closer look at note 1844202 and would like to alert our visitors about the importance and risk of this vulnerability. At first, we did not realize the potential danger until we played around with it.
Please review and implement SAP Security Note 1844202 without delay, as it addresses an important flaw within SUIM, in particular in report RSUSR002. Didn’t we tell you not to hard-code any user names? Well, this report contains a piece of code that reads:
DELETE userlist WHERE bname = '…………'
which has some interesting consequences: a user ID with exactly this user name is excluded from the SUIM reports. Anyone with access to SU01 could therefore create such a user ID, assign SAP_ALL / SAP_NEW to it, and remain undetected by the standard user audit.
Below is a scenario. Let’s create such a user ID with SU01 (the user ID is '…………'):
When you run RSUSR002 for all users with SAP_ALL, that user we just created doesn’t show up:
Now, let’s find the ABAP code responsible for this. You can run report RPR_ABAP_SOURCE_SCAN and search for the string '…………'.
Voila! Here it is: DELETE userlist WHERE bname = '…………'
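The same flaw modelled in Python, next to a reconciliation check an auditor can run independently of the report (an added example, not SAP’s code or this post’s; the table rows and the hard-coded name are constructed placeholders, not the real value):

```python
# Added example: models the RSUSR002 flaw and a defender's cross-check.
# USR02/UST04 rows are constructed sample data; HARDCODED_EXCLUSION is a
# placeholder and is NOT the user name from the real report.
HARDCODED_EXCLUSION = "PLACEHOLDER.USER"  # assumption / placeholder

# Constructed sample of USR02 (user master) and UST04 (profile assignments).
USR02 = [{"bname": "ADMIN01"}, {"bname": "JDOE"}, {"bname": "PLACEHOLDER.USER"}]
UST04 = [
    {"bname": "ADMIN01", "profile": "SAP_ALL"},
    {"bname": "JDOE", "profile": "S_A.USER"},
    {"bname": "PLACEHOLDER.USER", "profile": "SAP_ALL"},
]


def users_with_profile(profile):
    """Independent lookup straight from the profile-assignment table."""
    return {row["bname"] for row in UST04 if row["profile"] == profile}


def rsusr002_vulnerable(profile):
    """Flawed report: builds the user list, then silently drops one
    hard-coded user name (the 'DELETE userlist WHERE bname = ...' step)."""
    holders = users_with_profile(profile)
    userlist = [row["bname"] for row in USR02 if row["bname"] in holders]
    userlist = [u for u in userlist if u != HARDCODED_EXCLUSION]  # the flaw
    return set(userlist)


def rsusr002_fixed(profile):
    """Same report without the hard-coded exclusion."""
    holders = users_with_profile(profile)
    return {row["bname"] for row in USR02 if row["bname"] in holders}


def hidden_users(report, profile):
    """Reconciliation: anyone holding the profile in UST04 but absent from
    the report output has been hidden from the audit."""
    return users_with_profile(profile) - report(profile)


if __name__ == "__main__":
    print("vulnerable report:", sorted(rsusr002_vulnerable("SAP_ALL")))
    print("hidden from it:   ", sorted(hidden_users(rsusr002_vulnerable, "SAP_ALL")))
    print("fixed report:     ", sorted(rsusr002_fixed("SAP_ALL")))
```

On a real system the same check is a comparison of the SAP_ALL holders listed in UST04 (or SE16 on USR02/UST04) against the RSUSR002 output; any difference is a user the report is not showing you.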
Related notes: 694250 "SUIM|RSUSR002: Negative multiple selection for profiles" (where the issue was introduced) and 1731549 "Restricting the character repertoire for user names".