Currently Being Moderated
Martin English

Transaction SE16N vulnerability

Posted by Martin English in Security on Oct 9, 2009 5:41:56 AM

Please restrict access to SE16N in your production systems.  If you're sufficiently paranoid, you may want to remove the transaction it completely

I've known for a while that, in some releases of SAP, transaction SE16N can be used to change SAP tables, regardless of authorisations or security settings.  It's not something I've been keen to see widely disseminated, as there are major systemic risks in making changes this way.  More dangerously, it provides a way to override authorisations by giving your userid (or your accomplice's userid) the SAP_ALL  role. 

SE16N, before entering &SAP_EDIT in the command field


Essentially, you run transaction SE16N, then type &SAP_EDIT into the command field and press enter.

SE16N, AFTER entering &SAP_EDIT in the command field


In the example below, I've changed the User Group to SUPER.

SE16N, changing User Group to SUPER


Personally, I'd recommend making the transaction unavailable (perhaps even removing it from TSTC ?) in your production system - Your firefighter userid can be given authorisation to allow the appropriate people to add it back in, if necessary.

The reason for mentioning it at all is that SAP Mental Notes and IT-Toolbox SAP on DB2 for z/OS have stated that changes using this method are permanently logged in the tables listed below:
SE16N_CD_KEY : Change Documents – Header
SE16N_CD_DATA : Change Documents – Data

This means, in theory, that you can can query these tables to audit the usage of SE16N to change data. My attitude is that it's all well and good knowing Joe Bloggs has broken your system, but I would rather not have to deal with the broken system in the first place.  However, there's a bigger issue.....

When I tested this out on an ECC6 IDES system (DB2 on Windows 2003), the SE16N_CD* tables were not updated.

SE16N, ECC6 IDES, does not appear to update the SE16N_CD* tables


1 - The knowledge of this method of changing data, which is available on production systems to anyone with access to the SE16N transaction is being more widely disseminated.

2 - There appears to be at least one major platform / release that does not support audit of the method of changing data.



Filter Blog

By author:
By date:
By tag: