Topics:

1. Introduction
2. Security Contact
3. Update Kernel according to notes 1785761 and 1800603
4. Mitigation, workaround, best-practice for Kernel update
5. RFC Security in general
6. Message Server security in general

1. Introduction

SAP published two HotNews security notes about the kernel in February 2013.

Note 1785761 - Missing authorization check in RFC

https://service.sap.com/sap/support/notes/1785761

CVSS Base Score: 9.0
CVSS Base Vector: AV:N/AC:L/AU:S/C:C/I:C/A:C

Note 1800603 - Potential remote code execution in Message Server

https://service.sap.com/sap/support/notes/1800603

CVSS Base Score: 10.0
CVSS Base Vector: AV:N/AC:L/AU:N/C:C/I:C/A:C

This documentations shows best-practices about preparing and implementing the corrections.

Stay tuned to receives updates as we are going to extend this document from time to time. 

2. Security Contact

Please register yourself as security contact for your organization in the SAP Service Marketplace database.

https://service.sap.com/securitycontacts

As such SAP knows that you are a dedicated contact for security-related news and you will receive Ad-hoc SAP Product Security Notifications. Those are send out for very important security-related news.

There are two ways of registering yourself as security contact:

• You can contact the SAP Super Administrator of your company and request to get the required authorizations to become a security contact.
  http://service.sap.com/myprofile -> Display my Super and User Administrators
• You can create a Customer Message in the XX-SER-SAPSMP-USR component requesting further help.
  https://service.sap.com/message

SAP Super Administrators can remove their security contact role once they nominate another user as security contact.

3. Summary: Update Kernel according to notes 1785761 and 1800603

You can cover both notes by upgrading the Kernel (disp+work and msg_server) at least to following patch levels:

SAP KERNEL 7.20  patch 402
SAP KERNEL 7.21  patch 42
SAP KERNEL 7.38  patch 7
SAP KERNEL 8.04  patch 27

Keep in mind that both system types, ABAP and Java, contain a message server and are therefore affected.

If you are still running a kernel or message server on release 7.00, 7.01, 7.10, or 7.11 SAP strongly recommend to upgrade the kernel to release 7.20.  Note 1636252 describes how to install the downward-compatible kernel:

Note 1636252 Installing a 7.20 kernel in SAP Web AS 7.00/7.01/7.10/7.11

https://service.sap.com/sap/support/notes/1636252

Older release up and including 6.40 are not affected by the issue.

4. Details: Information, mitigation, workaround, best-practice for Kernel update

a) Note 1800603 BC-CST-MS - Potential remote code execution in Message Server

SAP treats this vulnerability as very critical (CVSS Base Score = 10, Priority = HotNews) mainly because of the following:

• An exploit (in form of a proof-of-concept) is published on the internet:
  http://www.coresecurity.com/content/SAP-netweaver-msg-srv-multiple-vulnerabilities
• An attacker does not need any authentication (see CVSS Base Vector of the note) and can misuse the vulnerability just if  network access is available. 

To solve the issue it is sufficient to update the message server file msg_server.exe (Windows) respective msg_server (others) !

Keep in mind that both system types, ABAP and Java, contain a message server and are therefore affected.

It does not matter which path (via ABAP or via Java) you follow on the Service Marketplace (http://service.sap.com/swdc) to find the patch file SAPEXE.SAR containing the message server. Just check to get the right version (for release 7.20: patch >= 402).

Here is the direct link for ABAP:

-> … ->

SAPEXE_402-10007259.SAR Kernel Part I (for Basis 720/702) 

The info file shows the note:

[...]
( 0.401) VMC: check shared GC number during cloning (note 1793845)
( 0.401) ALV Gridview: signal 8, division by zero (note 1807939)
( 0.402) Potential remote code execution in Message Server (note 1800603)
( 0.402) Rolling Kernel Switch: endless loop in message server (note 1810932)
[...]

You can use the message server from 7.20 for a system with a kernel running on 7.00, 7.01, 7.10, or 7.11, however, although this will work from a technical point of view it is not officially supported by SAP.

If you just update the message server keeping the main part of the kernel, the EarlyWatch Alert / RSECNOTE will keep on showing an alert for ABAP systems concerning note 1800603. Unfortunately the EarlyWatch Alert / RSECNOTE can only check the patch of the main part of the kernel (disp+work) but not the patch of the message server (msg_server). The tool simply assumes, that both parts are on the same level. Therefore we suggest that after verifying the patch of the message server you can set the recommendation within RSECNOTE manually to green. This manual setting is used by the EarlyWatch Alert later on.

Show patch level of main part of Kernel (disp+work):
Transaction SM51 -> Goto -> Server Name -> Information -> Release Notes

Another option is to execute disp+work.exe -v on operation system level (or in report RSBDCOS0).

Show patch level of Message Server (msg_server):
Transaction SMMS -> -> Goto -> Release Notes

Another options are to submit report RSMONREL_ALV or to execute msg_server.exe -v on operation system level (or in report RSBDCOS0).

Show patch level of Gateway (not relevant here, just to be complete):
Transaction SMGW -> Goto -> Release Notes

b) Note 1785761 BC-MID-RFC - Missing authorization check in RFC

SAP treats this vulnerability as very critical (CVSS Base Score = 9, Priority = HotNews) mainly because of the following:

• Usually many or most of all employees of a company have network access and user accounts to connect to business systems because of employee self-services
• Without a strong authorization concept concerning remote access via RFC, potential attackers have many options to prepare an attack

A system is only affected if the ABAP software component SAP_BASIS has release 7.00 or 7.01 and  the kernel (disp+work) runs on 7.20 or 7.21.

There is no workaround: To solve the issue you have to update the kernel.

The correction restores the normal authorization check for remote access based on authorization object S_RFC.

The note is mainly important if you have implemented a strong authorization concept concerning S_RFC – which is strongly recommended by SAP.

On the other hand: If you have been lazy concerning S_RFC in the past, e.g. if all or most employees have full access anyway (S_RFC with FUGR=*), that you first should do your homework on the authorization concept.

SAP recommends careful testing of RFC scenarios because the following could have happened: Let’s assume you are using the affected combination of ABAP and kernel for while now. If you have implemented new RFC scenarios in the meantime, this could mean that you don’t have provided proper authorizations for S_RFC without noticing it. With the upgrade of the kernel these remote scenarios could fail.

You find more information about RFC security in the next chapter including tips and tricks how to use the workload statistics to analyze RFC calls before (to validate the authorizations for S_RFC) and after the upgrade of the kernel.

5. RFC Security in general

Remote access via RFC is controlled by authorization object S_RFC on the server side and by authorization object S_ICF on the client side (if this is an ABAP system).

In addition to the normal usage of stored credentials (userid and password) you can use Trusted RFC to get rid of the stored password in some scenarios. Trusted RFC is controlled by authorization object S_RFCACL on the server side.

You can encrypt the communication channel using Secure Network Communication (SNC).

Using Transaction SUIM you can search users (report RSUSR002), roles (report RSUSR070), or profiles (report RSUSR020) having full authorizations concerning authorization object S_RFC.

Enter S_RFC for field "Authorization Object" and use the value #* (which represents authorization field value *) for field "RFC_NAME". Dont use wrong values like * or '*' or #**.
Tipp: If you don't get a result this way you should look out for correction notes about RSUSR002, e.g. note 1654478.

Here is a collection of useful blogs and presentation about securing RFC:

Online help: Creating an Authorization Concept for RFC

http://help.sap.com/saphelp_nw73/helpdata/en/48/8d1a3cae444e6ee10000000a421937/frameset.htm

Online help: Authorization Object S_RFC

http://help.sap.com/saphelp_nw70ehp3/helpdata/en/48/8d1bd1ae444e6ee10000000a421937/frameset.htm

Online help: Authorization Object S_ICF - Controlling Access to RFC Destinations

http://help.sap.com/saphelp_nw70ehp3/helpdata/en/48/9668140eec3987e10000000a421937/frameset.htm

Online help: Authorization Object S_RFCACL

http://help.sap.com/saphelp_nw70ehp3/helpdata/en/48/8d1c6eae444e6ee10000000a421937/frameset.htm

Blog: Securing RFC Connections (2004)

http://scn.sap.com/docs/DOC-17089

Blog: How to get RFC call traces to build authorizations for S_RFC for free!

http://scn.sap.com/community/security/blog/2010/12/05/how-to-get-rfc-call-traces-to-build-authorizations-for-srfc-for-free

This Blog references to the report ZRFC_STATRECS_SUMMARY which can be used to analyze RFC connections and RFC authorizations.

http://wiki.sdn.sap.com/wiki/display/Snippets/Show+RFC+Workload+Statistic+to+build+authorizations+for+authorization+object+S_RFC

Presentation from Teched 2012: SIS264 Securing Remote Access within SAP NetWeaver AS ABAP including SNC and SSL

https://service.sap.com/~sapdownload/002007974700000084412013E/

6. Message Server security in general

In addition to the security vulnerability solved by note 1800603 we like to point your attention to the security configuration options of the message servers.

The message server is used for two distinct scenarios:

• clients logon to application servers via the message server
• application servers register themselves at the message server 

To prevent unwanted clients pretending to the message server to be application servers, you can use parameter rdisp/msserv_internal as described in note 1421005.

Note 1421005 Secure configuration of the message server

https://service.sap.com/sap/support/notes/1421005

Online help: Monitoring and Administration of the SAP Message Server

http://help.sap.com/saphelp_nw70ehp3/helpdata/en/47/c2e77bb8fd3020e10000000a42189d/frameset.htm

Online help: Security Settings for the SAP Message Server

http://help.sap.com/saphelp_nw70ehp3/helpdata/en/47/c56a6938fb2d65e10000000a42189c/frameset.htm

Mit freundlichen Grüßen / Kind regards
Frank Buchholz
Active Global Support - Security Services
mailto:securitycheck@sap.com

Security Optimization Service
https://service.sap.com/sos
Security Patch Process FAQ
https://scn.sap.com/community/security/blog/2012/03/27/security-patch-process-faq
Security Notes
https://service.sap.com/securitynotes
System Recommendations for Security Notes
https://service.sap.com/sysrec
Configuration Validation
http://wiki.sdn.sap.com/wiki/display/TechOps/ConfVal_Home

Community / Forum / Blogs @ SCN
Security
http://scn.sap.com/community/security
Identity Management
http://scn.sap.com/community/netweaver-idm
Governance, Risk, and Compliance
http://scn.sap.com/community/grc

1. Where do I find SAP Security Notes?

See https://service.sap.com/securitynotes

You can find another FAQ showing additional aspects on security notes there, too.

This page shows security notes published by SAP. To find security notes about other components like the operation system, network or the database you should scan other sources like NIST, too.

2. Where do I find an overview about security services including the management of security notes?

See https://service.sap.com/sos -> Media Library -> AGS Security Services

You can view the documents "Arbeitspapier SAP Security Patch Day" (German) or "Working Paper SAP Security Patch Day" (English), too.

3. Where do I find information about the application “System Recommendations”?

See https://service.sap.com/sysrec

4. Where do I find information about the application “Configuration Validation”? 

See http://wiki.sdn.sap.com/wiki/display/TechOps/ConfVal_Home

5. There are so many security notes which are relevant for my systems. How should I start implementing them?

In case of ABAP based system start with the selected notes which are checked by the EarlyWatch Alert and shown by the tool RSECNOTE (do not distinguish between the priorities red= HotNews and yellow=others). Continue with the very high and high priority notes shown by the application “System Recommendations”.

In case of non-ABAP systems use the application “System Recommendations” to find required security notes.

6. What is the difference between the various lists of security notes?

All security notes are published on the Service Marketplace. Different applications show different selections of security notes.

• The complete list of all SAP security notes is shown on the page /securitynotes -> Security Notes Search in the Service Marketplace
• The page /securitynotes -> my Security Notes in the Service Marketplace shows notes according to the defined filter. We recommend to use this option only if your systems are registered in the Service Marketplace to get an automatic filter. The filter does not consider if a note is already applied in the system.
• The application System Recommendations in the SAP Solution Managers shows these security notes which are relevant for a given system according to the installed software components, release, support package and patch level and if the note if already installed using the ABAP Note Assistant.
• The EarlyWatch Alert report and the corresponding tool RSECNOTE show selected strong recommendations from Active Global Support concerning security HotNews and other important notes which are relevant for a given system

7. There are quite different security notes. How should I start classify them to optimize the implementation process?

We suggest that you classify the notes into following groups each building a separate work list for implementing security notes. Do not forget the 4^th group.

1. Implementation as part of a monthly standard patch process
   e.g. for ABAP Correction Instructions or ABAP software-like manual corrections
2. Implementation as part of a project
   e.g. for notes about other components or other manual instructions
3. Implementation as part of maintenance activities
   e.g. Support Package upgrade, Kernel upgrade, Java upgrade
4. Implementation after maintenance activities
   e.g. manual instructions which require a Support Package upgrade or Kernel upgrade as a prerequisite

8. What are the main steps which should be covered by a monthly security patch process?

We suggest to run following steps as part of a monthly security patch process:

• At the end of the SAP Security Parch Day you can inspect the updated list of Security Notes on the page /securitynotes in the Service Marketplace. Here you see the complete list of all Security Notes.
• Use the application System Recommendations to check which of the Security Notes are relevant for the various systems of your system landscape. (Usually you have scheduled the check as a background job, therefore you check the results e.g. on Wednesday.) You can create change requests directly from that tool.
• The EarlyWatch Alert report and the corresponding tool RSECNOTE show strong recommendations from Active Global Support concerning HotNews and other important notes which are relevant for a given system. Usually you create and check these reports at the beginning of the next week.
• Whichever source of information you use (we propose to use all of them), you will run a Risk Assessment concerning the criticality of the Security Note as well as concerning the risk of applying a  change which might touch productively used business processes. As a result you decide which Security Notes should be applied as part of a monthly patch cycle and which will be part of the next maintenance cycle.
• Using the application Configuration Validation you can create a report which checks which systems comply with your security policy. Therefore you add all notes which should be installed into the target system definition of the Configuration Validation.
• Within the current month you apply the selected Security Notes and you run regression tests (if necessary) to ensure productively used business processes are working properly.
• As part of the next maintenance cycle you will update the Kernel, apply Java Patches and ABAP Support Packages. As part of this update you will get the corrections of the Security Notes, too. However, some of the Security Notes describe configuration changes which you can apply now as well. While working on the update it might be the case that you will get new Security Notes from newer Patch Days. You should include these if possible. Finally you run a complete test of your business processes.

9. I’m responsible for many ABAP based systems. How can I create a cross-system report on the results of the EarlyWatch Alert check shown by the tool RSECNOTE?

There are several options to produce a cross-system report:

• Schedule RSECNOTE as a background job sending the result via email to a central mailbox. See https://service.sap.com/sos -> Media Library -> RSECNOTE: How to send results using mail
• Use the code-exchange report ZSECNOTE_CENTRAL to produce a cross-system report. This reports calls RSECNOTE via RFC in several systems, and shows the collected results on a list. You can download selected notes into the local system and you can trigger the implementation via transaction SNOTE. You can navigate to SNOTE for remote systems as well.   
  See https://cw.sdn.sap.com/cw/groups/cross-system-check-for-security-notes
• The application Configuration Validation in the SAP Solution Manager offers cross-system views on missing Security Notes, too. One of the predefined reports use the recommendations from RSECNOTE to view missing notes.

10. I’m responsible for many systems (ABAP and non-ABAP). How can I create a cross-system report on the results of the application System Recommendation?

There are several options to produce a cross-system report:

• Export the list shown by the application System Recommendations to Excel and combine the results from different systems
• Use the code-exchange report ZSYSREC_NOTELIST to produce a cross-system report. This reports simply shows the already existing results of System Recommendations on a list.
  See https://cw.sdn.sap.com/cw/groups/cross-system-check-for-security-notes
• As of SAP Solution Manager 7.10 SP 3 you can use the built-in BW reporting capabilities of the application System Recommendations

11. Do I have to implement security notes for all components which are installed in a system even if I do not use any function from a component, e.g. FI notes in an HR system?

Yes, if a software component exist in a system than it has to be fixed even if you do not use the function. The reason for this is simple: An attacker might be able to misuse the security vulnerability. Well, in case of unused components you can implement the note using reduced tests as you only need to test productively used business processes.

There exist an exception: Often you cannot implement notes for switched components like industry add-ons if the switch is not active. Omit such notes it they fail in transaction SNOTE. Usually you find a hint in the note describing that a switched component gets patched. Here's the list of software components having candidates of such notes:

ECC-DIMP

FI-CA

FI-CAX

INSURANCE

IS-CWM

IS-H

IS-M

IS-OIL

IS-PS-CA

IS-UT 

12. How to test the implementation of security notes?

You do not need to test if the security vulnerability is solved – this is the task of SAP – however, you should test if your productively used business processes are still working. Here are some (insufficient) tips:

• Some notes describe that obsolete but critical functions get deactivated. In such a case you can implement the correction directly
• Some notes describe corrections about authorization checks. Have a close look to the correction instruction to identify the authorization object to decide if you have to run tests for users who should have or not should have authorizations for this authorization object.
• Have a close look to the correction instruction to identify the report, program, function etc. which gets touched by the correction.   
• As of SAP Solution Manager 7.10 SP 5 you can use the integration between the application System Recommendations and the Bussiness Process Change Analyzer (BPCA) to identify business process steps which might be affected by a note.

13. How to find prerequisite notes which will be implemented prior to the implementation of a ABAP security note?

You have to start the process of implementing a note using the SAP Note Assistant to get detailed information about prerequisite notes. Have a close look to these prerequisite notes to find additional manual correction instructions which are mandatory.

14. What should I do if I run into trouble while implementing a security note?

Please create a support ticket on the component of the note.

15. Can I use the same transport containing security note corrections for all systems?

No, you have to implement every security note independently in every DEV-TST-PRD transport landscape.

16. Can I automatically implement security notes using the application System Recommendation? Is there any remote-implementation function within System Recommendations?

No, you have to implement every security note manually in every DEV-TST-PRD transport landscape. If you are responsible for many DEV systems than you have to implement notes several times.

As of SolMan 7.1 SP 5 you can ease the first step of the implementation, as it's now possible to select notes in System Recommendations and download them automatically into the Note Assisant of a DEV system.

17. The security note forces me to modify repository objects manually (dictionary object, programs, messages, etc.) but this requires developer skills, a registration key and produces some trouble during the next support package upgrade. What should I do?

[I’ve no good answer yet. At least I always would omit the modification of messages - than you would get just the message number but not a text, however, I believe that's better than modifying repository objects.]

18. The page SMP at /securitynotes and the application System recommendations show a different (earlier) date for notes that the report RSECNOTE. What is the meaning of these different dates?

• On the SMP at /securitynotes and within the application System Recommendations you see the date "Published as Security Note". This is the date since when you can see and use the note.
• RSECNOTE shows a different date showing the month and year of "Published by RSECNOTE". This is the month during which the note was added to the EarlyWatch Alert and RSECNOTE check. You see that this is sometimes the same month like the date when the note was published on the SMP, but for some notes it is much later. It seems that RSECNOTE is 'lazy' sometimes ...

19. Do I need special handling of "Update Security Notes"?

Update notes describe or contain extensions or corrections on original notes. Depending on the type of the note you can optimize the handling of these notes - especially if you are using the tool RSECNOTE or the application System Recommendations as these tools automatically consider changed original notes:

• If the update note describes that an original note was extended or updated you can ignore the update note as the tool RSECNOTE or the application System Recommendations will show the original note again.
  Usually such update notes are marked as "SP independant" in the application System Recommendations. Switch to the software component view to see this classification.
• If the update note contains the extension or correction, well, than you can treat such an update note as any other note: implement it according to your security patch policy. RSECNOTE will show the note if it's relevant for the system (and if the note is part of the EarlyWatch Alert check at all). System Recommendations will show the note as "SP specific" if it's relevant for the system.

20. Do I need special handling to find security related SAP notes concerning the database (or other areas which are not directly related to ABAP or Java)?

Let's have a look to an example: If you search at https://service.sap.com/notes for notes containing the term "CVE" within the application component BC-DB-ORA, than you'll find some security related notes for the database (1753297, 1714255, 1714667) which are not SAP Security Notes listed at https://service.sap.com/securitynotes. Using the search term "security" you find more notes, e.g. 1710997, 157499, showing important information about security aspects of the database. Therefore you should keep on looking at https://service.sap.com/notes and you should not forget to scan other sources like NIST to find security notes about the the operating system, network components or the database etc.

21. How do I use the Note Assistant, transaction SNOTE, efficently?

Preparation:

Get the latest version of the Note Assistant (see http://service.sap.com/note-assistant ) and watch out for correction notes about the Note Assistant which belong to the application component BC-UPG-NA.

Tipp:You can use the application System Recommendations to search for correction notes of this component as well.

1. Step: Create Worklist

a) If you go the selected list of notes checked in the EarlyWatch Alert:
Submit report RSECNOTE (via transaction SA38 or ST13)
Collaps the list using the small box left of the text 'Missing recommendations'
Copy the note numbers using Ctrl+Y / Ctrl+C

b) If you go for all relevant notes:
Use the application System Recommendations to produce the worklist, e.g. using the user-status filter and the export-to-Excel feature. Finally put a list of notes into the clipboard.

2. Step: Download Notes

Call transaction SNOTE -> Download SAP Note (Ctrl+F8) or submit report SCWN_NOTE_DOWNLOAD
→ Multiple Selection
→ Upload from Clipboard (Shift+F12)
Go back and start the download

3. Step: Install Notes

Call transaction SNOTE -> SAP Note Browser (Ctrl+F9) or submit report SCWN_NOTE_BROWSER
→ Multiple Selection
→ Upload from Clipboard (Shift+F12)
Go back and save the selection as a report variant
Start the implementation

You know the Secure Programming Guidelines but you want to do more?

Well, here are my top priority security recommendations for developing secure ABAP applications:

New database tables

Assign a table authorization groupwhich enables the authorization check for the authorization object S_TABU_DIS within transaktions like SE16 or SM30.
You can use the report RDDPRCHK (or RDDTDDAT_BCE) to analyze the settings.
Use transaction SM30 for view V_BRG_54 to maintain authorization groups respective view V_DDAT_54 to maintain authorization group assignments.

Maintain authorization groups
http://help.sap.com/saphelp_nw70/helpdata/en/a7/5134d2407a11d1893b0000e8323c4f/frameset.htm

Maintain authorization group assignments
http://help.sap.com/saphelp_nw70/helpdata/en/a7/5134df407a11d1893b0000e8323c4f/frameset.htm

Set the maintenance flag which controls SE16 and SM30 correctly

Data Browser/Table View Maintenance
http://help.sap.com/saphelp_nw70/helpdata/en/a6/03883acb00d768e10000000a114084/content.htm

Activate table logging for customizing table or create a change document object for master data. You can use the report RDDPRCHK (or RDDTDDAT_BCE) to analyze the settings. Check the settings of profile parameter rec/client and the tp parameter RECCLIENT, too.

Activate/Deactivate Table Change Logging 
http://help.sap.com/saphelp_nw70/helpdata/en/7e/c81ebb52c511d182c50000e829fbfe/frameset.htm

Note 1916 Logging table changes in R/3 
https://service.sap.com/sap/support/notes/1916 | https://service.sap.com/sap/support/notes/1916

Note 84052 R3trans: Table logging
https://service.sap.com/sap/support/notes/84052 | https://service.sap.com/sap/support/notes/84052

Create specialized SM30 maintenance views instead of offering maintenance using SE16 and add additional authorization checks if required.

Create a Maintenance Dialog
http://help.sap.com/saphelp_nw70/helpdata/en/a1/e4521aa2f511d1a5630000e82deaaa/frameset.htm

Event 25: At the Start of the Maintenance Dialog
http://help.sap.com/saphelp_nw70/helpdata/en/c2/703037301f327ae10000009b38f839/frameset.htm

New transactions

If the transaction is a report transaction and you have decided that the authorization check for the transaction is important: Check the authorization again using function AUTHORITY_CHECK_TCODE within the code of the report.

New Web UI

See Secure Programming Guide chapter “Secure User Interface”
http://help.sap.com/saphelp_nw70/helpdata/en/58/4d767ed850443c891ad27208789f56/frameset.htm

Critical ABAP statements

Have a close look at critical ABAP statements. You can use the Code Inspector, transaction SCI, to search for such statements in custom code.

INSERT REPORT / GENERATE SUBROUTINE POOL
These statements allow to create arbitrary code. Avoid anything which would enable users to inject ABAP code.

INSERT REPORT
http://help.sap.com/abapdocu_70/en/ABAPINSERT_REPORT.htm

GENERATE SUBROUTINE POOL
http://help.sap.com/abapdocu_70/en/ABAPGENERATE_SUBROUTINE_POOL.htm

CALL TRANSACTION
The statement CALL TRANSACTION does not check the authorization of the current user to execute the called transaction automatically. To do this, either the calling (preferred) or the called program must call function module AUTHORITY_CHECK_TCODE. You can replace CALL TRANSACTION by calling function ABAP4_CALL_TRANSACTION, too. This function executes all neccessary authorization checks.

CALL TRANSACTION
http://help.sap.com/abapdocu_70/en/ABAPCALL_TRANSACTION.htm

CALL 'SYSTEM'
This statement sends operation system commands to the application server which are then executed by the powerfull user

CALL SYSTEM
http://help.sap.com/abapdocu_70/en/ABAPCALL-.htm

Generic functionality

Avoid developing generic functionality which enables the user to choose any target table, file, report or transaction. Have a close look to these statements:

• Generic access to tables using SELECT … FROM (variable)
  http://help.sap.com/abapdocu_70/en/ABAPFROM_CLAUSE.htm
• Generic access to files using OPEN DATASET variable
  http://help.sap.com/abapdocu_70/en/ABAPOPEN_DATASET.htm
• Generic execution of reports using SUBMIT (variable)
  http://help.sap.com/abapdocu_70/en/ABAPSUBMIT.htm
• Generic execution of transactions using CALL TRANSACTION variable
  http://help.sap.com/abapdocu_70/en/ABAPCALL_TRANSACTION.htm