Search QuantityWare

Why should I retire my SAP Oil, Gas and Energy “CALL SYSTEM” “API-C” usage?

As described in the blog article “Complete compromise of an SAP system” (SecurityBridge Group 2024), if one member of the “Operating System – Database – SAP System” trio falls, they all fall.
Gaining access to “rsbdcos0” is named as a method by which operating system calls could be executed by a SAP user, but why bother when “CALL SYSTEM” is being used?
“CALL SYSTEM” can be used in a legacy SAP Oil, Gas, and Energy (SAP OG&E) system environment to execute external files (generally referred to as “API-C” calculations) creating risk of an uncontrolled “bridge” within an ERP-level SAP OG&E system to trigger operating system (OS) – level executable files. This is of serious concern for the following reasons:

  • As defined in the SAP Note 23697 from 1996, ““call system” should not be used and is not released by SAP for customer applications
  • The “SAP Code Vulnerability Analyzer” defines “CALL SYSTEM” usage as a serious vulnerability
  • If external executables are being used, every SAP user performing business processes involving SAP OG&E bulk materials, must have the “CALL SYSTEM” authorization – i.e. the ability to execute programs at the OS level as the SAP system – not the user themselves
  • OS access is required and files must be installed and maintained at the OS-level raising security complexity
  • OS dependency prevents migration to alternative operating systems or usage in hosted / cloud environments
  • Calculation results can be OS- and / or compiler-dependent
  • One executable represents a single historical standard
  • Obfuscation – the content of a compiled executable is not transparent
  • Many such implementations require excessive BAdI usage (custom ABAP-code), which is difficult to control and maintain
  • Executable maintenance and management causes process complexity and error – it has been known for “the wrong executable” to have been used in productive systems
  • No automated SAP OG&E-internal validation methods are available for the results of such calculations, e.g. during lifecycle events (upgrade / CSP application / platform transferal, etc.)

For all the above reasons, we urge SAP Oil, Gas, and Energy system owners to migrate from operating-system-level dependent calculations to ERP-internal calculations, using our BCP product as described in our Legacy Implementation Manual.

As described in the “QuantityWare Security Bulletin – Cyberattack Risks for Oil and Gas Companies”, a comprehensive solution is required to meet modern GRC expectations and security requirements around SAP Oil, Gas and Energy systems.

Categories: BCS General FAQs | BCS Security & GRC FAQs

Back to FAQs

Search FAQ