About the TMSADM user
TMSADM is a system user created on all ABAP systems in client 000 when Transport Management System (TMS) is configured. The TMSADM user is used for transfers through the transport system. It is created automatically upon configuration of Transport Management System (TMS) via the 000 client. TMSADM is a system user with authorizations limited to a certain display and TMS configuration activities. TMSADM has display authorizations for the following:
- system properties
- transport configuration
- transport logs and data files (content of transport requests)
- import queues
TMSADM is a communication user because it is used for the distribution of transport configuration changes to systems of the current transport domain. In other words, user TMSADM enables you to distribute the basic configuration to all SAP systems in the domain on the domain controller and to display the import queue. The default profile for the user is S.A_TMSADM which enables to utilize RFC-functions within the GUI and to write to a file system. You must never extend this profile or add a profile or role of your own to the user.
As other default users, TMSADM has a default password.
Understanding the risk of TMSADM Default Password
As noted in the previous paragraph, the default password of the TMSADM user is well known and can thus easily be guessed. After correctly guessing the password, an adversary may remotely start RFC requests to perform critical actions such as deleting and reading files (EPS_DELETE_FILE, EPS_OPEN_FILE2) or may execute arbitrary ABAP code through the RFC_ABAP_INSTALL_AND_RUN or TTMS_CI_START_SERVICE function vulnerabilities. Furthermore, using BAPI_USER_CREATE1 and SUSR_RFC_USER_INTERFACE requests an adversary may create a dialog user and consequently enter the system with unlimited access to business data.
To properly check the password of TMSADM through SAP GUI, you can use report RSUSR003. It is used to make sure that the TMSADM user has been created and that the default password has been changed for this user.
How to protect TMSADM?
To change the password of user TMSADM, proceed as follows:
- Log on to the Domain Controller in client 000.
- To do this, execute the TMS_UPDATE_PWD_OF_TMSADM program with the ABAP Editor (transaction SE38).
- Enter a password.
The selected password must correspond to all of the compatibility rules of all the systems involved.
- Start the program.
The program runs through the following phases:
- Logon to each SAP system involved. The test users and test destinations are created.
- Check the connections created.
- Change the password of all TMSADM users in the own domain and in all TMSADM destinations involved (cross-domain, if necessary).
- Delete the test users and test destinations.
- At the end of this program run the system displays a log and the individual program steps. You can redisplay this log at any time.
The password of the TMSADM user is changed in the own domain. The related entries in the RFC destinations of the own and connected domains were adapted. The content of the secure storage was updated for the password.