Immediate Patching Required to Fix Critical SAP Vulnerabilities

The German business software provider SAP has released patches to fix a set of critical vulnerabilities that affect SAP applications that use the SAP Internet Communications Manager (ICM). The vulnerabilities were identified by researchers at Onapsis Research Labs, who dubbed the flaws ICMAD (Internet Communications Manager Advanced Desync). All three of the flaws could be exploited to achieve remote code execution, which would allow remote attackers to fully compromise vulnerable SAP applications.

The vulnerabilities affect the following SAP applications:

  • SAP NetWeaver AS ABAP
  • ABAP Platform
  • SAP NetWeaver AS Java
  • SAP Content Server 7.53
  • SAP Web Dispatcher

The flaws could be exploited to steal victim sessions and credentials in plaintext, change the behavior of applications, obtain PHI and sensitive business data, and cause denial-of-service. The vulnerability CVE-2022-22536 is the most serious of the three and has been assigned the maximum CVSS severity score of 10/10. Onapsis said the flaw can be easily exploited by an unauthenticated attacker on SAP applications in the default configuration by sending a single request through the commonly exposed HTTP(S) service.

When business applications allow HTTP(S) access, the most common configuration is for an HTTP(S) proxy to sit between clients and the backend SAP system, and this configuration allows the flaw to be exploited. The second vulnerability, tracked as CVE-2022-22532 (CVSS 8.1), can also be exploited in this configuration, and even in the absence of proxies. The third vulnerability, tracked as CVE-2022-22533 (no CVSS score at present), can also lead to remote code execution.

The vulnerabilities were identified while researching HTTP smuggling techniques, which the researchers determined could be leveraged using requests that closely mirror legitimate HTTP requests. As such, these attacks would be difficult for security teams to detect. Further, the vulnerabilities are also very easy to exploit.

SAP applications are extensively used by businesses, including in the healthcare industry. When vulnerabilities are discovered, they are quick to be exploited by hackers to gain access to applications to steal data or cripple business systems. Oftentimes, the first exploits of SAP vulnerabilities occur within 72 hours of patches being released.

SAP applications are used to manage business processes, and in healthcare the applications often contain protected health information. Vulnerabilities in SAP applications could therefore be exploited to steal patient data.

SAP and Onapsis have urged all businesses using vulnerable SAP applications to apply the patches immediately to prevent exploitation. The Cybersecurity and Infrastructure Security Agency (CISA) has also issued an advisory about the vulnerabilities urging immediate patching. Organizations should prioritize patching affected systems that are exposed to untrusted networks, such as the Internet. Onapsis has released a free, open source scanning tool that can be used by businesses to discover if they are vulnerable to ICMAD exploits.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.
