German enterprise software maker SAP has patched three critical vulnerabilities affecting Internet Communication Manager (ICM), a core component of SAP business applications. Customers are urged by both SAP and CISA to address these critical vulnerabilities as soon as possible.
On February 8, SAP released 14 new security notes and security researchers from Onapsis, in coordination with SAP, released a Threat Report describing SAP ICM critical vulnerabilities, CVE-2022-22536, CVE-2022-22532, and CVE-2022-22533. Onapsis also provides an open source tool to identify if a system is vulnerable and needs to be patched.
The most important vulnerability in this report is CVE-2022-22536, one of the ICMAD vulnerabilities. The ICMAD vulnerabilities are particularly critical because the issues exist by default in the SAP Internet Communication Manager (ICM). The ICM is one of the most important components of a SAP NetWeaver application server and is present in most SAP products. It is a critical part of the overall SAP technology stack, connecting SAP applications with the Internet.
CVE-2022-22536 is a request smuggling and request concatenation in SAP NetWeaver, SAP Content Server and SAP Web Dispatcher. This vulnerability scored a CVSS rating of 10 out of 10. The high score is easy to explain. A simple HTTP request, indistinguishable from any other valid message and without any kind of authentication, is enough for a successful exploitation of the vulnerability.
Some of the other “high scorers” are Log4j related vulnerabilities, and a security update for the browser control Google Chromium delivered with SAP Business Client. The other two ICMAD vulnerabilities identified as CVE-2022-22532 and CVE-2022-22533 received scores of 8.1 and 7.5, respectively.
On GitHub Onapsis published a Python script that can be used to check if a SAP system is affected by CVE-2022-22536.
A Shodan scan shows there are more than 5,000 SAP NetWeaver servers currently connected to the Internet and exposed to attacks until the patch is applied.
SAP and Onapsis are currently unaware of any customer breaches that relate to these vulnerabilities, but strongly advise impacted organizations to immediately apply Security Note 3123396 (which covers CVE-2022-22536) to their affected SAP applications as soon as possible.
The Cybersecurity & Infrastructure Security Agency (CISA) warned that customers who fail to do so will be exposing themselves to ransomware attacks, the theft of sensitive data, financial fraud, and disruption or halt of business operations.