SAP customers are urged to patch critical vulnerabilities in multiple products

German enterprise software maker SAP has patched three critical vulnerabilities affecting Internet Communication Manager (ICM), a core component of SAP business applications. Customers are urged by both SAP and CISA to address these critical vulnerabilities as soon as possible.

On February 8, SAP released 14 new security notes, and security researchers from Onapsis, in coordination with SAP, released a Threat Report describing the SAP ICM critical vulnerabilities CVE-2022-22536, CVE-2022-22532, and CVE-2022-22533. Onapsis also provides an open source tool to identify whether a system is vulnerable and needs to be patched.

CVE-2022-22536

The most important vulnerability in this report is CVE-2022-22536, one of the ICMAD vulnerabilities. The ICMAD vulnerabilities are particularly critical because the issues exist by default in the SAP Internet Communication Manager (ICM). The ICM is one of the most important components of a SAP NetWeaver application server and is present in most SAP products. It is a critical part of the overall SAP technology stack, connecting SAP applications with the Internet.

CVE-2022-22536 is a request smuggling and request concatenation vulnerability in SAP NetWeaver, SAP Content Server and SAP Web Dispatcher. This vulnerability scored a CVSS rating of 10 out of 10. The high score is easy to explain: a single HTTP request, indistinguishable from any other valid message and requiring no authentication, is enough to exploit the vulnerability.

Other vulnerabilities

Some of the other “high scorers” are Log4j-related vulnerabilities, and a security update for the Google Chromium browser control delivered with SAP Business Client. The other two ICMAD vulnerabilities, identified as CVE-2022-22532 and CVE-2022-22533, received scores of 8.1 and 7.5, respectively.

Scan tool

On GitHub, Onapsis published a Python script that can be used to check if a SAP system is affected by CVE-2022-22536.

A Shodan scan shows there are more than 5,000 SAP NetWeaver servers currently connected to the Internet and exposed to attacks until the patch is applied.

Mitigation

SAP and Onapsis are currently unaware of any customer breaches related to these vulnerabilities, but strongly advise impacted organizations to apply Security Note 3123396 (which covers CVE-2022-22536) to their affected SAP applications as soon as possible.

The Cybersecurity & Infrastructure Security Agency (CISA) warned that customers who fail to do so will be exposing themselves to ransomware attacks, the theft of sensitive data, financial fraud, and disruption or halt of business operations.

ABOUT THE AUTHOR

Pieter Arntz

Malware Intelligence Researcher

Was a Microsoft MVP in consumer security for 12 years running. Can speak four languages. Smells of rich mahogany and leather-bound books.