The US Cybersecurity and Infrastructure Security Agency (CISA) on Thursday added a critical SAP security vulnerability to its Known Exploited Vulnerabilities Catalog, citing evidence of active exploitation.
The issue in question is CVE-2022-22536, which received the highest possible CVSS score of 10.0 and was addressed by SAP as part of its Patch Tuesday updates for February 2022.
Described as an HTTP request smuggling vulnerability, the flaw affects the following product versions:
- SAP Web Dispatcher (versions 7.49, 7.53, 7.77, 7.81, 7.85, 7.22EXT, 7.86, 7.87)
- SAP Content Server (version 7.53)
- SAP NetWeaver and ABAP Platform (versions KERNEL 7.22, 8.04, 7.49, 7.53, 7.77, 7.81, 7.85, 7.86, 7.87; KRNL64UC 8.04, 7.22, 7.22EXT, 7.49, 7.53; KRNL64NUC 7.22, 7.22EXT)
“An unauthenticated attacker may preempt a victim’s request for arbitrary data, allowing execution of functions that impersonate the victim or poison intermediate web caches,” CISA said in an alert.
“A simple HTTP request, indistinguishable from any other valid message and without any form of authentication, is sufficient for successful exploitation,” said Onapsis, which discovered the flaw. “Therefore, it is easy for attackers to exploit and harder for security technologies such as firewalls or IDS/IPS to detect (because it does not present a malicious payload).”
Besides the SAP weakness, the agency also added new flaws disclosed by Apple (CVE-2022-32893 and CVE-2022-32894) and Google (CVE-2022-2856) this week, previously documented Microsoft bugs (CVE-2022-21971 and CVE-2022-26923), and a remote code execution vulnerability in Palo Alto Networks PAN-OS (CVE-2017-15944, CVSS score: 9.8) that was disclosed in 2017.
CVE-2022-21971 (CVSS score: 7.8) is a remote code execution vulnerability in Windows Runtime that Microsoft addressed in February 2022. CVE-2022-26923 (CVSS score: 8.8), fixed in May 2022, is a privilege escalation flaw in Active Directory Domain Services.
“An authenticated user could manipulate the attributes of computer accounts they own or manage, and acquire a certificate from Active Directory Certificate Services that would allow elevation of privileges to the system,” Microsoft notes in its advisory for CVE-2022-26923.
CISA's notification, as is traditionally the case, is light on technical details of the in-the-wild attacks associated with the vulnerabilities, so as not to give threat actors further advantage.
To mitigate exposure to potential threats, Federal Civilian Executive Branch (FCEB) agencies are mandated to apply the relevant patches by September 8, 2022.
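For organisations that track the KEV catalog the way FCEB agencies are required to, the practical step is to match the feed against an asset inventory and flag anything whose remediation due date is approaching or past. The following Python script is an added example by the editor, not code from CISA or from any vendor named above. It embeds a constructed slice of the feed in the shape of CISA's public KEV JSON (the `cveID`, `vendorProject`, `product` and `dueDate` field names are those of the real feed; the entries are built from the CVE IDs and the September 8, 2022 due date given in the article) and a constructed host-to-CVE inventory, which in practice would come from a vulnerability scanner.

```python
import json
from datetime import date

# Constructed sample in the shape of CISA's KEV JSON feed. Field names follow the
# public feed; vendor/product strings and the due date come from the article.
SAMPLE_KEV_JSON = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities (constructed sample)",
    "vulnerabilities": [
        {"cveID": "CVE-2022-22536", "vendorProject": "SAP",
         "product": "Web Dispatcher / Content Server / NetWeaver ABAP",
         "dueDate": "2022-09-08"},
        {"cveID": "CVE-2022-26923", "vendorProject": "Microsoft",
         "product": "Active Directory Domain Services", "dueDate": "2022-09-08"},
        {"cveID": "CVE-2017-15944", "vendorProject": "Palo Alto Networks",
         "product": "PAN-OS", "dueDate": "2022-09-08"},
    ],
})

# Constructed inventory: CVEs each host is known to be affected by (hostnames are
# placeholders). CVE-2021-99999 is a placeholder that is deliberately not in KEV.
SAMPLE_INVENTORY = {
    "sap-webdisp-01": {"CVE-2022-22536"},
    "dc-01": {"CVE-2022-26923", "CVE-2022-21971"},
    "fw-edge-01": {"CVE-2017-15944"},
    "web-03": {"CVE-2021-99999"},
}


def load_kev(feed_json):
    """Parse KEV feed text into a dict keyed by CVE ID."""
    data = json.loads(feed_json)
    return {entry["cveID"]: entry for entry in data["vulnerabilities"]}


def triage(inventory, kev, today):
    """Match inventory against KEV and return one finding per (host, CVE) hit.

    `today` is an ISO date string. Findings are sorted most urgent first:
    overdue items (negative days_left) come before items still within the window.
    """
    today_d = date.fromisoformat(today)
    findings = []
    for host, cves in inventory.items():
        for cve in sorted(cves):
            entry = kev.get(cve)
            if entry is None:
                continue  # not in KEV: still a vulnerability, just not on this list
            due = date.fromisoformat(entry["dueDate"])
            days_left = (due - today_d).days
            findings.append({
                "host": host,
                "cve": cve,
                "vendor": entry["vendorProject"],
                "product": entry["product"],
                "due_date": entry["dueDate"],
                "days_left": days_left,
                "overdue": days_left < 0,
            })
    findings.sort(key=lambda f: (f["days_left"], f["host"]))
    return findings


def report(findings):
    """Render findings as plain-text lines suitable for a ticket or daily digest."""
    lines = []
    for f in findings:
        status = "OVERDUE" if f["overdue"] else f"{f['days_left']}d left"
        lines.append(f"{f['host']:16} {f['cve']:16} {f['vendor']} {f['product']} "
                     f"(due {f['due_date']}, {status})")
    return lines


if __name__ == "__main__":
    kev = load_kev(SAMPLE_KEV_JSON)
    for line in report(triage(SAMPLE_INVENTORY, kev, "2022-09-01")):
        print(line)
```

Hosts whose only vulnerabilities are outside the catalog (here `web-03`) are intentionally dropped from the output: the script answers "what must be fixed by the KEV deadline", not "what is vulnerable". Replacing `SAMPLE_KEV_JSON` with the body fetched from CISA's published feed and `SAMPLE_INVENTORY` with scanner output is all that is needed to run it against real data.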