Earlier this year, Onapsis Research Labs and the SAP Product Security Response Team (PSRT) collaborated to discover and fix three critical vulnerabilities affecting SAP Internet Communication Manager (ICM), a core component of SAP business applications. The set has been dubbed ICMAD, and Onapsis continues to monitor exploit activity surrounding these vulnerabilities (and others) to ensure SAP customers are protected.
Download the report: Onapsis and SAP Partner to Discover and Fix Critical ICMAD Vulnerabilities
On August 18, 2022, the United States Cybersecurity and Infrastructure Security Agency (CISA) added one of these critical SAP vulnerabilities, CVE-2022-22536, to its Known Exploited Vulnerabilities (KEV) catalog. Although only federal civilian agencies are bound by CA 22-01 to address all applicable vulnerabilities in the KEV catalog, CISA strongly recommends that all organizations prioritize remediation immediately if they have not already done so.
Onapsis Research Labs continuously monitors for vulnerabilities, especially ones as critical as these, even after the release of the security patches in February 2022. The team continues to assess and analyze security issues in critical SAP components. At this time, we do not have conclusive data on the number of organizations that have actually implemented the patches. However, the joint campaigns we ran six months ago with SAP, along with the warnings from CISA and other CERTs, helped underline the importance of acting in a timely manner: applying the patches or mitigations, and ultimately preventing a breach.
ICMAD: Critical Vulnerabilities Exploitable over the Network
More than 400,000 organizations, including 90% of Fortune 500 companies, rely on software from SAP to keep their businesses running smoothly. At the heart of every SAP deployment is SAP Internet Communication Manager (ICM), the component responsible for handling all HTTP requests and responses. The ICMAD vulnerabilities are particularly critical because the issues are present in ICM's default configuration.
The ICMAD vulnerabilities are identified as CVE-2022-22536, CVE-2022-22532, and CVE-2022-22533. The first received the highest possible CVSS score, a 10 out of 10, while the other two received scores of 8.1 and 7.5, respectively. CVE-2022-22536 can be abused to compromise any Java or ABAP application based on SAP NetWeaver running with default configurations. This can be achieved with a single request via the commonly exposed HTTP(S) service, and no authentication is required.
The potential impact on the business can be enormous, which is what makes CISA's inclusion of CVE-2022-22536 in the KEV catalog so significant. Successful exploitation of the vulnerabilities could allow an attacker to perform several malicious actions affecting the business, including:
- Misappropriation of user identities, theft of all user credentials and personal information
- Exfiltration of sensitive or confidential company information
- Fraudulent transactions and financial harm
- Changing bank details in a financial recording system
- Internal denial of service attack that disrupts critical business systems
Next steps to follow
Onapsis Research Labs recommends analyzing the impact that the issues described above may have on your landscape (especially if you have SAP systems exposed to the Internet or untrusted networks) and applying the SAP Security Notes as soon as possible. For additional guidance on available workarounds for these vulnerabilities, SAP customers should review the "References and workarounds" section of the relevant SAP Security Notes.
For our customers, the Onapsis platform includes vulnerability assessment capabilities, detection rules, and alarms to continuously monitor for malicious activity targeting these specific vulnerabilities and thousands more. Onapsis customers who have Onapsis Assess and/or Onapsis Defend (Ver 2.2022.021 or higher) already have the analytics, monitoring, and alerting tools at their disposal to help protect their SAP landscape.
Onapsis Research Labs has also created a free vulnerability scanning tool that allows any SAP customer to scan their SAP landscape for applications affected by these vulnerabilities.
All ICMAD vulnerabilities continue to pose a critical risk to every SAP application that has not been patched with the corresponding SAP Security Notes. Without prompt action to mitigate the risk, an unauthenticated attacker can completely compromise any unpatched SAP system.
These vulnerabilities carry the highest CVSS scores and affect components that ship in several widely deployed SAP products. The risk is heightened because the affected components are, by design, intended to be exposed to the Internet, which greatly increases the likelihood that an attacker with access to the HTTP(S) port of a Java or ABAP system can compromise the application and, in some circumstances, even the host operating system.
Previous threat intelligence from SAP, CISA and Onapsis has demonstrated that attackers have the knowledge, technology and sophistication to launch complex attacks directly against critical applications such as SAP. Typically, we see attacks begin within 72 hours of an SAP Security Note being issued.
These vulnerabilities potentially provide easy entry for malicious actors. CISA, SAP, and Onapsis urge all affected organizations to implement these security notices as soon as possible, prioritizing affected systems exposed to untrusted networks.