Skip to main content
close search
site logo
Dive Brief

Critical SAP vulnerabilities spur CISA, researcher pleas for urgent patching

Published Feb. 10, 2022
David Jones's headshot
Reporter
Server room (Sefa Ozel/Getty)
Sefa Ozel/Getty via Getty Images

First published on

Cybersecurity Dive
This audio is auto-generated. Please let us know if you have feedback.

Dive Brief:

  • The Cybersecurity and Infrastructure Security Agency is urging administrators to apply security updates to critical vulnerabilities in SAP's Internet Communication Manager, after researchers warned that attackers could take full control of a compromised system. 
  • ICM is a key component of SAP Netweaver application server, critical to the overall SAP technology stack, researchers from Onapsis, working with SAP, said. Potentially vulnerable applications include SAP ERP, SAP Business Suite, SAP S/4HANA and SAP Enterprise Portal. 
  • CISA said the vulnerabilities could result in a range of attacks, including sensitive data theft, financial fraud, ransomware, disruption of mission critical functions or even operations shutdown. Onapsis released an open source tool to allow organizations to scan their SAP systems.

Dive Insight:

Onapsis researchers discovered the vulnerabilities following extensive research in 2021 over a technique called HTTP Response Smuggling, according to JP Perez-Etchegoyen, CTO at the security firm. Using the technique, attackers could control responses sent by a SAP application and enable the attack to persist. 

"This means that with a single request, an attacker could be able to steal every victim session and credentials in plain text and modify the behavior of the applications," Perez-Etchegoyen said in an email.

There is no evidence the vulnerabilities have been exploited in the wild, he added, but recently active threat groups like Elephant Beetle and BlackCat consider business critical applications a lucrative target. 

ICM is a component of SAP that enables HTTP(S) communications in the company's systems, Vic Chung, director of security response at SAP, wrote in a blogpost. Because ICM is exposed to the internet and untrusted networks by design, it is highly vulnerable to attack. 

Onapsis and SAP said the three vulnerabilities, dubbed ICMAD — Internet Communication Manager Advanced Desync —  are identified as CVE-2022-22536, CVE-2022-22532 and CVE-2022-22533. The first vulnerability has the highest risk score of 10. 

SAP and Onapsis said organizations should apply Security Notes 3123396 and 3123427 to their affected SAP applications right away. Onapsis also released an open source tool to allow organizations to scan their SAP systems for CVE-2022-22536.

Filed Under: Security

Editors' picks

Company Announcements

View all | Post a press release
Celonis AgentC: Making AI Agents Work for the Enterprise with Process Intelligence
From Celonis
October 23, 2024
Celonis Business Collaboration Networks Drive Process Improvement Across Company Boundaries
From Celonis
October 23, 2024
DigiCert Welcomes Lakshmi Hanspal as New Chief Trust Officer
From DigiCert
October 24, 2024
Blackpoint Cyber Launches Global Partner Program and Enablement Platform Emphasizing a Focus o…
From Blackpoint Cyber
October 30, 2024
Editors' picks
Latest in Security
image/svg+xml
Industry Dive is an Informa business
© 2024 Industry Dive. All rights reserved. | View our other publications | Privacy policy | Terms of use | Take down policy.
Cookie Preferences / Do Not Sell