- The Cybersecurity and Infrastructure Security Agency is urging administrators to apply security updates to critical vulnerabilities in SAP's Internet Communication Manager, after researchers warned that attackers could take full control of a compromised system.
- ICM is a key component of SAP Netweaver application server, critical to the overall SAP technology stack, researchers from Onapsis, working with SAP, said. Potentially vulnerable applications include SAP ERP, SAP Business Suite, SAP S/4HANA and SAP Enterprise Portal.
- CISA said the vulnerabilities could result in a range of attacks, including sensitive data theft, financial fraud, ransomware, disruption of mission critical functions or even operations shutdown. Onapsis released an open source tool to allow organizations to scan their SAP systems.
Onapsis researchers discovered the vulnerabilities following extensive research in 2021 over a technique called HTTP Response Smuggling, according to JP Perez-Etchegoyen, CTO at the security firm. Using the technique, attackers could control responses sent by a SAP application and enable the attack to persist.
"This means that with a single request, an attacker could be able to steal every victim session and credentials in plain text and modify the behavior of the applications," Perez-Etchegoyen said in an email.
There is no evidence the vulnerabilities have been exploited in the wild, he added, but recently active threat groups like Elephant Beetle and BlackCat consider business critical applications a lucrative target.
ICM is a component of SAP that enables HTTP(S) communications in the company's systems, Vic Chung, director of security response at SAP, wrote in a blogpost. Because ICM is exposed to the internet and untrusted networks by design, it is highly vulnerable to attack.
Onapsis and SAP said the three vulnerabilities, dubbed ICMAD — Internet Communication Manager Advanced Desync — are identified as CVE-2022-22536, CVE-2022-22532 and CVE-2022-22533. The first vulnerability has the highest risk score of 10.
SAP and Onapsis said organizations should apply Security Notes 3123396 and 3123427 to their affected SAP applications right away. Onapsis also released an open source tool to allow organizations to scan their SAP systems for CVE-2022-22536.