Published on the 15/02/2022 | Written by Heather Wright

Key SAP tech component vulnerable…

SAP and the US Cybersecurity and Infrastructure Security Agency are urging organisations to quickly apply security updates after critical vulnerabilities were identified in SAP’s Internet Communication Manager (ICM) – a key component of SAP’s technology stack.

SAP released a raft of security notes in the wake of vulnerabilities found by cybersecurity research company Onapsis Research Labs last week, with Onapsis saying the discovery requires ‘immediate attention by most SAP customers given the widespread usage of the vulnerable technology component in SAP landscapes around the world’.

The vulnerabilities, which could enable attackers to trick SAP servers into exposing data without the need to authenticate, affect multiple products, including ‘critical vulnerabilities’ affecting SAP applications using SAP ICM, CISA says. 

“A simple HTTP request, indistinguishable from any other valid message and without any kind of authentication, is enough for a successful exploitation.”

ICM is a key component of an SAP Netweaver application server and is present in most SAP products. It is critical to the overall SAP technology stack, Onapsis, which is working with SAP, says, enabling HTTP(S) communications. Potentially vulnerable applications include SAP ERP, Business Suite, S/4Hana and SAP Enterprise Portal. 

SAP’s February Patch Day announcement had eight security notes with a CVSS ranking of 10 – making them critical to patch – including CVE-2022-22536, which relates to the HTTP Response Smuggling. (Another three, all with a CVSS of 10, related to Log4j vulnerabilities.)

The Onapsis report says attackers could use the vulnerabilities in the ICM to exploit and hijack arbitrary SAP user’s requests including sessions, and take over the SAP application. 

“In addition, using the HTTP Response Smuggling techniques… attackers could control responses sent by the SAP application and persist th attack. This means that with a single request and attacker could be able to steal every victim session and credentials in plain text and modify the behaviour of the applications,” Onapsis says.

The combination of two vulnerabilities makes it possible to compromise systems regardless of the use of proxies, the company says. 

“A simple HTTP request, indistinguishable from any other valid message and without any kind of authentication, is enough for a successful exploitation.”

In a blog post, Vic Chung, SAP director of security response, says SAPs Product Security Response team collaborated with Onapsis Research Labs to discover and patch three critical memory corruption vulnerabilities that have affected the ICM.

“SAP patched these vulnerabilities promptly as ICM is a core component of SAP business applications,” the blog says. 

While SAP released three patches for all impacted systems, Onapsis has provided a free open-source vulnerability scanner tool to assist customers affected to immediately address the issues. 

“If your organisation was impacted at all, SAP and Onapsis have advised users to prioritise applying Security Note 3123396 [CVE-2022-22536] to the affected SAP applications immediately.”

SAP says if an organisation’s program was exploited, the vulnerabilities, dubbed ICMAD by Onapsis, will enable attackers to execute ‘serious malicious activity on SAP users, business information and processes’.

CISA says organisations could experience theft of sensitive data, financial fraud, disruption of mission-critical business processes, ransomware and halt of all operations.

Reports suggest there is no evidence of the vulnerabilities having been exploited as of late last week. 

Onapsis’ researchers discovered the vulnerabilities as part of its current research into vulnerabilities, exploits, threat actors and attack methodologies relating to business critical applications, such as those from SAP and Oracle. 

The company has been investigating HTTP Response Smuggling, leading to the discovery of the SAP vulnerabilities.  

Mariano Nunez, Onapsis CEO and co-founder, says recent threat intelligence shows threat actors are actively targeting business-critical applications like SAP and have the expertise and tools to carry out sophisticated attacks.

“The discovery and patching of the ICMAD vulnerabilities, as well as those previously identified by Onapsis Research Labs, such as RECON and 10KBLAZE, are essential to protecting the business critical applications that power 92 percent of the Forbes Global 2000.”