ICMAD SAP Vulnerability (CVE-2022-22536) – Critical Risk

Updated: October 11, 2025

SAP Vulnerability (Critical) in business applications – ICMAD SAP CVE-2022-22536 Exploit & Detection

SAP stands for Systems, Applications and Products in Data Processing. It is the market leader in ERP software and is used by some of the biggest names in business. The application tier is the heart of an SAP ERP system: it handles interfacing with other applications, transactions, jobs, reporting and database access.

What are the ICMAD SAP Vulnerabilities?

The Internet Communication Manager (ICM) is a core component of SAP NetWeaver applications; in most products it handles communication over HTTP, HTTPS and SMTP. It sits at the centre of the SAP technology stack and is present in most Internet-facing SAP applications.

The security research company Onapsis disclosed these issues in a threat report covering CVE-2022-22536, CVE-2022-22532 and CVE-2022-22533.

  • CVE-2022-22536 – A memory pipes desynchronization vulnerability. Memory pipes (MPI) are memory structures used for communication between the ICM (Internet Communication Manager) and the work processes (ABAP, Java). A single HTTP request from an unauthenticated attacker could lead to a full system takeover, which explains its CVSS 10.0 rating.
  • CVE-2022-22532 – An HTTP request smuggling vulnerability in the ICM of SAP NetWeaver Java systems.
  • CVE-2022-22533 – A memory leak that could lead to denial of service, affecting SAP Application Server Java systems. Such a DoS could consume all MPI resources, leaving the system unavailable to legitimate users.
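As an added illustration (not code from the original article or from Onapsis), the Python check below flags HTTP/1.1 requests whose body framing is ambiguous: conflicting Content-Length and Transfer-Encoding headers are the precondition that request-smuggling and front-end/back-end desynchronization bugs such as CVE-2022-22532 rely on. It is a generic framing check for use at a reverse proxy or during log review, not a detector for the specific ICMAD trigger, which this article does not describe; the sample requests and the host name sap.example are constructed.

```python
"""Flag HTTP/1.1 requests with ambiguous body framing.

Conflicting Content-Length / Transfer-Encoding headers are what
request-smuggling and desynchronization bugs depend on. Run this over
captured requests to spot traffic worth investigating.
Assumption: each input is one complete, raw HTTP/1.1 request as bytes.
"""
from typing import List, Tuple


def parse_request(raw: bytes) -> Tuple[List[Tuple[bytes, bytes]], bytes]:
    """Split a raw request into [(lower-cased header name, value)] and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    headers = []
    for line in head.split(b"\r\n")[1:]:  # skip the request line
        name, _, value = line.partition(b":")
        headers.append((name.strip().lower(), value.strip()))
    return headers, body


def framing_findings(raw: bytes) -> List[str]:
    """Return the reasons (possibly none) the request's framing is ambiguous."""
    headers, body = parse_request(raw)
    cl = [v for n, v in headers if n == b"content-length"]
    te = [v for n, v in headers if n == b"transfer-encoding"]
    findings = []
    if cl and te:
        findings.append("both Content-Length and Transfer-Encoding present")
    if len(set(cl)) > 1:
        findings.append("conflicting duplicate Content-Length values")
    if any(not v.isdigit() for v in cl):
        findings.append("non-numeric Content-Length")
    if any(v.lower() != b"chunked" for v in te):
        findings.append("non-standard Transfer-Encoding value")
    if cl and not te and cl[0].isdigit() and int(cl[0]) != len(body):
        findings.append("Content-Length does not match body length")
    return findings


# Constructed sample requests (not real traffic); host name is a placeholder.
CLEAN = (b"POST / HTTP/1.1\r\nHost: sap.example\r\n"
         b"Content-Length: 5\r\n\r\nhello")
CL_TE = (b"POST / HTTP/1.1\r\nHost: sap.example\r\nContent-Length: 4\r\n"
         b"Transfer-Encoding: chunked\r\n\r\n0\r\n\r\n")
DUP_CL = (b"POST / HTTP/1.1\r\nHost: sap.example\r\nContent-Length: 5\r\n"
          b"Content-Length: 10\r\n\r\nhello")

if __name__ == "__main__":
    for label, req in (("clean", CLEAN), ("cl+te", CL_TE), ("dup-cl", DUP_CL)):
        print(label, framing_findings(req) or ["ok"])
```

Requests that produce any finding should be rejected or normalised before they reach the ICM, and logged for review.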

How to check if your organisation is vulnerable to CVE-2022-22536?

You can check whether your organisation is vulnerable using this open-source scanner from Onapsis:
https://github.com/Onapsis/onapsis_icmad_scanner
The script performs an unauthenticated check for the presence of CVE-2022-22536 in your SAP applications. It can be run in several scenarios, such as:

  • Where an SAP system is without an HTTP proxy or HTTPS proxy
  • Where a system is behind SAP Web Dispatcher

Vulnerability assessment for ICMAD SAP vulnerability

Running the script is easy-peasy; point ICMAD_scanner.py at the target, passing the host with -H and the port with -P:

python ICMAD_scanner.py -H  -P 

You can also use your favourite scanners, such as Tenable plugins, as most scanners added detection for this vulnerability the same week.

  • CVE-2021-44228 – Remote Code Execution vulnerability in the Apache Log4j 2 component used in SAP Commerce
  • Apache Log4j vulnerability affecting various components: SAP Dynamic Authorization Management, Internet of Things Edge Platform, SAP Customer Checkout and SAP Business Client with Google Chromium. It covers CVE-2021-44228 and CVE-2021-45046.

We have covered Log4j extensively since it was discovered; see the link below:
https://thecyphere.com/blog/log4j-vulnerability/

Given the severity of this bug, the impacted organisation could suffer various types of cyberattacks such as:

Solution

Get in touch to discuss any security concerns for your business. 
