SAP Vulnerability (Critical) in business applications – ICMAD SAP CVE-2022-22536 Exploit & Detection
Yesterday, on 8th February, SAP has released security updates to address critical SAP vulnerabilities affecting SAP applications using Internet Communication Manager (ICM). This includes a nasty one, i.e. ICMAD SAP bug, allowing an unauthenticated attacker to exploit the affected applications. This means a successful exploit taking advantage of the weakness could lead to full system takeover.
SAP stands for System Applications and Products in data processing, the market leader in ERP software, helping some of the biggest names in the business. The application tier is often the heart of the entire SAP ERP system, looking after interfacing with other apps, transactions, jobs, reporting and database access.
What are the ICMAD SAP Vulnerabilities?
Internet Communication Manager (ICM) is one of the important components of an SAP NetWeaver application in most products dealing with HTTP, HTTPS, SMTP protocols related communication. This sits right at the centre of the SAP tech stack found in most Internet-facing SAP applications.
A security research company, Onapsis, released this issue in a threat report citing vulnerabilities SAP CVE-2022-22536, CVE-2022-22532 and CVE-2022-22533.
- CVE-2022-22536 – This is a memory pipes desynchronization vulnerability. MPI (memory pipes) are memory structures used for communication between ICM (Internet Communication Manager) and work processes (ABAP, Java). A simple HTTP request in an unauthenticated scenario could lead to a full system takeover. This explains why its rated CVSS 10.0 rating.
- CVE-2022-22532 – It is an HTTP request smuggling vulnerability in the ICM existing in the SAP NetWeaver Java systems.
- CVE-2022-22533 – A memory leak that could lead to Denial of Service, affecting SAP Application Server Java systems. Implication of this DoS could be consuming all MPI resources leading to loss of availability for legit users.
How to check if your organisation is vulnerable to CVE-2022-22536?
You can perform checks on your organisation if it’s vulnerable using this open-source scanner from Onapsis
https://github.com/Onapsis/onapsis_icmad_scanner
This script performs an unauthenticated check against the presence of CVE-2022-22536 in your SAP applications. These tests can be conducted in various scenarios such as:
- Where an SAP system is without an HTTP proxy or HTTPS proxy
- Where a system is behind SAP Web Dispatcher
Should you organisation is planning for a yearly penetration test or upon any changes, check out our CREST approved pentesting services
Vulnerability assessment for ICMAD SAP vulnerability
Running this script is easy-peasy; point the ICMAD_scanner.py at the target:
python ICMAD_scanner.py -H -P
You can also use your favourite scanners such as Tenable plugins as pretty much most of the scanners have scanning capability added this week.
- CVE-2021-44228 Remote Code Execution vulnerability associated with Apache Log4j 2 component used in SAP Commerce
- Apache Log4j vulnerability affecting various components in SAP dynamic authorization management, Internet of Things Edge Platform, SAP customer checkout, SAP business client with google chromium. It covers CVE-2021-44228, CVE-2021-45046
We have covered Log4j extensively since it was discovered; it’s available at this link below:
https://thecyphere.com/blog/log4j-vulnerability/
Given the severity of this bug, the impacted organisation could suffer various types of cyberattacks such as:
- Sensitive data theft
- Identity theft
- Financial fraud
- Disruption to business operations
- Ransomware
Solution
SAP published HotNews Security Notes that can be followed here:
https://launchpad.support.sap.com/#/notes/3123396
https://launchpad.support.sap.com/#/notes/3123427 (authenticated users only)
SAP Security Patch Day – February 2022
https://wiki.scn.sap.com/wiki/display/PSR/SAP+Security+Patch+Day+-+February+2022
https://onapsis.com/icmad-sap-cybersecurity-vulnerabilities
SAP ONE Support launchpad
https://launchpad.support.sap.com/
Get in touch to discuss any security concerns for your business.
Harman Singh is a security professional with over 15 years of consulting experience in both public and private sectors.
As the Managing Consultant at Cyphere, he provides cyber security services to retailers, fintech companies, SaaS providers, housing and social care, construction and more. Harman specialises in technical risk assessments, penetration testing and security strategy.
He regularly speaks at industry events, has been a trainer at prestigious conferences such as Black Hat and shares his expertise on topics such as ‘less is more’ when it comes to cybersecurity. He is a strong advocate for ensuring cyber security as an enabler for business growth.
In addition to his consultancy work, Harman is an active blogger and author who has written articles for Infosecurity Magazine, VentureBeat and other websites.
