On February's Patch Tuesday, SAP released security updates that patch vulnerabilities in multiple SAP products, including critical vulnerabilities affecting SAP applications that use the Internet Communication Manager (ICM). The ICM is one of the most important components of an SAP NetWeaver application server: it is present in most SAP products and is a critical part of the overall SAP technology stack, connecting SAP applications to the Internet. These critical vulnerabilities can be detected using vulnerability management software.
SAP applications help organizations manage critical business processes such as enterprise resource planning, product lifecycle management, customer relationship management, and supply chain management. A patch management tool can be used to apply the fixes for these vulnerabilities.
Additionally, the Onapsis Research Labs and the SAP Product Security Response Team (PSRT) collaborated to discover and patch three critical vulnerabilities, collectively named the ICMAD vulnerabilities and tracked as CVE-2022-22536, CVE-2022-22532, and CVE-2022-22533. The team also released a Threat Report addressing them. The Cybersecurity and Infrastructure Security Agency (CISA) also warned organizations to patch these severe security flaws, dubbed ICMAD (Internet Communication Manager Advanced Desync), which impact SAP business applications using the Internet Communication Manager (ICM); CISA cited impacts such as data theft, financial fraud risks, disruption of mission-critical business processes, ransomware attacks, and a halt of all operations.
ICMAD Vulnerabilities
- CVE-2022-22536: HTTP Request Smuggling vulnerability with the highest CVSSv3 score of 10.0. This CVE is considered the most critical of the three ICMAD vulnerabilities. An unauthenticated, remote attacker could exploit it using a simple HTTP request containing arbitrary data. A successful attack could result in the complete compromise of the confidentiality, integrity, and availability of the system.
  Affected products: SAP NetWeaver and ABAP Platform, SAP Web Dispatcher, SAP Content Server
- CVE-2022-22532: HTTP Request Smuggling vulnerability with a CVSSv3 score of 8.1. An unauthenticated, remote attacker could exploit it using a crafted HTTP server request that triggers improper shared memory buffer handling. A successful attacker could impersonate the victim or even steal the victim's login session.
  Affected products: SAP NetWeaver Application Server Java
- CVE-2022-22533: Use After Free vulnerability with a CVSSv3 score of 7.5. An unauthenticated, remote attacker could submit multiple HTTP server requests that trigger errors and exhaust all available memory. Successful exploitation leads to denial of service.
  Affected products: SAP NetWeaver Application Server Java
Proof of Concept of ICMAD Vulnerabilities
Onapsis security researchers developed and published an open-source tool on GitHub to help SAP customers protect their applications by letting them assess their exposure and evaluate whether their SAP applications using ICM are affected by CVE-2022-22536.
Solution
As part of its monthly Security Patch Day, SAP published HotNews Security Notes to address CVE-2022-22536 and CVE-2022-22532. Both SAP and Onapsis advise impacted organizations to prioritize applying the security notes to their affected SAP applications immediately.
- SAP Security Note 3123396: CVE-2022-22536
  Patched versions:
  - SAP Web Dispatcher – 7.49, 7.53, 7.77, 7.81, 7.85, 7.22EXT, 7.86, 7.87
  - SAP Content Server – 7.53
  - SAP NetWeaver and ABAP Platform – KERNEL 7.22, 8.04, 7.49, 7.53, 7.77, 7.81, 7.85, 7.86, 7.87; KRNL64UC 8.04, 7.22, 7.22EXT, 7.49, 7.53; KRNL64NUC 7.22, 7.22EXT, 7.49
- SAP Security Note 3123427: CVE-2022-22532
  Patched versions:
  - SAP NetWeaver Application Server Java – KRNL64NUC 7.22, 7.22EXT, 7.49; KRNL64UC 7.22, 7.22EXT, 7.49, 7.53; KERNEL 7.22, 7.49, 7.53