SAP has released patches to fix a set of critical vulnerabilities in the SAP Internet Communication Manager (ICM), which is used by SAP business applications such as SAP NetWeaver, S/4HANA, and SAP Web Dispatcher. One of the vulnerabilities has been given the highest possible CVSS severity score of 10.
The vulnerabilities were identified by security researchers at Onapsis Research Labs, who reported them to SAP. The researchers have been working with the German business management software provider to create patches to fix the issues. SAP released patches to fix the flaws on February 8, 2022.
The vulnerabilities have been dubbed Internet Communication Manager Advanced Desync (ICMAD) and affect all SAP business applications that use the Internet Communication Manager (ICM). The most serious vulnerability – tracked as CVE-2022-22536 – can be exploited remotely by an attacker against any SAP NetWeaver-based Java or ABAP application in the default configuration by sending a single request through the commonly exposed HTTP(S) service. The flaw can be exploited without authentication and allows an attacker to steal all victim sessions and credentials in plaintext and to modify the behavior of the application.
Onapsis said the default configuration for HTTP(S) access places an HTTP(S) proxy between clients and the backend SAP system, and CVE-2022-22536 can be exploited in that configuration. The second vulnerability, tracked as CVE-2022-22532, can also be exploited when no proxy is present. CVE-2022-22532 has a CVSS severity score of 8.1/10. The third vulnerability is tracked as CVE-2022-22533; at present, no CVSS score has been assigned to it.
All three vulnerabilities can lead to remote code execution and can be exploited to target SAP users and processes, steal credentials and business information, conduct denial-of-service attacks, and completely compromise vulnerable SAP systems. At present, the vulnerabilities have not been exploited in any real-world attacks on SAP customers, but SAP applications are often targeted by hackers and these vulnerabilities are likely to be exploited if vulnerable systems are not patched.
SAP, Onapsis, and the U.S. Cybersecurity and Infrastructure Security Agency (CISA) have urged all businesses using vulnerable SAP products to apply the patches immediately to prevent exploitation. If you are unsure whether you are using a vulnerable SAP product, Onapsis has released a free open source tool for scanning systems for the ICMAD flaws.