ICMAD Vulnerability Added to CISA’s Known Exploited Vulnerabilities Catalog

Earlier this year, Onapsis Research Labs and the SAP Product Security Response Team (PSRT) collaborated to discover and patch three critical vulnerabilities that affected SAP Internet Communication Manager (ICM)–a core component of SAP business applications. Dubbed ICMAD, Onapsis continues to monitor exploit activity surrounding these vulnerabilities (and others) to ensure SAP customers are protected.

 

On August 18, 2022, The US Cybersecurity and Infrastructure Security Agency (CISA) added one of these critical SAP vulnerabilities–CVE-2022-22536–to its Known Exploited Vulnerabilities Catalog (KEV). While federal civilian agencies are bound by BOD 22-01 to address all applicable vulnerabilities in the KEV, CISA highly recommends that all organizations should consider prioritizing action immediately if they haven’t already done so.

Onapsis Research Labs continually monitors vulnerabilities, especially as critical as these, even after the release of the security patches back in February 2022. The team continues to assess and analyze security issues across critical components of SAP. At the moment, we do not have conclusive data points in terms of how many organizations actually implemented the fixes. However, the joint campaigns we did six months ago with SAP, together with the warnings that CISA and other CERT(s), helped iterate the importance of acting in timely manner, implementing the patch/mitigation, and ultimately preventing a breach. 

ICMAD: Critical, Network-Exploitable Vulnerabilities

More than 400,000 organizations, including 90% of Fortune 500 companies, rely on SAP’s software to keep their business up and running. At the core of every SAP deployment is the SAP Internet Communication Manager (ICM), the piece of software in charge of handling all HTTP requests and responses. The ICMAD vulnerabilities are particularly critical because the issues exist by default in the SAP Internet Communication Manager (ICM). 

The ICMAD vulnerabilities are identified as CVE-2022-22536, CVE-2022-22532, and CVE-2022-22533 — the first of which received the highest possible risk score, a 10 out of 10, while the other two received scores of 8.1 and 7.5, respectively. CVE-2022-22536 can be abused to compromise any SAP NetWeaver-based Java or ABAP application with default configurations. This can be achieved using a single request through the commonly exposed HTTP(S) service, and no authentication is required. 

The potential impact to the business can be huge, which makes CISA’s inclusion of CVE-2022-22536 in the KEV so critical. A successful exploitation of the vulnerabilities could allow an attacker to perform several malicious actions affecting the enterprise, including: 

• Hijack of user identities, theft of all user credentials and personal information
• Exfiltration of sensitive or confidential corporate information
• Fraudulent transactions and financial harm
• Change of banking details in a financial system of record
• Internal denial of service attack that disrupts critical systems for the business

Next Steps to Take

Onapsis Research Labs recommends analyzing the impact that the issues described above can have on your landscape (specifically considering if you have SAP systems exposed to the Internet or to untrusted networks) and applying the notes as soon as possible. For additional guidance about available workarounds for these vulnerabilities, SAP customers should check the References and Workarounds section in the corresponding SAP Security Notes.

For our clients, the Onapsis Platform includes vulnerability assessment capabilities, detection rules, and alarms to continuously monitor malicious activity targeting these specific vulnerabilities as well as thousands of others. Those Onapsis clients who have Onapsis Assess and/or Onapsis Defend (Ver 2.2022.021 or greater) are already armed with scanning, monitoring, and alerting tools at their disposal to help protect their SAP landscape 

Onapsis Research Labs have created a free vulnerability scanning tool that will allow any SAP customer to scan for applications across their SAP landscape that are affected by these vulnerabilities. 

Closing Thoughts

All of the ICMAD vulnerabilities continue to present a critical risk to all unprotected SAP applications that are not patched with the corresponding SAP Security Notes. Without taking prompt action to mitigate the risk, it’s possible for an unauthenticated attacker to fully compromise any unpatched SAP system.

These notes are rated with the highest CVSS scores and affect commonly deployed components in multiple, widely deployed products from SAP. This is partly due to the fact that the affected components, by design, are intended to be exposed to the Internet, thereby greatly increasing the risk that any attacker, with access to the HTTP(S) port of a Java or ABAP system, could take over the applications and, in some circumstances, even the host OS. 

Prior threat intelligence from SAP, CISA, and Onapsis has demonstrated that threat actors have the knowledge, the technology, and the sophistication to launch complex attacks directly against business-critical applications such as SAP. Generally, we see attacks begin within 72 hours of the release of an SAP Security Note. 

These vulnerabilities potentially offer easy ingress for malicious actors. CISA, SAP, and Onapsis strongly advise that all impacted organizations should apply these security notes as soon as possible, prioritizing those affected systems exposed to untrusted networks.

ICMAD Resources

• For a deeper dive into the ICMAD vulnerabilities, download our threat report.
• Watch the on-demand session: SAP and Onapsis Executive Briefing on Critical ICMAD Vulnerabilities
• Onapsis Research Labs created a free vulnerability scanning tool that will allow SAP customers to scan for applications across their SAP landscape that are affected by the ICMAD vulnerabilities.
• If you are not an Onapsis customer, or need more information or assistance to respond to this situation, request a security briefing here.