As of August 19, 2022, CISA added the ICMAD vulnerability CVE-2022-22536 to its catalog.
Last week, we announced how Onapsis and SAP partnered on the discovery and mitigation of a set of three vulnerabilities affecting the SAP Internet Communication Manager (ICM) component in SAP business-critical applications. This set of vulnerabilities was dubbed ICMAD (“Internet Communication Manager Advanced Desync”). The ICMAD vulnerabilities require immediate attention from most SAP customers, given how ubiquitous the SAP ICM is in SAP landscapes around the world.
Following the release of our threat report, Mariano Nunez, CEO at Onapsis, and Richard Puckett, CISO at SAP, held a briefing on these ICMAD SAP vulnerabilities. Watch the session or read along for five things you should know.
1. The SAP ICM is a very common and widely deployed component in SAP applications.
The SAP ICM is a core component of an SAP NetWeaver application server. It connects the SAP application to the outside world (i.e., the internet). The SAP ICM understands and handles several protocols, such as P4, IIOP, and SMTP, but one of its primary roles is to serve as the SAP HTTP(S) server. As a result, this service is always present and exposed by default in an SAP NetWeaver Java application and is required to run web applications in SAP ABAP (e.g., Web Dynpro). Additionally, the SAP ICM is part of the SAP Web Dispatcher, which means it typically sits between most SAP application servers and their clients (and those clients may be on the internet).
The Onapsis Research Labs identified three severe network-exploitable vulnerabilities that can lead to full system takeover if leveraged by an attacker. Exploiting these vulnerabilities is simple, requires no prior authentication and no preconditions, and the payload can be sent over HTTP(S). This means that unpatched SAP NetWeaver applications (both Java and ABAP) reachable over HTTP(S) are vulnerable, as are any applications sitting behind the SAP Web Dispatcher, such as S/4HANA.
2. An SAP application does not need to be connected to the internet for the vulnerability to be exploited.
While it is true that the SAP ICM commonly serves as the connection to the internet, leaving an estimated 10,000+ internet-facing SAP applications vulnerable, applications that are not connected to the public internet are still exploitable through these vulnerabilities. For example, consider SAP NetWeaver applications (Java/ABAP) that are simply reachable over HTTP, or any SAP application sitting behind the SAP Web Dispatcher.
3. All Onapsis Assess and/or Defend customers already have the capability to protect their organizations against these critical issues.
The Onapsis Platform includes vulnerability assessment capabilities, detection rules, and alarms to continuously monitor for malicious activity targeting these specific vulnerabilities as well as thousands of others. With the first release of February 2022 (2.2022.021), all Onapsis customers with Onapsis Assess and/or Onapsis Defend have the capability to protect their organizations against these critical issues. If you have any questions, please do not hesitate to reach out to your Onapsis representative.
4. All SAP customers have access to a free ICMAD scanning tool from Onapsis.
Given the criticality of these vulnerabilities, Onapsis wants to ensure that every SAP customer can check whether the SAP applications across their landscape are vulnerable to ICMAD. Onapsis Research Labs has created a free vulnerability scanning tool that allows any SAP customer to scan their systems and understand their risk exposure. This will help every SAP customer better prioritize the steps needed to protect their business-critical SAP applications affected by these vulnerabilities.
You can download this free application here.
5. All SAP customers should apply the Security Notes as soon as possible.
Threat actors have the knowledge and capabilities to compromise unprotected business applications. Prior threat intelligence from SAP, CISA, and Onapsis demonstrated that threat actors launch sophisticated attacks on business-critical SAP applications within 72 hours of the release of an SAP Security Note. With both this and the severity of these vulnerabilities in mind, SAP, Onapsis, and CISA recommend that impacted organizations prioritize applying the SAP HotNews Security Notes #3123396 and #3123427 to their affected SAP applications immediately.
For all SAP customers not currently using the Onapsis Platform, use our open-source tool to scan your systems for these vulnerabilities, or schedule a complimentary 1:1 security briefing with an Onapsis expert to assess your potential exposure.
- For a deeper dive into the ICMAD vulnerabilities, download our threat report.
- Watch Now: Onapsis and SAP Executive Briefing on Mitigating the ICMAD SAP Vulnerabilities
- Onapsis Research Labs created a free vulnerability scanning tool that will allow SAP customers to scan for applications across their SAP landscape that are affected by the ICMAD vulnerabilities.
- If you are not an Onapsis customer, or need more information or assistance to respond to this situation, request a security briefing here.