Return of the ICMAD: Critical Vulnerabilities Affecting ICM over HTTP/2

On July 11th, 2023, following a continued monthly cadence of security patches, SAP released patches for two new vulnerabilities (CVE-2023-33987 and CVE-2023-35871), which affect one of the most critical components of SAP applications: the SAP Internet Communications Manager also known as ICM. If that sounds familiar, it should. Last year, Onapsis issued a threat advisory regarding ICMAD, a set of critical vulnerabilities affecting the ICM.  

ICMAD – High Criticality 

These two new vulnerabilities were scored as high criticality (Correction with High Priority) with CVSS scores of 7.7 to 8.6. The scores are justified based on the types of attacks that are possible through the abuse of these two vulnerabilities, which range from denial of service to the theft or modification of users’ information by targeting a vulnerable HTTP server. It’s worth noting that, like the original ICMAD vulnerabilities, all of these attacks are possible via remote access and without authentication. 

Background of ICMAD Vulnerabilities

In February 2022, SAP released patches for three vulnerabilities that affected the ICM and were significantly critical. This set of vulnerabilities was dubbed ICMAD by Onapsis due to their importance and the elevated risk requiring organizations to immediately address them. What stood out at the time for ICMAD was the complexity of these vulnerabilities, where they were exploitable in some cases directly on the HTTP server and, in other scenarios, requiring an intermediate proxy for desynchronization to happen. 

Coming back to the present day, these two most recent vulnerabilities maintain several parallels with ICMAD, since the attacks are very similar as is the level of impact. Not everyone loves sequels, but one could think about these vulnerabilities as ICMAD2.

Due to the immediate recency of the vulnerability advisories, the Onapsis Research Labs (ORL) has not yet detected active exploitation. However, generally speaking, ORL tends to observe elevated activity in the week following Patch Tuesday. Further, it is important to note that the prior set of ICMAD vulnerabilities was added to the Catalog of Known Exploited Vulnerabilities by CISA during 2022 due to active exploitation. Therefore, ORL anticipates the high likelihood of potential threat activity in the coming weeks following the release of the patches for these vulnerabilities. As always, ORL will continue to keep an eye on any elevated exploit activity and update this space accordingly.

Am I Affected?

Because the ICM is central to a large number of SAP products, it’s more than likely that a large number of organizations are potentially affected. For example, these vulnerabilities affect a large number of SAP products that use the ICM such as SAP S/4HANA, SAP ERP, SAP Web Dispatcher, and SAP HANA – just to name a few. Technically, there’s applicability to everything that sits on top of SAP NetWeaver ABAP, SAP Web Dispatcher, SAP HANA XS, and XSA. With that said, it is important to mention that because the SAP NetWeaver Application Server for Java does not support HTTP/2, these two new vulnerabilities do not affect any product based on NetWeaver Java.

Onapsis Continued Contributions to SAP Security

These two vulnerabilities were reported to SAP by the Onapsis Research Labs, driven by our continuous effort to improve the overall security of SAP products and subsequently protect SAP customers. The resulting fixes were released through the following SAP Security Notes released on July 11, 2023:

  • 3233899 – [CVE-2023-33987] Request smuggling and request concatenation vulnerability in SAP Web Dispatcher
  • 3340735 – [CVE-2023-35871] Memory Corruption vulnerability in SAP Web Dispatcher

This is one more proof point of both the importance of dedicated security research to improve the security of mission-critical applications such as SAP and how the strong partnership between SAP and Onapsis delivers the best possible results to organizations with secure applications and best-in-class products. Many thanks to the SAP PSRT team for our continued collaboration.

Workarounds and Recommendations for ICMAD2

In spite of the criticality we’ve noted above with these two vulnerabilities, it’s worth noting that there is a bright side here with these vulnerabilities that is not always possible with others. Due to the fact that these vulnerabilities affect the HTTP/2 implementation of the ICM, applications that do not have HTTP/2 enabled are considered not vulnerable to CVE-2023-33987 nor CVE-2023-35871. 

Because of this, a workaround solution to mitigate these vulnerabilities is to simply disable the support for HTTP/2 in the affected applications. This may have a performance impact (described by SAP as approximately 20%, in the released SAP Security Notes) but should remain functionally equivalent to HTTP/2.

To disable the support for HTTP/2, the profile parameter icm/HTTP/support_http2 should be set to FALSE. The location of this configuration will depend on the affected product (i.e., for the ICM in the SAP NetWeaver ABAP, it should be configured in the DEFAULT profile).

Otherwise, ORL recommends that all organizations, particularly those utilizing ICM with HTTP/2, should prioritize patching these two vulnerabilities as soon as realistically possible.