
ICMAD: Critical Vulnerabilities in SAP Business Applications Require Immediate Attention

Blog Article Published: 02/14/2022

This blog was originally published by Onapsis on February 8, 2022.

Written by JP Perez-Etchegoyen and the Onapsis Research Labs.

Detailed research from the Onapsis Research Labs throughout 2021 around HTTP Response Smuggling led to the recent discovery of a set of extremely critical vulnerabilities affecting SAP applications actively using the SAP Internet Communication Manager (ICM) component, which we have collectively dubbed ICMAD (Internet Communication Manager Advanced Desync), for short. This discovery will require immediate attention by most SAP customers, given the widespread usage of the vulnerable technology component in SAP landscapes around the world.

Download the Report: Onapsis and SAP Partner to Discover and Patch Critical ICMAD Vulnerabilities

The Background

First, let’s provide a quick summary of the SAP Internet Communication Manager (ICM). The ICM is one of the most important components of an SAP NetWeaver application server. This component is present in most SAP products and is a critical part of the overall SAP technology stack, connecting SAP applications with the Internet. One of its core purposes is to serve as the SAP HTTP(S) server, which means that this service is always present and exposed by default in SAP NetWeaver Java applications and is a requirement for running web applications in SAP ABAP (e.g., Web Dynpro). Additionally, the SAP ICM is a building block of the SAP Web Dispatcher, which means that it typically sits between most SAP application servers and their clients (with the “clients” potentially being “the Internet”).

What was discovered? We identified three severe, network-exploitable vulnerabilities that could lead to full system takeover if leveraged by an attacker. Abusing these vulnerabilities could be simple for an attacker, as doing so requires no previous authentication and no preconditions, and the payload can be sent through HTTP(S). The worst of these vulnerabilities was given the highest CVSSv3 score of 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H).

For this most critical vulnerability, SAP NetWeaver applications (Java / ABAP) that are reachable through HTTP(S) are potentially vulnerable, as is any application sitting behind SAP Web Dispatcher. Examples of potentially vulnerable applications include SAP ERP, SAP Business Suite, SAP S/4HANA, and SAP Enterprise Portal, to name a few.

ICMAD: Critical, Network-Exploitable Vulnerabilities

This set of critical vulnerabilities, namely CVE-2022-22536, CVE-2022-22532 and CVE-2022-22533, were discovered and reported to SAP by the Onapsis Research Labs. CVE-2022-22536 scored the highest with a CVSSv3 of 10.0. It can be abused to compromise any SAP NetWeaver-based Java or ABAP application with default configurations. What’s most troubling is that this can be achieved using a single request through the commonly exposed HTTP(S) service, and no authentication is required.

We were able to validate that attackers could use these vulnerabilities in the ICM to hijack arbitrary SAP users’ requests (including their sessions) and subsequently take over the SAP application. In addition, using the new “HTTP Response Smuggling” techniques, attackers could control responses sent by the SAP application and persist the attack. This means that with a single request, an attacker could steal every victim’s session and credentials in plain text and modify the behavior of the applications.

CVE-2022-22536 is exploitable when an HTTP(S) proxy sits between clients and the backend SAP system, which is the most common scenario for HTTP(S) access in any productive landscape. We validated that attackers could also exploit CVE-2022-22532, rated with a CVSSv3 score of 8.1, in the absence of a proxy. The combination of both vulnerabilities makes it possible to compromise SAP NetWeaver Java systems regardless of the use of proxies. For this reason, unpatched SAP systems should be considered vulnerable.

The Potential Business Impact

What makes these vulnerabilities especially critical for SAP customers is that the issues are present by default in the ICM component (hence, SAP NetWeaver, S/4HANA, and SAP Web Dispatcher). Furthermore, a number of other facts magnify the risk:

  • Detection: It’s challenging to differentiate a malicious request from a perfectly normal, benign request;
  • Impact: Exploiting ICMAD could lead to a full system takeover, as well as other confidentiality, integrity, and availability threats to business-critical SAP applications;
  • Exploitation: They require no previous authentication, the exploitation is very simple, and no preconditions are necessary; and
  • Attack Surface: The payloads can be sent through HTTP(S), affecting a number of core components that are intended to connect SAP systems to the “outside world”.

A simple HTTP request, indistinguishable from any other valid message and without any kind of authentication, is enough for a successful exploitation.

Consequently, these vulnerabilities are easy for attackers to exploit and extremely hard for security technology such as firewalls or IDS/IPS to detect (as the request does not present a malicious payload).

Due to the wide range of affected SAP applications, it’s easy to project a number of impact scenarios that could challenge, disrupt, or expose an organization, depending on the intention of the attacking threat actor group. Specific impact, of course, will vary depending on the affected system(s), but successful exploitation of the vulnerabilities could allow an attacker to perform several malicious actions affecting the enterprise. For example:

  • Hijack of user identities, theft of all user credentials and personal information
  • Exfiltration of sensitive or confidential corporate information
  • Fraudulent transactions and financial harm
  • Change of banking details in a financial system of record
  • Internal denial of service attack that disrupts critical systems for the business

It’s worth noting that, at many organizations, SAP applications fall under the purview of specific industry and governmental regulations, as well as financial and other compliance requirements. Unfortunately, this means that the mere presence of known vulnerabilities in SAP applications that could allow unauthenticated, unfettered access may constitute a deficiency in IT controls for data privacy (e.g., GDPR), financial reporting (e.g., SOX), or industry-specific regulations (e.g., PCI-DSS). Any enforced controls that are bypassed via exploitation of these vulnerabilities may cause regulatory and compliance deficiencies over critical areas.

With that in mind, it’s worth connecting with internal risk, compliance, and legal teams in your organization regarding specific regulatory and other compliance requirements that may apply to your organization.

Again, we’re talking about the ability for a malicious actor to potentially achieve full system takeover, so the critical severity shouldn’t be understated or underestimated, especially when one considers both the highly sophisticated attacks continuously observed in the wild and the recent research report from Sygnia on Elephant Beetle, a threat actor group that plays a persistent, long attack game, hiding in enterprise infrastructure.

Recommendations

Onapsis would like to extend special thanks to the SAP Product Security Response Team (PSRT) for their collaboration and timely response. As a result of this collaboration and the tireless work of the SAP PSRT, SAP was able to release HotNews Security Notes 3123396 and 3123427 as part of their regular monthly Security Patch Day today (February 8, 2022).

We recommend analyzing the impact that the issues described above can have on your landscape (specifically considering if you have SAP systems exposed to the Internet or to untrusted networks) and applying the notes as soon as possible. For additional guidance about available workarounds for these vulnerabilities, SAP customers should check the References and Workarounds section in the corresponding SAP Security Notes.

Given the criticality of these vulnerabilities, especially in light of our increasingly interconnected world, every SAP customer should have the ability to check to see if they are exposed in order to take steps to protect their business-critical SAP applications. The Onapsis Research Labs have created a free vulnerability scanning tool that will allow any SAP customer to scan for applications across their SAP landscape that are affected by these vulnerabilities.

You can download this free application here.

Closing Thoughts

The aforementioned vulnerabilities present a critical risk to all unprotected SAP applications that are not patched with the corresponding SAP Security Notes. Without taking prompt action to mitigate the risk, it’s possible for an unauthenticated attacker to fully compromise any unpatched SAP system in a simple way.

These notes are rated with the highest CVSS scores and affect commonly deployed components in multiple, widely deployed products from SAP. This is partly due to the fact that the affected components, by design, are intended to be exposed to the Internet, thereby greatly increasing the risk that any attacker, with access to the HTTP(S) port of a Java or ABAP system, could take over the applications and, in some circumstances, even the host OS.

Threat intelligence from SAP, CISA, and Onapsis has demonstrated that threat actors have the knowledge, the technology, and the sophistication to launch complex attacks directly against business-critical applications such as SAP. Generally, we see attacks begin within 72 hours of the release of an SAP Security Note. (Recently, we saw Log4j attacks occur within 24 hours of the public disclosure, so the window for defense is small.)

These vulnerabilities potentially offer easy ingress for malicious actors. As a result, SAP and Onapsis believe that all unpatched SAP applications are vulnerable. The U.S. Department of Homeland Security Cybersecurity and Infrastructure Security Agency (CISA) has issued a Current Activity Alert relating to these vulnerabilities. CISA, SAP, and Onapsis strongly advise that all impacted organizations should apply these security notes as soon as possible, prioritizing those affected systems exposed to untrusted networks, such as the Internet.

ICMAD Resources

  • For a deeper dive into the ICMAD vulnerabilities, download our threat report.
  • Join our joint on-demand webinar with SAP to learn more about the ICMAD vulnerabilities.
  • Onapsis Research Labs created a free vulnerability scanning tool that will allow SAP customers to scan for applications across their SAP landscape that are affected by the ICMAD vulnerabilities.
