4 Things To Know About the ICMAD Vulnerabilities in SAP Business-Critical Applications
This blog was originally published by Onapsis on February 16, 2022.
Last week, we announced how Onapsis and SAP partnered on the discovery and mitigation of a set of three vulnerabilities affecting the SAP Internet Communication Manager (ICM) component in SAP business-critical applications. This set of vulnerabilities was dubbed ICMAD (“Internet Communication Manager Advanced Desync”) for short. The ICMAD vulnerabilities require immediate attention from most SAP customers, given how ubiquitous the SAP ICM is in SAP landscapes around the world.
Following the release of our threat report, Mariano Nunez, CEO at Onapsis, and Richard Puckett, CISO at SAP, held a briefing on these ICMAD SAP vulnerabilities. Watch the session or read along for four things you should know.
1. The SAP ICM is a very common and widely deployed component in SAP applications.
The SAP ICM is an important component in an SAP NetWeaver application server. It connects the SAP application to the outside world (i.e., the Internet). The SAP ICM understands and handles different protocols such as P4, IIOP, and SMTP, but one of its primary use cases is to serve as the SAP HTTP(S) server. As a result, this service is always present and exposed by default in an SAP NetWeaver Java application, and it is required to run web applications in SAP ABAP (e.g., Web Dynpro). Additionally, the SAP ICM is part of the SAP Web Dispatcher, which means that it typically sits between most SAP application servers and their clients (with those clients potentially being on the Internet).
There are three severe, network-exploitable vulnerabilities that can lead to full system takeover if leveraged by an attacker. Exploiting them is simple: no prior authentication and no preconditions are required, and the payload can be sent over HTTP(S). This means that unpatched SAP NetWeaver applications (both Java and ABAP) reachable over HTTP(S) are vulnerable, as are any applications sitting behind the SAP Web Dispatcher, such as S/4HANA.
2. An SAP application does not need to be connected to the internet for the vulnerability to be exploited.
While it’s true that the SAP ICM commonly serves as the connection to the Internet, which leaves an estimated 10,000+ Internet-facing SAP applications vulnerable, applications that are not connected to the public Internet are still exposed to these vulnerabilities. For example, consider SAP NetWeaver applications (Java/ABAP) that are simply reachable over HTTP, or any SAP application sitting behind the SAP Web Dispatcher.
3. All SAP Customers have access to a free ICMAD scanning tool.
Given the criticality of these vulnerabilities, we want to make sure that every SAP customer can check whether the SAP applications across their landscape are vulnerable to ICMAD. Onapsis Research Labs has created a free vulnerability scanning tool that allows any SAP customer to scan their systems and understand their risk exposure. This will help every SAP customer better prioritize the steps needed to protect their business-critical SAP applications affected by these vulnerabilities.
You can download this free application here.
4. All SAP customers should apply the Security Notes as soon as possible.
Threat actors have the knowledge and capabilities to compromise unprotected business applications. Prior threat intelligence from SAP, CISA, and Onapsis has shown that threat actors launch sophisticated attacks on business-critical SAP applications within 72 hours of the release of an SAP Security Note. With both this and the severity of these vulnerabilities in mind, SAP, Onapsis, and CISA recommend that impacted organizations prioritize applying SAP HotNews Security Notes #3123396 and #3123427 to their affected SAP applications immediately.
All SAP customers can use our open-source tool to scan their systems for these vulnerabilities.