SAP systems are getting breached as attackers wake up to CVSS 10 bug
A critical SAP vulnerability dubbed ICMAD with a maximum CVSS score of 10 that was first reported in February is being exploited in the wild. (Cynics would be forgiven for wondering whether it took attackers longer than usual to notice the vulnerability or defenders until now to notice that their systems were getting breached.)
The vulnerability, allocated CVE-2022-22536, was added to CISA’s Known Exploited Vulnerabilities Catalog along with seven other software bugs late on Thursday (August 18, 2022). The critical SAP vulnerability was initially reported earlier this year by Onapsis, which warned at the time that threat actors are “launching sophisticated attacks on business-critical SAP applications within 72 hours of the release of an SAP Security Note…”
The vulnerability is in the SAP Internet Communication Manager (ICM) which connects other SAP applications to the internet and as a result affects a whole host of SAP enterprise software products, many of which compromise a critical part of the enterprise IT stack and act as a spine for misssion critical applications. (Initial scans in February when it was first disclosed had suggested that ~10,000 instances were publicly exposed to the internet.)
CVE-2022-22536 exploits have circulated in the wild since February. Onapsis at the time made a “a best-effort, black-box” scanner freely available as a Python script to check if your SAP application are vulnerable.
As CISA noted this week: “SAP NetWeaver Application Server ABAP, SAP NetWeaver Application Server Java, ABAP Platform, SAP Content Server and SAP Web Dispatcher allow HTTP request smuggling.
“An unauthenticated attacker can prepend a victim’s request with arbitrary data, allowing for function execution impersonating the victim or poisoning intermediary Web caches…”
As Onapsis noted in February “even though the ICM can understand and handle different protocols such as P4, IIOP, SMTP, and others, one of its core purposes is to work as the SAP HTTP(S) server. This service is always present and exposed by default in an SAP Java stack and is required to run web applications in SAP ABAP (Web Dynpro) and S/4HANA systems.
“Additionally, the SAP ICM is part of the SAP Web Dispatcher, which means that it typically sits between most SAP application servers and the clients” (potentially, the Internet).
The Stack noted at the time that Onapsis’ security advisory on CVE-2022-22536 gives enough details for offensive security researchers to work up an exploit — detailing how the HTTP smuggling vulnerability involves desynchronization of Message Passing Interface (MPI) buffers between the ICM and the backend (Java/ABAP) processes. Unpatched users should check for evidence of exploitation and patch.