CISA Warns To Patch Critical ICMAD Vulnerabilities In SAP Internet Communication Manager (ICM)

On February Patch Tuesday, SAP released security updates to patch vulnerabilities affecting multiple SAP products, including critical vulnerabilities affecting SAP applications that use the Internet Communication Manager (ICM). The ICM is one of the most important components of an SAP NetWeaver application server: it is present in most SAP products and is a critical part of the overall SAP technology stack, connecting SAP applications with the Internet.

SAP applications help organizations manage critical business processes such as enterprise resource planning, product lifecycle management, customer relationship management, and supply chain management.

Additionally, the Onapsis Research Labs and the SAP Product Security Response Team (PSRT) collaborated to discover and patch three critical vulnerabilities, collectively named the ICMAD vulnerabilities and identified as CVE-2022-22536, CVE-2022-22532, and CVE-2022-22533. The team also released a Threat Report addressing them. The Cybersecurity and Infrastructure Security Agency (CISA) likewise urged organizations to patch these severe security flaws, dubbed ICMAD (Internet Communication Manager Advanced Desync), which impact SAP business applications using the Internet Communication Manager (ICM). CISA cited impacts such as data theft, financial fraud risks, disruption of mission-critical business processes, ransomware attacks, and a halt of all operations.

ICMAD Vulnerabilities

  • CVE-2022-22536: HTTP Request Smuggling vulnerability that received the highest possible CVSSv3 score of 10.0. This CVE is considered the most critical of the three ICMAD vulnerabilities. An unauthenticated, remote attacker could exploit the vulnerability with a simple HTTP request containing arbitrary data. A successful attack could result in the complete compromise of the confidentiality, integrity, and availability of the system.

Affected Products: SAP NetWeaver and ABAP Platform, SAP Web Dispatcher, SAP Content Server

  • CVE-2022-22532: HTTP Request Smuggling vulnerability with a CVSSv3 score of 8.1. An unauthenticated remote attacker could exploit the vulnerability using a crafted HTTP server request that triggers improper shared memory buffer handling. A successful attack could allow the attacker to impersonate the victim or even steal the victim's login session.

Affected Products: SAP NetWeaver Application Server Java

  • CVE-2022-22533: Use After Free vulnerability with a CVSSv3 score of 7.5. An unauthenticated remote attacker could submit multiple HTTP server requests that result in errors, exhausting all available memory resources. Successful exploitation leads to denial of service.

Affected Products: SAP NetWeaver Application Server Java

Proof of Concept

Onapsis security researchers developed and published an open-source tool on GitHub to help SAP customers protect their applications by enabling them to assess their exposure and evaluate whether their SAP applications using ICM are affected by CVE-2022-22536.

Solution

As part of its monthly Security Patch Day, SAP published HotNews Security Notes to address CVE-2022-22536 and CVE-2022-22532. Both SAP and Onapsis advise impacted organizations to prioritize applying the security notes to their affected SAP applications immediately.

Patched versions

  • SAP Web Dispatcher – 7.49, 7.53, 7.77, 7.81, 7.85, 7.22EXT, 7.86, 7.87
  • SAP Content Server – 7.53
  • SAP NetWeaver and ABAP Platform – KERNEL 7.22, 8.04, 7.49, 7.53, 7.77, 7.81, 7.85, 7.86, 7.87, KRNL64UC 8.04, 7.22, 7.22EXT, 7.49, 7.53, KRNL64NUC 7.22, 7.22EXT, 7.49

Patched versions

  • SAP NetWeaver Application Server Java – KRNL64NUC 7.22, 7.22EXT, 7.49, KRNL64UC 7.22, 7.22EXT, 7.49, 7.53, KERNEL 7.22, 7.49, 7.53
