Priority: High – CVSS 10
Executive Summary:
German enterprise software maker SAP and the US Cybersecurity and Infrastructure Security Agency issued security advisories on Tuesday 8th February to warn SAP customers to install the company’s February security patches as soon as possible in order to prevent the exploitation of a major vulnerability in a ubiquitous SAP component.
Tracked as CVE-2022-22536, the vulnerability was discovered by cloud security firm Onapsis and impacts the SAP Internet Communication Manager (ICM).
The main purpose of this component is to provide a working HTTPS web server for all SAP products that need to be connected to the internet or talk to each other via HTTP/S, meaning that if a vulnerability is present in its code, entire SAP products are exposed to attacks 24/7.
In a report published yesterday, Onapsis said that CVE-2022-22536 is a dangerous bug, allowing attackers to use malformed packets that trick SAP servers into exposing sensitive data without the attacker needing to authenticate.
The attack, known as HTTP request smuggling, could be used to steal credentials and session information from unpatched SAP servers, even if servers are placed behind proxies. Onapsis has reported:
Impacted organisations could experience:
- theft of sensitive data
- financial fraud
- disruption of mission-critical business processes
- Ransomware
- halt of all operations
Affected Products:
- SAP Web Dispatcher, Versions – 7.49, 7.53, 7.77, 7.81, 7.85, 7.22EXT, 7.86, 7.87
- SAP Content Server, Version – 7.53
- SAP NetWeaver and ABAP Platform, Versions – KERNEL 7.22, 8.04, 7.49, 7.53, 7.77, 7.81, 7.85, 7.86, 7.87, KRNL64UC 8.04, 7.22, 7.22EXT, 7.49, 7.53, KRNL64NUC 7.22, 7.22EXT, 7.49
Recommendations:
To increase cyber resilience against this vulnerability, ITC recommends installing the latest patch released by SAP on 8 February 2022 as a priority. The patch is covered under Note# 3123396 on the SAP security patch wiki.
Onapsis have also released a Python script so SAP customers can test their setups and see if they are vulnerable to attacks.
Customers should act quickly to apply these measures. Further details are available in the URLs cited in this Threat Horizon’s sources.
React:
ITC’s Sentinel SIEM service actively monitors for indications of attackers who may leverage vulnerabilities such as these to gain access to customer networks and our analysts carry out proactive threat hunting to search for related indicators of compromise.
Sources:
- https://www.cisa.gov/uscert/ncas/current-activity/2022/02/08/critical-vulnerabilities-affecting-sap-applications-employing
- https://wiki.scn.sap.com/wiki/display/PSR/SAP+Security+Patch+Day+-+February+2022
- https://github.com/Onapsis/onapsis_icmad_scanner
- https://therecord.media/cisa-and-sap-warn-about-major-vulnerability/