In SAP NetWeaver Application Server Java, versions KRNL64NUC 7.22, 7.22EXT, 7.49; KRNL64UC 7.22, 7.22EXT, 7.49, 7.53; KERNEL 7.22, 7.49, 7.53, an unauthenticated attacker could submit a crafted HTTP server request that triggers improper shared memory buffer handling. This could allow the malicious payload to be executed and hence execute functions that impersonate the victim or even steal the victim's logon session.
{"cve": [{"lastseen": "2023-12-06T15:08:45", "description": "In SAP NetWeaver Application Server Java - versions KRNL64NUC 7.22, 7.22EXT, 7.49, KRNL64UC, 7.22, 7.22EXT, 7.49, 7.53, KERNEL 7.22, 7.49, 7.53, an unauthenticated attacker could submit a crafted HTTP server request which triggers improper shared memory buffer handling. This could allow the malicious payload to be executed and hence execute functions that could be impersonating the victim or even steal the victim's logon session.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-02-09T23:15:00", "type": "cve", "title": "CVE-2022-22532", "cwe": ["CWE-444"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22532"], "modified": "2022-09-30T13:20:00", "cpe": ["cpe:/a:sap:netweaver_application_server_java:krnl64uc_7.22", "cpe:/a:sap:netweaver_application_server_java:krnl64nuc_7.22", "cpe:/a:sap:netweaver_application_server_java:krnl64uc_7.22ext", "cpe:/a:sap:netweaver_application_server_java:7.22", "cpe:/a:sap:netweaver_application_server_java:7.49", "cpe:/a:sap:netweaver_application_server_java:krnl64nuc_7.49", 
"cpe:/a:sap:netweaver_application_server_java:7.53", "cpe:/a:sap:netweaver_application_server_java:krnl64uc_7.49", "cpe:/a:sap:netweaver_application_server_java:krnl64nuc_7.22ext"], "id": "CVE-2022-22532", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-22532", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:a:sap:netweaver_application_server_java:krnl64nuc_7.22:*:*:*:*:*:*:*", "cpe:2.3:a:sap:netweaver_application_server_java:krnl64nuc_7.22ext:*:*:*:*:*:*:*", "cpe:2.3:a:sap:netweaver_application_server_java:krnl64nuc_7.49:*:*:*:*:*:*:*", "cpe:2.3:a:sap:netweaver_application_server_java:7.22:*:*:*:*:*:*:*", "cpe:2.3:a:sap:netweaver_application_server_java:7.53:*:*:*:*:*:*:*", "cpe:2.3:a:sap:netweaver_application_server_java:7.49:*:*:*:*:*:*:*", "cpe:2.3:a:sap:netweaver_application_server_java:krnl64uc_7.22:*:*:*:*:*:*:*", "cpe:2.3:a:sap:netweaver_application_server_java:krnl64uc_7.49:*:*:*:*:*:*:*", "cpe:2.3:a:sap:netweaver_application_server_java:krnl64uc_7.22ext:*:*:*:*:*:*:*"]}], "nessus": [{"lastseen": "2023-07-05T14:13:45", "description": "SAP NetWeaver Application Server Java is vulnerable to HTTP request smuggling.\n\n - An unauthenticated attacker could submit a crafted HTTP server request which triggers improper shared memory buffer handling. This could allow the malicious payload to be executed and hence execute functions that could be impersonating the victim or even steal the victim's logon session. (CVE-2022-22532)\n\n - Due to improper error handling, an attacker could submit multiple HTTP server requests resulting in errors, such that it consumes the memory buffer. 
This could result in system shutdown rendering the system unavailable.\n (CVE-2022-22533)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2022-02-09T00:00:00", "type": "nessus", "title": "SAP NetWeaver AS Java Multiple Vulnerabilities (ICMAD)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2022-22532", "CVE-2022-22533"], "modified": "2022-12-05T00:00:00", "cpe": ["cpe:/a:sap:netweaver_application_server"], "id": "SAP_NETWEAVER_AS_JAVA_3123427.NASL", "href": "https://www.tenable.com/plugins/nessus/157847", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable, Inc.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(157847);\n script_version(\"1.5\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/12/05\");\n\n script_cve_id(\"CVE-2022-22532\", \"CVE-2022-22533\");\n script_xref(name:\"IAVA\", value:\"2022-A-0063\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2022-0006\");\n\n script_name(english:\"SAP NetWeaver AS Java Multiple Vulnerabilities (ICMAD)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote SAP NetWeaver application server is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"SAP NetWeaver Application Server Java is vulnerable to HTTP request smuggling.\n\n - An unauthenticated attacker could submit a crafted HTTP server request which triggers improper shared memory \n buffer handling. This could allow the malicious payload to be executed and hence execute functions that could \n be impersonating the victim or even steal the victim's logon session. (CVE-2022-22532)\n\n - Due to improper error handling, an attacker could submit multiple HTTP server requests resulting in errors, \n such that it consumes the memory buffer. 
This could result in system shutdown rendering the system unavailable.\n (CVE-2022-22533)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n # https://blogs.sap.com/2022/02/08/sap-partners-with-onapsis-to-identify-and-patch-cybersecurity-vulnerabilities/\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?f0c19cc7\");\n script_set_attribute(attribute:\"see_also\", value:\"https://launchpad.support.sap.com/#/notes/3123427\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply the appropriate patch according to the vendor advisory.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2022-22532\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2022/02/08\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2022/02/08\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2022/02/09\");\n\n script_set_attribute(attribute:\"potential_vulnerability\", value:\"true\");\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:sap:netweaver_application_server\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Web Servers\");\n\n script_copyright(english:\"This script is Copyright (C) 2022 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"sap_netweaver_as_web_detect.nbin\");\n script_require_keys(\"installed_sw/SAP Netweaver Application Server (AS)\", \"Settings/ParanoidReport\");\n script_require_ports(\"Services/www\", 80, 443, 8000, 50000);\n\n exit(0);\n}\n\ninclude('vcf_extras_sap.inc');\n\nvar app_info = vcf::sap_netweaver_as::get_app_info(kernel:TRUE);\n\n# it only affects AS Java, but we have to check the kernel version\nif (empty_or_null(app_info['AS Java Version']))\n vcf::audit(app_info);\n\nif (report_paranoia < 2)\n audit(AUDIT_PARANOID);\n\nvar fix = 'See vendor advisory';\n\n# Kernel constraints\nvar constraints = [\n {'equal' : '7.22', 'fixed_display' : fix },\n {'equal' : '7.49', 'fixed_display' : fix },\n {'equal' : '7.53', 'fixed_display' : fix }\n ];\n\nvcf::sap_netweaver_as::check_version_and_report(\n app_info:app_info,\n constraints:constraints,\n severity:SECURITY_HOLE,\n kernel:TRUE\n);\n", "cvss": {"score": 0.0, "vector": "NONE"}}], "cisa": [{"lastseen": "2022-02-12T11:27:58", "description": "On February 8, 2022, SAP released [security updates](<https://wiki.scn.sap.com/wiki/display/PSR/SAP+Security+Patch+Day+-+February+2022>) to address vulnerabilities affecting multiple products, including critical vulnerabilities affecting SAP applications using SAP Internet Communication Manager (ICM). SAP applications help organizations manage critical business processes\u2014such as enterprise resource planning, product lifecycle management, customer relationship management, and supply chain management. 
Impacted organizations could experience:\n\n * theft of sensitive data,\n * financial fraud,\n * disruption of mission-critical business processes,\n * ransomware, and\n * halt of all operations.\n\nAdditionally, security researchers from Onapsis, in coordination with SAP, released a [Threat Report](<https://onapsis.com/icmad-sap-cybersecurity-vulnerabilities?utm_campaign=2022-Q1-global-ICM-campaign-page&utm_medium=website&utm_source=third-party&utm_content=CISA-alert>) describing SAP ICM critical vulnerabilities, CVE-2022-22536, CVE-2022-22532 and CVE-2022-22533. Onapsis also provides an [open source tool](<https://github.com/Onapsis/onapsis_icmad_scanner>) to identify if a system is vulnerable and needs to be patched.\n\nCISA recommends operators of SAP systems review [SAP\u2019s February 2022 Security Updates page](<https://wiki.scn.sap.com/wiki/display/PSR/SAP+Security+Patch+Day+-+February+2022>), the [Onapsis Research Labs Threat Report: SAP ICMAD Vulnerabilities](<https://onapsis.com/icmad-sap-cybersecurity-vulnerabilities?utm_campaign=2022-Q1-global-ICM-campaign-page&utm_medium=website&utm_source=third-party&utm_content=CISA-alert>), and the [Onapsis GitHub page](<https://github.com/Onapsis/onapsis_icmad_scanner>) for more information and apply necessary updates and mitigations.\n\nThis product is provided subject to this Notification and this [Privacy & Use](<https://www.dhs.gov/privacy-policy>) policy.\n\n**Please share your thoughts.**\n\nWe recently updated our anonymous [product survey](<https://www.surveymonkey.com/r/CISA-cyber-survey?product=https://us-cert.cisa.gov/ncas/current-activity/2022/02/08/critical-vulnerabilities-affecting-sap-applications-employing>); we'd welcome your feedback.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": 
"NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-02-08T00:00:00", "type": "cisa", "title": "Critical Vulnerabilities Affecting SAP Applications Employing Internet Communication Manager (ICM)", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22532", "CVE-2022-22533", "CVE-2022-22536"], "modified": "2022-02-08T00:00:00", "id": "CISA:C491359F9996B7AF8A31AD01C810E384", "href": "https://us-cert.cisa.gov/ncas/current-activity/2022/02/08/critical-vulnerabilities-affecting-sap-applications-employing", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "threatpost": [{"lastseen": "2022-02-14T09:32:54", "description": "There\u2019s a trio of critical vulnerabilities, fixed on Tuesday, in SAP business applications that use the ubiquitous Internet Communication Manager (ICM): the component that gives SAP products the HTTPS web server they need to connect to the internet or talk to each other.\n\nThe vulnerabilities, discovered by Onapsis Research Labs, are tracked as CVE-2022-22536, CVE-2022-22532 and CVE-2022-22533. The first CVE, addressed in [Security Note 3123396](<https://launchpad.support.sap.com/>), received the tip-top risk score \u2013 a 10 out of 10. The other two CVEs received scores of 8.1 and 7.5, respectively.\n\nThe issues are severe enough that the U.S. 
Cybersecurity and Infrastructure Security Agency (CISA) issued a [security advisory](<https://www.cisa.gov/uscert/ncas/current-activity/2022/02/08/critical-vulnerabilities-affecting-sap-applications-employing>) about them this week. And, in a [blog post](<https://blogs.sap.com/2022/02/08/sap-partners-with-onapsis-to-identify-and-patch-cybersecurity-vulnerabilities/>), SAP director of security response Vic Chung confirmed the severity of Onapsis\u2019 findings. He said that if they aren\u2019t remediated, the bugs \u2013 aka \u201cICMAD\u201d \u2013 \u201cwill enable attackers to execute serious malicious activity on SAP users, business information and processes.\u201d\n\nSpecifically, successful exploitation could lead to this frightening laundry list of cybersecurity hazards:\n\n * Hijack of user identities, theft of all user credentials and personal information\n * Exfiltration of sensitive or confidential corporate information\n * Fraudulent transactions and financial harm\n * Change of banking details in a financial system of record\n * Denial-of-service attack that disrupts critical systems for the business\n\nOnapsis, which specializes in security for SAP, Oracle, Salesforce and other software-as-a-service (SaaS) platforms, joined SAP in coordinating the release of[ a Threat Report](<https://onapsis.com/icmad-sap-cybersecurity-vulnerabilities?utm_campaign=2022-Q1-global-ICM-campaign-page&utm_medium=website&utm_source=third-party&utm_content=CISA-alert>) describing the critical vulnerabilities on Tuesday.\n\nThe firm estimated that there were tens of thousands \u2013 approximately 40,000 \u2013 SAP customers running more than 10,000 potentially affected, internet-exposed SAP applications at the time of disclosure.\n\nSAP and Onapsis urged customers to apply both Security Note 3123396 and [3123427](<https://t.nylas.com/t1/116/4a3z713b1kum7z18ruaq7siqk/13/51ec755ca6f695096592b0335df2b6ec4ba279684d0ae63b9df0739442312162>) without delay. 
Onapsis also provided a free, open-source vulnerability scanner tool to assist SAP customers in addressing the serious issues, available to download [here](<https://github.com/Onapsis/onapsis_icmad_scanner>).\n\n## No Known Related Breaches \u2013 Yet\n\n\u201cSince ICM is exposed to the internet and untrusted networks by design, vulnerabilities in this component have an increased level of risk,\u201d Chung said.\n\nThe ICMAD bugs are critical memory-corruption vulnerabilities that should be patched promptly, given that ICM is a core component of SAP business applications \u2013 just one flavor of the business-critical apps that threat actors are actively targeting.\n\n\u201cAs we have observed through recent threat intelligence, threat actors are actively targeting business-critical applications like SAP and have the expertise and tools to carry out sophisticated attacks,\u201d said Mariano Nunez, CEO and co-founder of Onapsis. \u201cThe discovery and patching of the ICMAD vulnerabilities as well as those previously identified by Onapsis Research Labs, such as[ RECON](<https://onapsis.com/recon-sap-cyber-security-vulnerability>) and[ 10KBLAZE](<https://onapsis.com/resources/10kblaze>), are essential to protecting the business-critical applications that power 92 percent of the Forbes Global 2000.\u201d\n\nAs of Tuesday, SAP and Onapsis weren\u2019t aware of any breaches related to the trio of bugs, but that\u2019s clearly no reason to delay in applying the updates in[ Security Note 3123396 [CVE-2022-22536]](<https://launchpad.support.sap.com/>) to affected SAP applications as soon as possible, they said.\n\n021022 13:28 UPDATE: An Onapsis spokesperson told Threatpost that as of Thursday, the team still hadn\u2019t seen either exploitation of the ICMAD flaws nor a proof of concept but that, unsurprisingly, they\u2019ve seen probes scanning for the vulnerability.\n\n## What to Do\n\nOnapsis has prepared this on-demand [recording](<https://hubs.ly/Q013KNxr0>) that 
details what to do to avoid any damage.\n\nAs well, at noon ET on Thursday, Onapsis\u2019 Nunez and SAP CISO Richard Puckett will provide a [threat briefing](<https://twitter.com/marianonunezdc/status/1491803623709310977>) about the ICMAD vulnerabilities.\n\n> Join SAP's [#CISO](<https://twitter.com/hashtag/CISO?src=hash&ref_src=twsrc%5Etfw>) Richard Puckett and me on the threat briefing about the [#icmad](<https://twitter.com/hashtag/icmad?src=hash&ref_src=twsrc%5Etfw>) vulnerabilities. Make sure you have all the info to protect your business-critical SAP applications. Today at 12pm ET. [#sap](<https://twitter.com/hashtag/sap?src=hash&ref_src=twsrc%5Etfw>) [#onapsis](<https://twitter.com/hashtag/onapsis?src=hash&ref_src=twsrc%5Etfw>) [#research](<https://twitter.com/hashtag/research?src=hash&ref_src=twsrc%5Etfw>) [#cisa](<https://twitter.com/hashtag/cisa?src=hash&ref_src=twsrc%5Etfw>) [#icm](<https://twitter.com/hashtag/icm?src=hash&ref_src=twsrc%5Etfw>) [#security](<https://twitter.com/hashtag/security?src=hash&ref_src=twsrc%5Etfw>) <https://t.co/QObvbdN6sp>\n> \n> \u2014 Mariano Nunez (@marianonunezdc) [February 10, 2022](<https://twitter.com/marianonunezdc/status/1491803623709310977?ref_src=twsrc%5Etfw>)\n\n## Internally Facing Apps Also at Risk\n\nA vulnerability in ICM exposes the business-critical data enterprises depend on SAP to manage and safeguard, pointed out Casey Bisson, head of product and developer relations at code-security provider BluBracket. That goes for internal-facing apps as well as internet-facing ones, he said, given that ICM is at the core of practically all SAP-based web applications, and that includes apps that are internal-only.\n\n\u201cEven if the applications are internal-only, there\u2019s still risk when combined with other threats, including disgruntled employees and compromised network devices,\u201d he told Threatpost via email on Thursday. 
\u201cThis is exactly the vulnerability that threat actors like ransomware operators and state operatives are looking for.\u201d\n\nSAP servers are \u201cextremely rich targets,\u201d noted Aaron Turner, vice president of software-as-a-service (SaaS) posture at AI cybersecurity company Vectra. They have \u201csignificant\u201d access to material business processes and, generally, have multiple privileged credentials stored and used on those servers, he said via email.\n\n\u201cWith the Onapsis research, they have uncovered an exploit path that allows attackers to gain access to those privileged credentials to move laterally within the on-premises network, and also pivot into the cloud as most SAP customers have federated their legacy SAP workloads with cloud-based ones,\u201d Turner explained.\n\nHe compared the potential for exploitation to that presented by [Hafnium](<https://threatpost.com/hades-ransomware-connections-hafnium/165069/>): an advanced persistent threat (APT) believed to be linked to the Chinese government that Microsoft said has carried out zero-day attacks on Microsoft Exchange servers using the group of vulnerabilities known as [ProxyLogon](<https://threatpost.com/microsoft-exchange-servers-proxylogon-patching/165001/>).\n\n\u201cJust as Hafnium allowed attackers to pivot from on-prem Exchange to M365, this SAP attack path could allow the same,\u201d Turner suggested. 
\u201cThe SAP security updates will be critical ones to install, not just to protect those on-premises SAP servers but also any systems, on-prem or cloud, that may share credentials or trust relationships with those servers.\u201d\n\nMike Parkin, engineer at enterprise cyber-risk remediation SaaS provider Vulcan Cyber, told Threatpost that regardless of the current lack of reports of ICMAD exploits, \u201cthe potential risk is high.\u201d\n\nAll the more reason for organizations that rely on the affected components to deploy the patches and other relevant mitigations \u201cas soon as is practical,\u201d he advised.\n\n_021022 12:24 UPDATE: Added input from Casey Bisson, Aaron Turner and Mike Parkin._\n\n_**Check out our free **_[_**upcoming live and on-demand online town halls**_](<https://threatpost.com/category/webinars/>)_** \u2013 unique, dynamic discussions with cybersecurity experts and the Threatpost community.**_\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-02-10T16:39:04", "type": "threatpost", "title": "SAP Patches Severe \u2018ICMAD\u2019 Bugs", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": 
false}, "cvelist": ["CVE-2021-44228", "CVE-2022-22532", "CVE-2022-22533", "CVE-2022-22536"], "modified": "2022-02-10T16:39:04", "id": "THREATPOST:DD0FE8D3D9D205FA5CCA65C3EBDD62D2", "href": "https://threatpost.com/sap-patches-severe-icmad-bugs/178344/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-02-10T17:51:24", "description": "There\u2019s a trio of critical vulnerabilities, fixed on Tuesday, in SAP business applications that use the ubiquitous Internet Communication Manager (ICM): the component that gives SAP products the HTTPS web server they need to connect to the internet or talk to each other.\n\nThe vulnerabilities, discovered by Onapsis Research Labs, are tracked as CVE-2022-22536, CVE-2022-22532 and CVE-2022-22533. The first CVE, addressed in [Security Note 3123396](<https://launchpad.support.sap.com/>), received the tip-top risk score \u2013 a 10 out of 10. The other two CVEs received scores of 8.1 and 7.5, respectively.\n\nThe issues are severe enough that the U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued a [security advisory](<https://www.cisa.gov/uscert/ncas/current-activity/2022/02/08/critical-vulnerabilities-affecting-sap-applications-employing>) about them this week. And, in a [blog post](<https://blogs.sap.com/2022/02/08/sap-partners-with-onapsis-to-identify-and-patch-cybersecurity-vulnerabilities/>), SAP director of security response Vic Chung confirmed the severity of Onapsis\u2019 findings. 
He said that if they aren\u2019t remediated, the bugs \u2013 aka \u201cICMAD\u201d \u2013 \u201cwill enable attackers to execute serious malicious activity on SAP users, business information and processes.\u201d\n\nSpecifically, successful exploitation could lead to this frightening laundry list of cybersecurity hazards:\n\n * Hijack of user identities, theft of all user credentials and personal information\n * Exfiltration of sensitive or confidential corporate information\n * Fraudulent transactions and financial harm\n * Change of banking details in a financial system of record\n * Denial-of-service attack that disrupts critical systems for the business\n\nOnapsis, which specializes in security for SAP, Oracle, Salesforce and other software-as-a-service (SaaS) platforms, joined SAP in coordinating the release of[ a Threat Report](<https://onapsis.com/icmad-sap-cybersecurity-vulnerabilities?utm_campaign=2022-Q1-global-ICM-campaign-page&utm_medium=website&utm_source=third-party&utm_content=CISA-alert>) describing the critical vulnerabilities on Tuesday.\n\nThe firm estimated that there were tens of thousands \u2013 approximately 40,000 \u2013 SAP customers running more than 10,000 potentially affected, internet-exposed SAP applications at the time of disclosure.\n\nSAP and Onapsis urged customers to apply both Security Note 3123396 and [3123427](<https://t.nylas.com/t1/116/4a3z713b1kum7z18ruaq7siqk/13/51ec755ca6f695096592b0335df2b6ec4ba279684d0ae63b9df0739442312162>) without delay. 
Onapsis also provided a free, open-source vulnerability scanner tool to assist SAP customers in addressing the serious issues, available to download [here](<https://github.com/Onapsis/onapsis_icmad_scanner>).\n\n## No Known Related Breaches \u2013 Yet\n\n\u201cSince ICM is exposed to the internet and untrusted networks by design, vulnerabilities in this component have an increased level of risk,\u201d Chung said.\n\nThe ICMAD bugs are critical memory-corruption vulnerabilities that should be patched promptly, given that ICM is a core component of SAP business applications \u2013 just one flavor of the business-critical apps that threat actors are actively targeting.\n\n\u201cAs we have observed through recent threat intelligence, threat actors are actively targeting business-critical applications like SAP and have the expertise and tools to carry out sophisticated attacks,\u201d said Mariano Nunez, CEO and co-founder of Onapsis. \u201cThe discovery and patching of the ICMAD vulnerabilities as well as those previously identified by Onapsis Research Labs, such as[ RECON](<https://onapsis.com/recon-sap-cyber-security-vulnerability>) and[ 10KBLAZE](<https://onapsis.com/resources/10kblaze>), are essential to protecting the business-critical applications that power 92 percent of the Forbes Global 2000.\u201d\n\nAs of Tuesday, SAP and Onapsis weren\u2019t aware of any breaches related to the trio of bugs, but that\u2019s clearly no reason to delay in applying the updates in[ Security Note 3123396 [CVE-2022-22536]](<https://launchpad.support.sap.com/>) to affected SAP applications as soon as possible, they said.\n\n## What to Do\n\nOnapsis has prepared this on-demand [recording](<https://hubs.ly/Q013KNxr0>) that details what to do to avoid any damage.\n\nAs well, at noon ET on Thursday, Onapsis\u2019 Nunez and SAP CISO Richard Puckett will provide a [threat briefing](<https://twitter.com/marianonunezdc/status/1491803623709310977>) about the ICMAD vulnerabilities.\n\n> Join 
SAP's [#CISO](<https://twitter.com/hashtag/CISO?src=hash&ref_src=twsrc%5Etfw>) Richard Puckett and me on the threat briefing about the [#icmad](<https://twitter.com/hashtag/icmad?src=hash&ref_src=twsrc%5Etfw>) vulnerabilities. Make sure you have all the info to protect your business-critical SAP applications. Today at 12pm ET. [#sap](<https://twitter.com/hashtag/sap?src=hash&ref_src=twsrc%5Etfw>) [#onapsis](<https://twitter.com/hashtag/onapsis?src=hash&ref_src=twsrc%5Etfw>) [#research](<https://twitter.com/hashtag/research?src=hash&ref_src=twsrc%5Etfw>) [#cisa](<https://twitter.com/hashtag/cisa?src=hash&ref_src=twsrc%5Etfw>) [#icm](<https://twitter.com/hashtag/icm?src=hash&ref_src=twsrc%5Etfw>) [#security](<https://twitter.com/hashtag/security?src=hash&ref_src=twsrc%5Etfw>) <https://t.co/QObvbdN6sp>\n> \n> \u2014 Mariano Nunez (@marianonunezdc) [February 10, 2022](<https://twitter.com/marianonunezdc/status/1491803623709310977?ref_src=twsrc%5Etfw>)\n\n## Internally Facing Apps Also at Risk\n\nA vulnerability in ICM exposes the business-critical data enterprises depend on SAP to manage and safeguard, pointed out Casey Bisson, head of product and developer relations at code-security provider BluBracket. That goes for internal-facing apps as well as internet-facing ones, he said, given that ICM is at the core of practically all SAP-based web applications, and that includes apps that are internal-only.\n\n\u201cEven if the applications are internal-only, there\u2019s still risk when combined with other threats, including disgruntled employees and compromised network devices,\u201d he told Threatpost via email on Thursday. \u201cThis is exactly the vulnerability that threat actors like ransomware operators and state operatives are looking for.\u201d\n\nSAP servers are \u201cextremely rich targets,\u201d noted Aaron Turner, vice president of software-as-a-service (SaaS) posture at AI cybersecurity company Vectra. 
They have \u201csignificant\u201d access to material business processes and, generally, have multiple privileged credentials stored and used on those servers, he said via email.\n\n\u201cWith the Onapsis research, they have uncovered an exploit path that allows attackers to gain access to those privileged credentials to move laterally within the on-premises network, and also pivot into the cloud as most SAP customers have federated their legacy SAP workloads with cloud-based ones,\u201d Turner explained.\n\nHe compared the potential for exploitation to that presented by [Hafnium](<https://threatpost.com/hades-ransomware-connections-hafnium/165069/>): an advanced persistent threat (APT) believed to be linked to the Chinese government that Microsoft said has carried out zero-day attacks on Microsoft Exchange servers using the group of vulnerabilities known as [ProxyLogon](<https://threatpost.com/microsoft-exchange-servers-proxylogon-patching/165001/>).\n\n\u201cJust as Hafnium allowed attackers to pivot from on-prem Exchange to M365, this SAP attack path could allow the same,\u201d Turner suggested. 
\u201cThe SAP security updates will be critical ones to install, not just to protect those on-premises SAP servers but also any systems, on-prem or cloud, that may share credentials or trust relationships with those servers.\u201d\n\nMike Parkin, engineer at enterprise cyber-risk remediation SaaS provider Vulcan Cyber, told Threatpost that regardless of the current lack of reports of ICMAD exploits, \u201cthe potential risk is high.\u201d\n\nAll the more reason for organizations that rely on the affected components to deploy the patches and other relevant mitigations \u201cas soon as is practical,\u201d he advised.\n\n_021022 12:24 UPDATE: Added input from Casey Bisson, Aaron Turner and Mike Parkin._\n\n_**Check out our free **_[_**upcoming live and on-demand online town halls**_](<https://threatpost.com/category/webinars/>)_** \u2013 unique, dynamic discussions with cybersecurity experts and the Threatpost community.**_\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-02-10T16:39:04", "type": "threatpost", "title": "SAP to Give Threat Briefing on Uber-Severe \u2018ICMAD\u2019 Bugs", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, 
"obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228", "CVE-2022-22532", "CVE-2022-22533", "CVE-2022-22536"], "modified": "2022-02-10T16:39:04", "id": "THREATPOST:23B6C10D7EF469BE8ED27D1C9AFB526A", "href": "https://threatpost.com/sap-threat-briefing-severe-icmad-bugs/178344/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "malwarebytes": [{"lastseen": "2022-02-14T11:27:09", "description": "German enterprise software maker SAP has patched three critical vulnerabilities affecting Internet Communication Manager (ICM), a core component of SAP business applications. Customers are urged by both [SAP](<https://blogs.sap.com/2022/02/08/sap-partners-with-onapsis-to-identify-and-patch-cybersecurity-vulnerabilities/>) and [CISA](<https://www.cisa.gov/uscert/ncas/current-activity/2022/02/08/critical-vulnerabilities-affecting-sap-applications-employing>) to address these critical vulnerabilities as soon as possible.\n\nOn February 8, SAP released 14 new security notes, and security researchers from Onapsis, in coordination with SAP, released a [Threat Report](<https://onapsis.com/icmad-sap-cybersecurity-vulnerabilities>) describing the critical SAP ICM vulnerabilities [CVE-2022-22536](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22536>), [CVE-2022-22532](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22532>), and [CVE-2022-22533](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22533>). Onapsis also provides an [open source tool](<https://github.com/Onapsis/onapsis_icmad_scanner>) to identify whether a system is vulnerable and needs to be patched.\n\n## CVE-2022-22536\n\nThe most important vulnerability in this report is CVE-2022-22536, one of the ICMAD vulnerabilities. The ICMAD vulnerabilities are particularly critical because the issues exist by default in the SAP Internet Communication Manager (ICM). The ICM is one of the most important components of a SAP NetWeaver application server and is present in most SAP products. 
It is a critical part of the overall SAP technology stack, connecting SAP applications with the Internet.\n\nCVE-2022-22536 is a request smuggling and request concatenation vulnerability in SAP NetWeaver, SAP Content Server and SAP Web Dispatcher. This vulnerability scored a [CVSS](<https://blog.malwarebytes.com/malwarebytes-news/2020/05/how-cvss-works-characterizing-and-scoring-vulnerabilities/>) rating of 10 out of 10. The high score is easy to explain. A simple HTTP request, indistinguishable from any other valid message and without any kind of authentication, is enough for a successful exploitation of the vulnerability.\n\n## Other vulnerabilities\n\nSome of the other \u201chigh scorers\u201d are [Log4j](<https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/12/log4j-zero-day-log4shell-arrives-just-in-time-to-ruin-your-weekend/>)-related vulnerabilities, and a security update for the browser control Google Chromium delivered with SAP Business Client. The other two ICMAD vulnerabilities, identified as CVE-2022-22532 and CVE-2022-22533, received scores of 8.1 and 7.5, respectively.\n\n## Scan tool\n\nOn [GitHub](<https://github.com/Onapsis/onapsis_icmad_scanner>) Onapsis published a Python script that can be used to check whether a SAP system is affected by CVE-2022-22536.\n\nA [Shodan scan](<https://www.shodan.io/search?query=server%3A+SAP+NetWeaver+Application+Server>) shows there are more than 5,000 SAP NetWeaver servers currently connected to the Internet and exposed to attacks until the patch is applied.\n\n## Mitigation\n\nSAP and Onapsis are currently unaware of any customer breaches that relate to these vulnerabilities, but strongly advise impacted organizations to apply Security Note 3123396 (which covers CVE-2022-22536) to their affected SAP applications as soon as possible.\n\nThe Cybersecurity & Infrastructure Security Agency (CISA) warned that customers who fail to do so will be exposing themselves to ransomware attacks, the theft of sensitive data, 
financial fraud, and disruption or halt of business operations.\n\nThe post [SAP customers are urged to patch critical vulnerabilities in multiple products](<https://blog.malwarebytes.com/exploits-and-vulnerabilities/2022/02/sap-customers-are-urged-to-patch-critical-vulnerabilities-in-multiple-products/>) appeared first on [Malwarebytes Labs](<https://blog.malwarebytes.com>).", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-02-10T08:58:36", "type": "malwarebytes", "title": "SAP customers are urged to patch critical vulnerabilities in multiple products", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-22532", "CVE-2021-22533", "CVE-2021-22536", "CVE-2022-22532", "CVE-2022-22533", "CVE-2022-22536"], "modified": "2022-02-10T08:58:36", "id": "MALWAREBYTES:A40F87C53D5487E9D81FB6A8F62AF633", "href": "https://blog.malwarebytes.com/exploits-and-vulnerabilities/2022/02/sap-customers-are-urged-to-patch-critical-vulnerabilities-in-multiple-products/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}]}
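The Malwarebytes write-up above names the bug class for CVE-2022-22536 (HTTP request smuggling and request concatenation, CWE-444) but, like the rest of this page, does not describe the ICM-specific malformation, and the example below does not either. The following Python is an added illustration of the general mechanism, written for this edit and not taken from Onapsis, SAP or the scanner linked above: two toy parsers, one trusting Content-Length and one trusting Transfer-Encoding, read the same constructed byte stream and disagree about where the first request ends, so the attacker's trailing bytes become a second request on the back end and the next client's request is glued onto it as its body. The paths, the hostname and the X-Token header are constructed sample data.

```python
"""
Added example (not SAP code, not the Onapsis scanner): how a framing
disagreement between two HTTP parsers in one request path (for example a
dispatcher or proxy in front of an application server) turns into request
smuggling and request concatenation. Generic CWE-444 mechanism only; the
ICM-specific trigger is not described on this page and is not shown here.
"""
from typing import Dict, List, Tuple


def _parse_headers(buf: bytes) -> Tuple[bytes, Dict[bytes, bytes], bytes]:
    """Split one message into (request line, lowercased headers, remaining bytes)."""
    head, _, rest = buf.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    headers: Dict[bytes, bytes] = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, rest


def _read_chunked(rest: bytes) -> Tuple[bytes, bytes]:
    """Consume a chunked body; return (decoded body, bytes after the terminator)."""
    body = b""
    while True:
        size_line, _, rest = rest.partition(b"\r\n")
        size = int(size_line.split(b";")[0], 16)
        if size == 0:
            _, _, rest = rest.partition(b"\r\n")  # CRLF after the zero chunk
            return body, rest
        body += rest[:size]
        rest = rest[size + 2:]  # skip the chunk data and its trailing CRLF


def split_requests(stream: bytes, honour: str) -> List[Tuple[bytes, bytes]]:
    """
    Parse a pipelined byte stream into (request line, body) pairs.
    honour="cl" models a parser that trusts Content-Length,
    honour="te" models one that trusts Transfer-Encoding: chunked.
    RFC 7230 says Transfer-Encoding wins when both are present; the bug
    class is a front end and a back end that do not agree on that.
    """
    out: List[Tuple[bytes, bytes]] = []
    rest = stream
    while rest.strip():
        reqline, headers, rest = _parse_headers(rest)
        te = headers.get(b"transfer-encoding", b"").lower()
        cl = headers.get(b"content-length")
        if honour == "te" and te == b"chunked":
            body, rest = _read_chunked(rest)
        elif cl is not None:
            n = int(cl)
            body, rest = rest[:n], rest[n:]
        else:
            body = b""
        out.append((reqline, body))
    return out


def is_ambiguous_framing(request: bytes) -> bool:
    """Generic hardening check: a message carrying both framing headers is suspect."""
    _, headers, _ = _parse_headers(request)
    return b"content-length" in headers and b"transfer-encoding" in headers


# Constructed sample traffic (hypothetical paths, host and token).
VICTIM = b"GET /next HTTP/1.1\r\nHost: app\r\nX-Token: secret\r\n\r\n"
# The smuggled request carries a Content-Length sized to swallow the victim's
# request; a real attacker would have to guess or oversize this value.
SMUGGLED = (b"GET /smuggled HTTP/1.1\r\nHost: app\r\nContent-Length: "
            + str(len(VICTIM)).encode() + b"\r\n\r\n")
PREFIX_BODY = b"0\r\n\r\n" + SMUGGLED  # chunked terminator, then the smuggled bytes
ATTACKER = (b"POST /sap/public HTTP/1.1\r\nHost: app\r\n"
            + b"Content-Length: %d\r\n" % len(PREFIX_BODY)
            + b"Transfer-Encoding: chunked\r\n\r\n" + PREFIX_BODY)
STREAM = ATTACKER + VICTIM


def demonstrate() -> Dict[str, List[Tuple[bytes, bytes]]]:
    """Return how a CL-trusting and a TE-trusting parser each see STREAM."""
    return {"cl": split_requests(STREAM, "cl"), "te": split_requests(STREAM, "te")}


if __name__ == "__main__":
    for side, reqs in demonstrate().items():
        print(side, [(r, len(b)) for r, b in reqs])
    print("ambiguous:", is_ambiguous_framing(ATTACKER))
```

The Content-Length view sees two requests (the POST with an inert body, then the victim's GET); the Transfer-Encoding view sees the POST with an empty body followed by a GET /smuggled whose body is the victim's entire request, token included. Rejecting any message that carries both framing headers, as RFC 7230 section 3.3.3 permits, closes this generic ambiguity at the edge, but it is not a substitute for SAP Security Note 3123396 and would not by itself detect the ICM issue, whose trigger this page does not describe.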