Pierluigi Paganini February 09, 2022

The US CISA warns to address a severe security vulnerability dubbed ICMAD impacting SAP business apps using ICM..

Internet Communication Manager Advanced Desync (ICMAD) is a memory pipes (MPI) desynchronization vulnerability tracked as CVE-2022-22536.

An unauthenticated remote attacker could exploit this issue by sending a simple HTTP request to a vulnerable instance and take over it. The flaw received a CVSSv3 score of 10.0.

The US Cybersecurity and Infrastructure Security Agency (CISA) warnes admins to address the ICMAD flaw affecting SAP business apps using Internet Communication Manager (ICM).

The US agency warns that this issue could expose organizations to a broad range of attacks, including data theft, financial fraud risks, disruptions of mission-critical business processes, ransomware attacks, and a halt of all operations.

“On February 8, 2022, SAP released security updates to address vulnerabilities affecting multiple products, including critical vulnerabilities affecting SAP applications using SAP Internet Communication Manager (ICM). SAP applications help organizations manage critical business processes—such as enterprise resource planning, product lifecycle management, customer relationship management, and supply chain management.” reads the advisory published by CISA.

Security researchers from Onapsis, in coordination with SAP, published a Threat Report that provides technical details about three critical vulnerabilities (CVE-2022-22536, CVE-2022-22532 and CVE-2022-22533) that affected Internet Communication Manager (ICM), which is a core component of SAP business applications.

“The ICMAD vulnerabilities are particularly critical because the issues exist by default in the SAP Internet Communication Manager (ICM). The ICM is one of the most important components of an SAP NetWeaver application server: It is present in most SAP products and is a critical part of the overall SAP technology stack, connecting SAP applications with the Internet.” reads the Threat Report.

“Malicious actors can easily leverage the most critical vulnerability (CVSSv3 10.0) in unprotected systems; the exploit is simple, requires no previous authentication, no preconditions are necessary, and the payload can be sent through HTTP(S), the most widely used network service to access SAP applications.”

Onapsis also released an open-source tool, named “onapsis icmad scanner“ to scan systems for ICMAD vulnerabilities.

The good news is that SAP is not aware of any customers’ networks compromised by exploiting the ICMAD vulnerabilities.

“SAP and Onapsis are currently unaware of known customer breaches that relate to these vulnerabilities, but strongly advises impacted organizations to immediately apply Security Note 3123396 [CVE-2022-22536] to their affected SAP applications as soon as possible.” said SAP’s Director of Security Response Vic Chung.

Follow me on Twitter: @securityaffairs and Facebook

Pierluigi Paganini

(SecurityAffairs – hacking, SAP)

[adrotate banner=”5″]

[adrotate banner=”13″]