CISA added SAP flaw to its Known Exploited Vulnerabilities Catalog

Pierluigi Paganini August 19, 2022

US CISA added a critical SAP flaw to its Known Exploited Vulnerabilities Catalog after its details were disclosed at the Black Hat and Def Con conferences.

The US Cybersecurity and Infrastructure Security Agency (CISA) added a critical SAP vulnerability, tracked as CVE-2022-22536, to its Known Exploited Vulnerabilities Catalog a few days after researchers shared details about the issue at the Black Hat and Def Con hacker conferences.

CVE-2022-22536 is a memory pipes (MPI) desynchronization vulnerability named Internet Communication Manager Advanced Desync (ICMAD).

Internet Communication Manager Advanced Desync (ICMAD) is a memory pipes (MPI) desynchronization vulnerability tracked as CVE-2022-22536. The issue was disclosed in February 2022, an unauthenticated remote attacker could exploit this issue by sending a simple HTTP request to a vulnerable instance and take over it. The flaw received a CVSSv3 score of 10.0.

The US agency warned that this issue could expose organizations to a broad range of attacks, including data theft, financial fraud risks, disruptions of mission-critical business processes, ransomware attacks, and a halt of all operations.

“On February 8, 2022, SAP released security updates to address vulnerabilities affecting multiple products, including critical vulnerabilities affecting SAP applications using SAP Internet Communication Manager (ICM). SAP applications help organizations manage critical business processes—such as enterprise resource planning, product lifecycle management, customer relationship management, and supply chain management.” reads the advisory published by CISA.

In February, security researchers from Onapsis, in coordination with SAP, published a Threat Report that provides technical details about three critical vulnerabilities (CVE-2022-22536, CVE-2022-22532 and CVE-2022-22533) that affected Internet Communication Manager (ICM), which is a core component of SAP business applications.

“The ICMAD vulnerabilities are particularly critical because the issues exist by default in the SAP Internet Communication Manager (ICM). The ICM is one of the most important components of an SAP NetWeaver application server: It is present in most SAP products and is a critical part of the overall SAP technology stack, connecting SAP applications with the Internet.” reads the Threat Report.

“Malicious actors can easily leverage the most critical vulnerability (CVSSv3 10.0) in unprotected systems; the exploit is simple, requires no previous authentication, no preconditions are necessary, and the payload can be sent through HTTP(S), the most widely used network service to access SAP applications.”

Onapsis also released an open-source tool, named “onapsis icmad scanner to scan systems for ICMAD vulnerabilities.

According to Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities, FCEB agencies have to address the identified vulnerabilities by the due date to protect their networks against attacks exploiting the flaws in the catalog.

Experts recommend also private organizations review the Catalog and address the vulnerabilities in their infrastructure.

Last week, Onapsis researcher Martin Doyhenard shared details of the issue at the Black Hat conference (on August 10) and at the Def Con conference (on August 13). The expert presented how to exploit inter-process communication in SAP’s HTTP server.

“This paper will demonstrate how to leverage two memory corruption vulnerabilities found in SAP’s proprietary HTTP Server, using high level protocol exploitation techniques.” reads the research paper published by Onapsis. “Both, CVE-2022-22536 and CVE-2022-22532, were remotely exploitable and could be used by unauthenticated attackers to completely compromise any SAP installation on the planet. By escalating an error in the HTTP request handling process, it was possible to Desynchronize ICM data buffers and hijack every user’s account with advanced HTTP Smuggling”

CISA orders federal agencies to fix both issues by September 8, 2022.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, SAP)

[adrotate banner=”5″]

[adrotate banner=”13″]

you might also like

leave a comment