SAP Customers Warned About Critical ‘ICMAD’ Vulnerabilities

As part of its February 2022 Security Patch Day, German software maker SAP has announced the release of 13 new security notes and updates for five other security notes.

The company also released an out-of-band note, for a total of 19 security notes, to which three other notes that were released or updated since the second Tuesday of January should be added.

Eight of the 22 security notes were rated ‘Hot News’ (the highest rating in the company’s books), a record number for the company. However, four of these are updates for previously released security notes.

Three of the newly released Hot News security notes have a CVSS score of 10, while the fourth has a CVSS score of 9.1. All of the updated Hot News notes have a CVSS score of 10.

The most important of these vulnerabilities is CVE-2022-22536, a request smuggling and request concatenation issue in NetWeaver, Content Server and Web Dispatcher that could be abused to compromise any NetWeaver-based Java or ABAP application running the default configuration.

The vulnerability can be exploited with a single request delivered through the commonly exposed HTTP(S) service, without authentication, business application security firm Onapsis explains. An attacker could steal the victim’s session and credentials in plain text.

Onapsis warns that CVE-2022-22536 can be exploited in combination with a high-severity HTTP request smuggling vulnerability (CVE-2022-22532) to compromise NetWeaver Java systems.

These and a vulnerability tracked as CVE-2022-22533 are collectively tracked as ICMAD because they reside in the Internet Communication Manager (ICM) component, which is used by many SAP applications.

“CVE-2022-22536 is exploitable when an HTTP(S) proxy is sitting in between clients and the backend SAP system, which is the most common scenario for HTTP(S) access in any productive landscape. The Onapsis Research Labs validated that attackers could also exploit CVE-2022-22532 […] in the absence of a proxy. The combination of both vulnerabilities makes it possible to compromise SAP NetWeaver Java systems regardless of the use of proxies,” Onapsis says.
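The article describes the bug class (a proxy and a backend disagreeing about where one HTTP request ends and the next begins) without detailing the ICM internals. The script below is an added illustration, not code from SecurityWeek, SAP or Onapsis, of the generic defensive check that an edge proxy or WAF can apply against that class: reject requests whose body framing is ambiguous before they reach a backend. The sample requests and the `/app` path are constructed; the checks follow RFC 7230 section 3.3.3 (a message carrying both Content-Length and Transfer-Encoding, or conflicting Content-Length values, is malformed) and say nothing about how CVE-2022-22536 itself is triggered.

```python
"""Flag HTTP/1.1 requests whose body framing is ambiguous.

Added example (not the article's, SAP's or Onapsis's code). It illustrates
the general request-smuggling class the article refers to, not the
ICMAD-specific defect. All sample requests below are constructed.
"""
from typing import List, Tuple


def parse_headers(raw: bytes) -> List[Tuple[str, str, str]]:
    """Return (raw_name, normalized_name, value) for each header line.

    raw_name keeps the exact bytes before the colon so that whitespace
    games like "Transfer-Encoding : chunked" remain visible to the caller.
    """
    head = raw.split(b"\r\n\r\n", 1)[0]
    lines = head.split(b"\r\n")[1:]  # drop the request line
    headers = []
    for line in lines:
        if not line:
            continue
        name, _, value = line.partition(b":")
        raw_name = name.decode("latin-1")
        headers.append((raw_name, raw_name.strip().lower(),
                        value.strip().decode("latin-1")))
    return headers


def framing_findings(raw: bytes) -> List[str]:
    """Return the reasons a request's framing is ambiguous; empty means clean."""
    headers = parse_headers(raw)
    cls = [v for _, n, v in headers if n == "content-length"]
    tes = [v for _, n, v in headers if n == "transfer-encoding"]
    findings = []
    if cls and tes:
        # RFC 7230: a sender MUST NOT send both; a recipient that tolerates
        # them is exactly what a front-end/back-end desync needs.
        findings.append("both Content-Length and Transfer-Encoding present")
    if len(set(cls)) > 1:
        findings.append("conflicting Content-Length values")
    for v in cls:
        if not v.isdigit():
            findings.append(f"non-numeric Content-Length {v!r}")
    for v in tes:
        if v.lower() != "chunked":
            # e.g. "xchunked", "chunked, identity": parsers disagree on these
            findings.append(f"unusual Transfer-Encoding {v!r}")
    for raw_name, n, _ in headers:
        if n in ("content-length", "transfer-encoding") and raw_name != raw_name.strip():
            findings.append(f"whitespace around framing header name {raw_name!r}")
    return findings


def is_ambiguous(raw: bytes) -> bool:
    """Policy hook for a proxy: True means the request should be rejected."""
    return bool(framing_findings(raw))


# Constructed samples: one well-formed request and one with conflicting framing.
CLEAN_REQUEST = (
    b"POST /app HTTP/1.1\r\n"
    b"Host: backend.example\r\n"
    b"Content-Length: 5\r\n"
    b"\r\n"
    b"hello"
)

AMBIGUOUS_REQUEST = (
    b"POST /app HTTP/1.1\r\n"
    b"Host: backend.example\r\n"
    b"Content-Length: 6\r\n"
    b"Transfer-Encoding : chunked\r\n"
    b"\r\n"
    b"0\r\n\r\n"
)

if __name__ == "__main__":
    for label, req in (("clean", CLEAN_REQUEST), ("ambiguous", AMBIGUOUS_REQUEST)):
        print(label, "->", framing_findings(req) or "no findings")
```

The point of keeping `raw_name` separate from the normalized name is that the two hops in a proxied deployment may normalize headers differently; a strict front end that rejects anything on this list removes the disagreement rather than trying to guess which interpretation the backend will choose.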

The security company also warns of challenges associated with detecting attacks targeting ICMAD – as malicious requests are difficult to differentiate from benign requests – and underlines that successful exploitation leads to complete system takeover and does not require previous authentication.

By exploiting these vulnerabilities, attackers can steal user credentials and personal information, exfiltrate sensitive information, perform fraudulent financial transactions, disrupt critical systems and cause denial of service conditions, or change banking details in a financial system of record, Onapsis explains.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has urged organizations to apply the patches for the ICMAD flaws as soon as possible.

Two other Hot News security notes address remote code execution issues related to the use of Apache Log4j in SAP Commerce and Data Intelligence 3 (on-premise), respectively.

The last of this month’s Hot News security notes addresses a missing segregation of duties in Solution Manager Diagnostics Root Cause Analysis Tools (CVE-2022-22544, CVSS score of 9.1) that could allow an attacker with admin privileges to browse files and execute code on all Diagnostics Agents over the network, Onapsis explains.

Three of the updated Hot News security notes also deal with Log4j vulnerabilities, while the fourth brings Chromium release 97.0.4692.99 to SAP Business Client.

SAP also patched an SQL injection flaw in NetWeaver AS ABAP (Workplace Server) that could allow an attacker to execute crafted database queries, and updated a security note dealing with two vulnerabilities in the F0743 Create Single Payment application of S/4HANA.

Six medium-severity bugs were addressed this month in NetWeaver, ERP HCM, Business Objects Web Intelligence (BI Launchpad), 3D Visual Enterprise Viewer, Adaptive Server Enterprise, and S/4HANA. SAP also patched a low-severity denial of service in NetWeaver Application Server for ABAP and ABAP Platform.

Written By

Ionut Arghire is an international correspondent for SecurityWeek.