
SAP Vulnerability Exploited in Attacks After Details Disclosed at Hacker Conferences

The US Cybersecurity and Infrastructure Security Agency (CISA) has added a critical SAP vulnerability to its Known Exploited Vulnerabilities Catalog less than one week after its details were disclosed at the Black Hat and Def Con hacker conferences.

CISA added seven vulnerabilities to its catalog on Thursday and instructed federal agencies to address them by September 8. For several of the newly added security holes there do not appear to be any public reports describing exploitation in the wild, but the agency has previously clarified that it only adds a CVE to the catalog when it has reliable evidence of malicious exploitation.

The SAP vulnerability added to CISA’s list, tracked as CVE-2022-22536, was patched by the vendor in February in NetWeaver Application Server ABAP, NetWeaver Application Server Java, ABAP Platform, Content Server 7.53 and Web Dispatcher.

Onapsis, a company that specializes in protecting business-critical applications, warned at the time that CVE-2022-22536 and CVE-2022-22532 could be exploited together, but for the time being there is no mention of CVE-2022-22532 also being exploited.

The two vulnerabilities, both HTTP request smuggling issues in SAP's Internet Communication Manager (the HTTP server component of NetWeaver and Web Dispatcher), were detailed by Onapsis researcher Martin Doyhenard on August 10 at the Black Hat conference and on August 13 at the Def Con conference in a presentation focusing on exploiting inter-process communication in SAP's HTTP server. Onapsis also released an 18-page paper detailing its findings.

“Both CVE-2022-22536 and CVE-2022-22532 were remotely exploitable and could be used by unauthenticated attackers to completely compromise any SAP installation on the planet,” Doyhenard wrote in the research paper.

There does not appear to be any public information describing the attacks exploiting CVE-2022-22536, but CISA warned in February that exploitation could lead to theft of sensitive data, financial fraud, disruption of mission-critical business processes, or ransomware deployment.

“We have seen an increase in the threat activity, particularly related to CVE-2022-22536, over the past few days, and while we continue working on it, it is too early to make any assessment about attribution. Exploitation of this vulnerability is valuable to attackers because it can be used to steal user sessions, ultimately compromising any business application,” JP Perez-Etchegoyen, CTO of Onapsis, told SecurityWeek.


“Onapsis coordinated with SAP, CISA, and other CERT(s) so all SAP customers had the necessary information to understand and manage this critical risk, even releasing an open-source scanner to automatically assess if systems were vulnerable. This underlines the need to continually assess SAP systems for vulnerabilities with real-time threat intelligence,” he added.

CISA also added to its Known Exploited Vulnerabilities Catalog two flaws affecting Microsoft products for which there do not appear to be any public reports describing exploitation in the wild.

One of them, CVE-2022-21971, is a Windows Runtime remote code execution vulnerability that Microsoft patched in February. Microsoft’s advisory currently says it has not been exploited or publicly disclosed and assigns it an exploitability rating of ‘exploitation less likely’. However, a proof-of-concept (PoC) exploit has been publicly available since at least March.

The second Microsoft vulnerability, CVE-2022-26923, is a privilege escalation issue affecting Active Directory Domain Services. Microsoft released a patch in May and PoC exploits were made available days later.

CISA has also added to its ‘must patch’ list the two iOS and macOS vulnerabilities addressed by Apple this week, a Chrome flaw fixed by Google this week, and a 2017 vulnerability affecting Palo Alto Networks appliances (CVE-2017-15944).
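The practical consequence of a KEV addition is a deadline: every entry carries a dateAdded and a dueDate, and the useful question for a defender is which of the CVEs already open in their own scan results now sit under that deadline. The script below is an added example, not code from SecurityWeek, CISA or Onapsis. It parses a KEV-style JSON document (the top-level "vulnerabilities" list with cveID, vendorProject, dateAdded and dueDate fields mirrors the layout of CISA's published feed), cross-references it with a local asset-to-CVE inventory, and ranks the matches by days remaining. The feed contents and the inventory are constructed for the example; the SAP entry's dates follow the article (added August 18, due September 8), and the inventory format is an assumption.

```python
"""Cross-reference a CISA KEV feed with a local CVE inventory and report deadlines.

Added example; not the article's, CISA's or Onapsis' code. Feed and inventory
below are constructed sample data, not a copy of the live catalog.
"""
from __future__ import annotations

import json
from dataclasses import dataclass
from datetime import date

# Constructed sample of a KEV feed, limited to the fields this script uses.
# The rows use the CVE IDs named in the article and the deadline it reports
# (all three added 2022-08-18 with a 2022-09-08 due date).
SAMPLE_KEV_JSON = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities (sample)",
    "vulnerabilities": [
        {"cveID": "CVE-2022-22536", "vendorProject": "SAP",
         "product": "Multiple Products",
         "dateAdded": "2022-08-18", "dueDate": "2022-09-08"},
        {"cveID": "CVE-2022-26923", "vendorProject": "Microsoft",
         "product": "Active Directory Domain Services",
         "dateAdded": "2022-08-18", "dueDate": "2022-09-08"},
        {"cveID": "CVE-2017-15944", "vendorProject": "Palo Alto Networks",
         "product": "PAN-OS",
         "dateAdded": "2022-08-18", "dueDate": "2022-09-08"},
    ],
})

# Constructed inventory: asset name -> CVEs a scanner reported as open on it.
# CVE-2022-22532 is included on purpose: the article notes it is NOT in KEV,
# so a KEV-only filter will leave it out even though it chains with 22536.
SAMPLE_INVENTORY: dict[str, list[str]] = {
    "sap-prd-01": ["CVE-2022-22536", "CVE-2022-22532"],
    "dc-01": ["CVE-2022-26923"],
    "fw-edge": ["CVE-2017-15944"],
}


@dataclass(frozen=True)
class Finding:
    asset: str
    cve_id: str
    vendor: str
    due: date
    days_left: int  # negative once the CISA due date has passed

    @property
    def overdue(self) -> bool:
        return self.days_left < 0


def load_kev(feed_text: str) -> dict[str, dict]:
    """Parse KEV JSON text and index its entries by CVE ID."""
    feed = json.loads(feed_text)
    return {entry["cveID"]: entry for entry in feed["vulnerabilities"]}


def triage(kev: dict[str, dict], inventory: dict[str, list[str]],
           today: date) -> list[Finding]:
    """One Finding per (asset, CVE) present in KEV, most urgent first.

    CVEs absent from KEV are skipped: they are still vulnerabilities, they just
    do not carry a CISA deadline, so they need a separate prioritisation path.
    """
    findings: list[Finding] = []
    for asset, cves in inventory.items():
        for cve_id in cves:
            entry = kev.get(cve_id)
            if entry is None:
                continue
            due = date.fromisoformat(entry["dueDate"])
            findings.append(Finding(asset, cve_id, entry["vendorProject"],
                                    due, (due - today).days))
    # Sort by remaining days first so overdue items (negative) float to the top.
    return sorted(findings, key=lambda f: (f.days_left, f.asset, f.cve_id))


def report(findings: list[Finding]) -> list[str]:
    """Render findings as one line each, flagging overdue entries."""
    lines = []
    for f in findings:
        status = "OVERDUE" if f.overdue else f"due in {f.days_left}d"
        lines.append(f"{f.asset:12} {f.cve_id:16} {f.vendor:20} {f.due} {status}")
    return lines


if __name__ == "__main__":
    kev = load_kev(SAMPLE_KEV_JSON)
    for line in report(triage(kev, SAMPLE_INVENTORY, date(2022, 9, 1))):
        print(line)
```

Running it against the live feed only needs `load_kev` fed with the text of CISA's JSON download instead of the constructed sample; the inventory side would come from whatever scanner or CMDB the organisation already has. The deliberate gap in the sample is CVE-2022-22532: it never appears in the output because it is not in the catalog, which is exactly the caveat in the article, since Onapsis warned the two SAP flaws can be used together. KEV membership is a prioritisation signal, not an exhaustive list of what needs patching.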

*updated with information from Onapsis

Related: Scanning Activity Detected After Release of Exploit for Critical SAP SolMan Flaw

Related: CISA Says Recent Cisco Router Vulnerabilities Exploited in Attacks

Related: CISA Says ‘HiveNightmare’ Windows Vulnerability Exploited in Attacks

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.