SAP Vulnerability Exploited in Attacks After Details Disclosed at Hacker Conferences

The US Cybersecurity and Infrastructure Security Agency (CISA) has added a critical SAP vulnerability to its Known Exploited Vulnerabilities Catalog less than one week after its details were disclosed at the Black Hat and Def Con hacker conferences.

CISA added seven vulnerabilities to its catalog on Thursday and instructed federal agencies to address them by September 8. For several of the newly added security holes, there do not appear to be any public reports describing exploitation in the wild, but the cybersecurity agency has clarified in the past that it only adds CVEs to its catalog if it has reliable information about malicious exploitation.

The SAP vulnerability added to CISA’s list, tracked as CVE-2022-22536, was patched by the vendor in February in NetWeaver Application Server ABAP, NetWeaver Application Server Java, ABAP Platform, Content Server 7.53 and Web Dispatcher.

Onapsis, a company that specializes in protecting business-critical applications, warned at the time that CVE-2022-22536 and CVE-2022-22532 could be exploited together, but for the time being there is no mention of CVE-2022-22532 also being exploited.

The two memory corruption vulnerabilities were detailed by Onapsis researcher Martin Doyhenard on August 10 at the Black Hat conference and on August 13 at the Def Con conference in a presentation focusing on exploiting inter-process communication in SAP’s HTTP server. Onapsis also released an 18-page paper detailing its findings.

“Both, CVE-2022-22536 and CVE-2022-22532, were remotely exploitable and could be used by unauthenticated attackers to completely compromise any SAP installation on the planet,” Doyhenard wrote in the research paper.

There does not appear to be any public information describing the attacks exploiting CVE-2022-22536, but CISA warned in February that exploitation could lead to theft of sensitive data, financial fraud, disruption of mission-critical business processes, or ransomware deployment.

“We have seen an increase in the threat activity, particularly related to CVE-2022-22536, over the past few days, and while we continue working on it, it is too early to make any assessment about attribution. Exploitation of this vulnerability is valuable to attackers because it can be used to steal user sessions, ultimately compromising any business application,” JP Perez-Etchegoyen, CTO of Onapsis, told SecurityWeek.

“Onapsis coordinated with SAP, CISA, and other CERT(s) so all SAP customers had the necessary information to understand and manage this critical risk, even releasing an open-source scanner to automatically assess if systems were vulnerable. This underlines the need to continually assess SAP systems for vulnerabilities with real-time threat intelligence,” he added.

CISA also added to its Known Exploited Vulnerabilities Catalog two flaws affecting Microsoft products for which there do not appear to be any public reports describing exploitation in the wild.

One of them, CVE-2022-21971, is a Windows remote code execution vulnerability that Microsoft patched in February. Microsoft’s advisory currently says it has not been exploited or publicly disclosed and assigns it an exploitability rating of ‘exploitation less likely’. However, a proof-of-concept (PoC) exploit has been available since at least March.

The second Microsoft vulnerability, CVE-2022-26923, is a privilege escalation issue affecting Active Directory Domain Services. Microsoft released a patch in May and PoC exploits were made available days later.

CISA has also added to its ‘must patch’ list the two iOS and macOS vulnerabilities addressed by Apple this week, a Chrome flaw fixed by Google this week, and a 2017 vulnerability affecting Palo Alto Networks appliances (CVE-2017-15944).

*updated with information from Onapsis

Related: Scanning Activity Detected After Release of Exploit for Critical SAP SolMan Flaw

Related: CISA Says Recent Cisco Router Vulnerabilities Exploited in Attacks

Related: CISA Says 'HiveNightmare' Windows Vulnerability Exploited in Attacks

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.