BOSTON, February 8, 2022 – Onapsis, the leader in business-critical application cybersecurity and compliance, today announced that the Onapsis Research Labs and SAP Product Security Response Team collaborated to discover and patch critical network exploitable vulnerabilities that affect Internet Communication Manager (ICM), a core component of SAP business applications. SAP has promptly patched these vulnerabilities.
Both SAP and Onapsis advise impacted organizations to prioritize applying the Security Notes 3123396 and 3123427 to their affected SAP applications immediately. If exploited, these vulnerabilities, dubbed “ICMAD,” enable attackers to carry out serious malicious activity against SAP users, business information, and processes — and ultimately to compromise unpatched SAP applications.
The individual ICMAD vulnerabilities are identified as CVE-2022-22536, CVE-2022-22532, and CVE-2022-22533 — the first of which received the highest possible risk score, a 10 out of 10, while the other two received scores of 8.1 and 7.5, respectively. The U.S. Department of Homeland Security Cybersecurity and Infrastructure Security Agency (CISA) has issued a Current Activity Alert relating to these vulnerabilities.
“These vulnerabilities can be exploited over the internet and without the need for attackers to be authenticated in the target systems, which makes them very critical,” said Mariano Nunez, CEO and Co-founder of Onapsis. “We applaud SAP for their rapid response and working with Onapsis Research Labs after being notified by our experts. From swiftly issuing patches to working with our team to test the efficacy of those patches to proactively notifying impacted customers and the broader security community — SAP is setting the bar for what vulnerability disclosure and response looks like and how working with trusted partners like Onapsis better protects its customers.”
Onapsis Research Labs’ thorough investigation of HTTP Smuggling over the last year led to its discovery of the vulnerabilities. Threat actors can send malicious payloads leveraging these HTTP Smuggling techniques and successfully exploit SAP Java or ABAP systems with an HTTP request that is indistinguishable from a valid message. These vulnerabilities can be exploited in affected systems over the internet and pre-authentication, meaning they are not mitigated by multi-factor authentication controls.
“SAP has partnered with Onapsis to maintain secure solutions for our global customer base,” said Richard Puckett, Chief Information Security Officer for SAP. “It is through collaboration with key partners like Onapsis that SAP can provide the most secure environment possible for our customers. We strongly encourage all SAP customers to protect their businesses by applying the relevant SAP security patches as soon as possible.”
What Are the ICMAD Vulnerabilities?
ICM is the SAP component that enables HTTP(S) communications in SAP systems. Because ICM is exposed to the internet and untrusted networks by design, vulnerabilities in this component have an increased level of risk.
Recommendations to Remediate
SAP and Onapsis are currently not aware of known customer breaches related to these vulnerabilities, but strongly advise impacted organizations to prioritize applying the Security Notes 3123396 and 3123427 to their affected SAP applications immediately.
Onapsis clients who have Onapsis Assess and/or Onapsis Defend products are already protected against these critical vulnerabilities.
Onapsis has also released a free open-source tool that organizations can use to scan for affected applications across their SAP landscape. It is available for download here.
“As we have observed through recent threat intelligence, threat actors are actively targeting business-critical applications like SAP and have the expertise and tools to carry out sophisticated attacks,” said Nunez. “The discovery and patching of the ICMAD vulnerabilities as well as those previously identified by Onapsis Research Labs, such as RECON and 10KBLAZE, are essential to protecting the business-critical applications that power 92% of the Forbes Global 2000. I am proud of the work our researchers have done to bring these vulnerabilities to light so they could be mitigated and commend SAP for their response and collaboration.”
SAP recommends that its customers patch impacted systems immediately. Patches are released on SAP’s Patch Tuesday, the second Tuesday of each month. To find out more, visit SAP’s Patch Day WIKI.
To learn about these vulnerabilities, join the upcoming webinar and download Onapsis’ latest threat report. For more information about Onapsis Research Labs and details about its research, visit: https://onapsis.com/onapsis-platform/research-labs
About Onapsis
Onapsis protects the business-critical applications that run the global economy, from the core to the cloud. The company’s cybersecurity and compliance solution offering, The Onapsis Platform, uniquely delivers vulnerability management, threat detection and response, change assurance, and continuous compliance for business-critical applications from leading vendors such as SAP, Oracle, Salesforce, and other SaaS platforms.
Onapsis is headquartered in Boston, MA, with offices in Heidelberg, Germany and Buenos Aires, Argentina, and proudly serves more than 300 of the world’s leading brands, including 20% of the Fortune 100, 6 of the top 10 automotive companies, 5 of the top 10 chemical companies, 4 of the top 10 technology companies, and 3 of the top 10 oil and gas companies.
The Onapsis Platform is powered by the Onapsis Research Labs, the team responsible for the discovery and mitigation of more than 800 zero-day vulnerabilities in business-critical applications. The reach of our threat research and platform is broadened through leading consulting and audit firms such as Accenture, Deloitte, IBM, PwC, and Verizon — making Onapsis solutions the standard in helping organizations protect their cloud, hybrid, and on-premises business-critical information and processes. For more information, connect with us on Twitter or LinkedIn, or visit us at https://www.onapsis.com.