SAP Patches Severe ‘ICMAD’ Bugs

SAP’s Patch Tuesday brought fixes for a trio of flaws in the ubiquitous ICM component in internet-exposed apps. One of them, with a risk score of 10, could allow attackers to hijack identities, steal data and more.

There’s a trio of critical vulnerabilities, fixed on Tuesday, in SAP business applications that use the ubiquitous Internet Communication Manager (ICM): the component that gives SAP products the HTTPS web server they need to connect to the internet or talk to each other.

The vulnerabilities, discovered by Onapsis Research Labs, are tracked as CVE-2022-22536, CVE-2022-22532 and CVE-2022-22533. The first CVE, addressed in Security Note 3123396, received the tip-top risk score – a 10 out of 10. The other two CVEs received scores of 8.1 and 7.5, respectively.

Infosec Insiders Newsletter

The issues are severe enough that the U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued a security advisory about them this week. And, in a blog post, SAP director of security response Vic Chung confirmed the severity of Onapsis’ findings. He said that if they aren’t remediated, the bugs – aka “ICMAD” – “will enable attackers to execute serious malicious activity on SAP users, business information and processes.”

Specifically, successful exploitation could lead to this frightening laundry list of cybersecurity hazards:

  • Hijack of user identities, theft of all user credentials and personal information
  • Exfiltration of sensitive or confidential corporate information
  • Fraudulent transactions and financial harm
  • Change of banking details in a financial system of record
  • Denial-of-service attack that disrupts critical systems for the business

Onapsis, which specializes in security for SAP, Oracle, Salesforce and other software-as-a-service (SaaS) platforms, joined SAP in coordinating the release of a Threat Report describing the critical vulnerabilities on Tuesday.

The firm estimated that there were tens of thousands – approximately 40,000 – SAP customers running more than 10,000 potentially affected, internet-exposed SAP applications at the time of disclosure.

SAP and Onapsis urged customers to apply both Security Note 3123396 and 3123427 without delay. Onapsis also provided a free, open-source vulnerability scanner tool to assist SAP customers in addressing the serious issues, available to download here.

No Known Related Breaches – Yet

“Since ICM is exposed to the internet and untrusted networks by design, vulnerabilities in this component have an increased level of risk,” Chung said.

The ICMAD bugs are critical memory-corruption vulnerabilities that should be patched promptly, given that ICM is a core component of SAP business applications – just one flavor of the business-critical apps that threat actors are actively targeting.

“As we have observed through recent threat intelligence, threat actors are actively targeting business-critical applications like SAP and have the expertise and tools to carry out sophisticated attacks,” said Mariano Nunez, CEO and co-founder of Onapsis. “The discovery and patching of the ICMAD vulnerabilities as well as those previously identified by Onapsis Research Labs, such as RECON and 10KBLAZE, are essential to protecting the business-critical applications that power 92 percent of the Forbes Global 2000.”

As of Tuesday, SAP and Onapsis weren’t aware of any breaches related to the trio of bugs, but that’s clearly no reason to delay in applying the updates in Security Note 3123396 [CVE-2022-22536] to affected SAP applications as soon as possible, they said.

021022 13:28 UPDATE: An Onapsis spokesperson told Threatpost that as of Thursday, the team still hadn’t seen either exploitation of the ICMAD flaws nor a proof of concept but that, unsurprisingly, they’ve seen probes scanning for the vulnerability.

What to Do

Onapsis has prepared this on-demand recording that details what to do to avoid any damage.

As well, at noon ET on Thursday, Onapsis’ Nunez and SAP CISO Richard Puckett will provide a threat briefing about the ICMAD vulnerabilities.

Internally Facing Apps Also at Risk

A vulnerability in ICM exposes the business-critical data enterprises depend on SAP to manage and safeguard, pointed out Casey Bisson, head of product and developer relations at code-security provider BluBracket. That goes for internal-facing apps as well as internet-facing ones, he said, given that ICM is at the core of practically all SAP-based web applications, and that includes apps that are internal-only.

“Even if the applications are internal-only, there’s still risk when combined with other threats, including disgruntled employees and compromised network devices,” he told Threatpost via email on Thursday. “This is exactly the vulnerability that threat actors like ransomware operators and state operatives are looking for.”

SAP servers are “extremely rich targets,” noted Aaron Turner, vice president of software-as-a-service (SaaS) posture at AI cybersecurity company Vectra. They have “significant” access to material business processes and, generally, have multiple privileged credentials stored and used on those servers, he said via email.

“With the Onapsis research, they have uncovered an exploit path that allows attackers to gain access to those privileged credentials to move laterally within the on-premises network, and also pivot into the cloud as most SAP customers have federated their legacy SAP workloads with cloud-based ones,” Turner explained.

He compared the potential for exploitation to that presented by Hafnium: an advanced persistent threat (APT) believed to be linked to the Chinese government that Microsoft said has carried out zero-day attacks on Microsoft Exchange servers using the group of vulnerabilities known as ProxyLogon.

“Just as Hafnium allowed attackers to pivot from on-prem Exchange to M365, this SAP attack path could allow the same,” Turner suggested. “The SAP security updates will be critical ones to install, not just to protect those on-premises SAP servers but also any systems, on-prem or cloud, that may share credentials or trust relationships with those servers.”

Mike Parkin, engineer at enterprise cyber-risk remediation SaaS provider Vulcan Cyber, told Threatpost that regardless of the current lack of reports of ICMAD exploits, “the potential risk is high.”

All the more reason for organizations that rely on the affected components to deploy the patches and other relevant mitigations “as soon as is practical,” he advised.

021022 12:24 UPDATE: Added input from Casey Bisson, Aaron Turner and Mike Parkin.

Check out our free upcoming live and on-demand online town halls – unique, dynamic discussions with cybersecurity experts and the Threatpost community.

Suggested articles