Prompt Patching Required to Fix Critical SAP Vulnerabilities

The German business software firm SAP has launched patches to correct a set of critical vulnerabilities that impact SAP applications that utilize the SAP Internet Communications Manager (ICM). Researchers at Onapsis Research Labs identified the vulnerabilities, which were called the vulnerabilities ICMAD (Internet Communications Manager Advanced Desync). All three vulnerabilities can be exploited to gain remote code execution, which would permit remote attackers to fully breach vulnerable SAP programs.

The vulnerabilities have an effect on the following SAP software:

SAP NetWeaver AS ABAP
SAP Web Dispatcher
SAP Content Server 7.53
ABAP Platform
SAP NetWeaver AS Java

The vulnerabilities may be taken advantage of to steal victim sessions and credentials in plain text, modify the behavior of programs, acquire PHI and sensitive business data, and cause denial-of-service. CVE-2022-22536 is the most severe vulnerability of the three and was given the maximum CVSS severity score of 10/10. Onapsis stated that an unauthenticated attacker could quickly exploit the vulnerability on SAP programs in the default configuration by sending a request via the frequently exposed HTTP(S) service.

Whenever business software allows HTTP(S) access, the most frequent configuration is for an HTTP(S) proxy to be sitting between clients and the backend SAP system, and this setting permits the vulnerability to be exploited. The second vulnerability, tracked as CVE-2022-22532 (CVSS 8.1) may also be exploited in this configuration, and also in the absence of proxies. The third vulnerability monitored as CVE-2022-22533 (No CVSS score yet) could likewise result in remote code execution.

The vulnerabilities were discovered while studying HTTP smuggling strategies, which the researchers learned may be leveraged utilizing requests that closely reflect genuine HTTP requests. Therefore, these attacks will be hard for security teams to identify. Additionally, the vulnerabilities are really easy to exploit.

SAP applications are substantially utilized by businesses, which include the healthcare sector. When vulnerabilities are found, hackers can quickly exploit them to obtain access to programs to steal information or cripple business systems. Quite often, the first exploits of SAP vulnerabilities happen within 72 hours of releasing patches.

SAP applications are employed to manage business processes and in healthcare, the applications frequently consist of protected health information (PHI). Vulnerabilities in SAP software could for that reason be exploited to steal patient information.

SAP and Onapsis have advised all companies employing vulnerable SAP applications to use the patches right away to avoid exploitation. The Cybersecurity and Infrastructure Security Agency (CISA) has additionally issued an alert regarding the vulnerabilities urging prompt patching. Firms need to prioritize patching affected systems that are open to untrusted networks, like the Internet. Onapsis has introduced a free, open-source scanning tool that businesses can use to discover if they are prone to ICMAD exploits.

Author: Joe Murray

Joe Murray is the Editor-in-Chief of HIPAA 101, where he leads the writing team in delivering high-quality news and insights on HIPAA regulations. With over 15 years of experience in healthcare journalism, Joe has established himself as a trusted writer. At HIPAA 101, Joe is dedicated to providing healthcare professionals and administrative staff with accurate, timely, and comprehensive information to help them navigate the complexities of HIPAA.