Warning: 3 critical vulnerabilities in SAP NetWeaver Application Server

Published: 10/02/2022

Reference:
Advisory #2022-003

Version:
1.0

Affected software:
SAP Internet Communication Manager (ICM), a component of SAP NetWeaver Application Server

Type:
Remote Code Execution and Denial-of-Service

CVE/CVSS:

  • CVE-2022-22536 | CVSS 10.0 | HTTP request smuggling and request concatenation (ICMAD)
  • CVE-2022-22532 | CVSS 8.1  | Improper shared memory buffer handling
  • CVE-2022-22533 | CVSS 7.5  | Memory leak in memory pipe management that could lead to denial of service

Sources

https://wiki.scn.sap.com/wiki/display/PSR/SAP+Security+Patch+Day+-+February+2022

Risks

  • CVE-2022-22536 is a memory pipes (MPI) desynchronization vulnerability: an unauthenticated remote attacker could exploit it with a single crafted HTTP request and achieve full system takeover;
  • CVE-2022-22532 is an HTTP request smuggling vulnerability in the ICM component that requires neither authentication nor user interaction and could lead to remote code execution;
  • CVE-2022-22533 is a memory leak in memory pipe management: specially crafted HTTP(S) requests can consume all MPI resources and deny service to legitimate users.

Description

On February 8, 2022, SAP disclosed several vulnerabilities in the Internet Communication Manager (ICM), a critical component of its NetWeaver Application Server. The ICM handles the HTTP(S) traffic of the server, so it is reachable by anyone who can connect to the SAP system's web ports. SAP applications manage critical business processes: SAP NetWeaver is the application and integration server that forms the software stack for most of SAP's products, including solutions for critical business functions such as enterprise resource planning, customer relationship management and supply chain management.

Onapsis, which discovered the vulnerabilities, released a threat report on them, and SAP included fixes in its February 2022 Security Patch Day. The Cybersecurity and Infrastructure Security Agency (CISA) issued an immediate warning, stating that exploitation of these vulnerabilities could result in theft of sensitive data, fraud, disruption of operations and ransomware.

Recommended Actions

The Centre for Cyber Security Belgium (CCB) recommends installing the updates for SAP NetWeaver Application Server with the highest priority. The updates are listed in the SAP Security Patch Day note for February 2022 (see References).

Onapsis also released an open-source scanner script (see References) to identify systems in your environment that are still vulnerable.
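Before running a scanner, most teams first need to know which of their HTTP endpoints are fronted by SAP ICM at all, and which of those still run a kernel below the patched level. The following Python helper is an added example written for this advisory; it is not the Onapsis scanner and not CCB or SAP code, and it sends no requests. It works over constructed inputs: a set of HTTP response headers as a probe of each host might return them (the "server" string format is the one SAP ICM commonly emits, and the "sap-server" header is assumed to be present on ICM responses), an inventory of kernel release and patch level per host as collected from the systems themselves, and a table of fixed patch levels per kernel release. The fixed levels are placeholders: the real values are in the SAP note referenced above and are not on this page, so the operator must fill them in from the note.

```python
"""Triage SAP ICM-fronted hosts for the February 2022 ICM patches.

Added example for this advisory; not the Onapsis scanner, not SAP/CCB code.
All hosts, headers, kernel levels and fixed levels below are constructed.
"""
import re

# Constructed probe results: hostname -> HTTP response headers (lower-case keys).
# The "server" string format mirrors what SAP ICM commonly returns; the
# "sap-server" header is assumed to be set by ICM (assumption).
SAMPLE_PROBES = {
    "erp-prod.example.internal": {
        "server": "SAP NetWeaver Application Server / ABAP 753",
        "sap-server": "true",
    },
    "crm-dev.example.internal": {
        "server": "SAP NetWeaver Application Server / ABAP 749",
        "sap-server": "true",
    },
    "portal.example.internal": {
        "server": "SAP NetWeaver Application Server 7.50 / AS Java 7.50",
    },
    "intranet.example.internal": {
        "server": "nginx/1.22.0",
    },
    "sandbox.example.internal": {
        "sap-server": "true",
    },
}

# Constructed kernel inventory: hostname -> (kernel release, patch level),
# as an administrator would collect it from the systems themselves.
KERNEL_INVENTORY = {
    "erp-prod.example.internal": ("753", 900),
    "crm-dev.example.internal": ("749", 500),
    "portal.example.internal": ("753", 1200),
}

# Placeholder fixed patch levels per kernel release. Replace with the values
# from the SAP Security Patch Day note; these numbers are invented for the demo.
EXAMPLE_FIXED_LEVELS = {"749": 800, "753": 1100}

_ICM_SERVER_RE = re.compile(r"SAP NetWeaver Application Server", re.IGNORECASE)


def is_sap_icm(headers):
    """True if the response headers look like they came from SAP ICM."""
    lowered = {k.lower(): v for k, v in headers.items()}
    if lowered.get("sap-server", "").strip().lower() == "true":
        return True
    return bool(_ICM_SERVER_RE.search(lowered.get("server", "")))


def kernel_release_from_headers(headers):
    """Best-effort kernel release hint from the Server header, e.g. '753'."""
    server = {k.lower(): v for k, v in headers.items()}.get("server", "")
    match = re.search(r"\b(7\d{2})\b", server)
    return match.group(1) if match else None


def triage(probes, inventory, fixed_levels):
    """Map each ICM-fronted host to 'unpatched', 'patched' or 'unknown'.

    Hosts that do not look like SAP ICM are left out entirely; a host whose
    kernel level or fixed level is not known is reported as 'unknown' so it
    is not silently treated as safe.
    """
    result = {}
    for host, headers in probes.items():
        if not is_sap_icm(headers):
            continue
        entry = inventory.get(host)
        if entry is None:
            result[host] = "unknown"
            continue
        release, patch_level = entry
        needed = fixed_levels.get(release)
        if needed is None:
            result[host] = "unknown"
        elif patch_level < needed:
            result[host] = "unpatched"
        else:
            result[host] = "patched"
    return result


def prioritized(probes, inventory, fixed_levels):
    """Hosts ordered for patching: unpatched first, then unknown, then patched."""
    order = {"unpatched": 0, "unknown": 1, "patched": 2}
    status = triage(probes, inventory, fixed_levels)
    return sorted(status.items(), key=lambda kv: (order[kv[1]], kv[0]))


if __name__ == "__main__":
    for host, state in prioritized(SAMPLE_PROBES, KERNEL_INVENTORY, EXAMPLE_FIXED_LEVELS):
        print(f"{state:10s} {host}")
```

The script deliberately reports "unknown" rather than "patched" whenever a piece of data is missing, because an ICM that is reachable but not in the kernel inventory is exactly the host a scanner such as the Onapsis script should be pointed at next.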

References

Onapsis Scanner Script: https://github.com/Onapsis/onapsis_icmad_scanner
SAP Community Wiki: https://wiki.scn.sap.com/wiki/display/PSR/SAP+Security+Patch+Day+-+February+2022
Tenable: https://www.tenable.com/blog/cve-2022-22536-sap-patches-internet-communication-manager-advanced-desync-icmad
The Record: https://therecord.media/cisa-and-sap-warn-about-major-vulnerability/