SAP has released a patch for impacted systems, and Onapsis provides a free open-source vulnerability scanning tool to help SAP customers immediately address the vulnerabilities
Onapsis, the leader in business-critical application cybersecurity and compliance, announced that the Onapsis Research Labs and SAP Product Security Response Team collaborated to discover and patch critical network exploitable vulnerabilities that affect Internet Communication Manager (ICM), a core component of SAP business applications. SAP has promptly patched these vulnerabilities.
Both SAP and Onapsis advise impacted organizations to prioritize applying the Security Notes 3123396 and 3123427 to their affected SAP applications immediately. If exploited, these vulnerabilities, dubbed “ICMAD,” enable attackers to execute serious malicious activities on SAP users, business information, and processes — and ultimately compromise unpatched SAP applications.
The individual ICMAD vulnerabilities are identified as CVE-2022-22536, CVE-2022-22532, and CVE-2022-22533 — the first of which received the highest possible risk score, a 10 out of 10, while the other two received scores of 8.1 and 7.5, respectively. The U.S. Department of Homeland Security Cybersecurity and Infrastructure Security Agency (CISA) is issuing a Current Activity Alert relating to these vulnerabilities.
“These vulnerabilities can be exploited over the internet and without the need for attackers to be authenticated in the target systems, which makes them very critical,” said Mariano Nunez, CEO and Co-founder of Onapsis. “We applaud SAP for their rapid response and working with Onapsis Research Labs after being notified by our experts. From swiftly issuing patches to working with our team to test the efficacy of those patches to proactively notifying impacted customers and the broader security community — SAP is setting the bar for what vulnerability disclosure and response looks like and how working with trusted partners like Onapsis better protects its customers.”
Onapsis Research Labs’ investigation of HTTP request smuggling over the last year led to its discovery of the vulnerabilities. Threat actors can send malicious payloads that leverage these HTTP smuggling techniques and successfully exploit SAP Java or ABAP systems with an HTTP request that is indistinguishable from a valid message. These vulnerabilities can be exploited in affected systems over the internet and without prior authentication, which means that multi-factor authentication controls do not mitigate them.
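As an added example (not code from Onapsis, SAP, or the scanner mentioned in this release), the check below, assumed to run at an ingress proxy or over captured request logs, flags HTTP/1.1 requests whose body framing two parsers could interpret differently, which is the ambiguity HTTP request smuggling relies on. It does not model the ICMAD defects themselves, which this release does not detail; the sample requests are constructed.

```python
# Added example: a defensive pre-check for ambiguous HTTP/1.1 body framing.
# A request that two parsers (e.g. a front-end proxy and a back-end server)
# can measure differently is a smuggling candidate and should be rejected
# or logged at the edge. This is generic HTTP hygiene, not the ICMAD fix.
from typing import List, Tuple


def parse_headers(raw: bytes) -> List[Tuple[str, str]]:
    """Return (name, value) pairs from a raw request head, unnormalized."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    pairs = []
    for line in head.split("\r\n")[1:]:  # skip the request line
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        pairs.append((name, value))
    return pairs


def framing_findings(raw: bytes) -> List[str]:
    """List reasons the body length is ambiguous; an empty list means clean."""
    findings: List[str] = []
    cl: List[str] = []
    te: List[str] = []
    for name, value in parse_headers(raw):
        if name != name.strip():
            # "Transfer-Encoding : chunked" or obs-fold continuation lines are
            # classic ways to make one parser see a header the other ignores.
            findings.append(f"whitespace around header name {name!r}")
        key = name.strip().lower()
        if key == "content-length":
            cl.append(value.strip())
        elif key == "transfer-encoding":
            te.append(value.strip())
    if len(set(cl)) > 1:
        findings.append("conflicting Content-Length values")
    if any(not v.isdigit() for v in cl):
        findings.append("non-numeric Content-Length")
    if cl and te:
        findings.append("Content-Length and Transfer-Encoding both present")
    if any(v.lower() != "chunked" for v in te):
        # Conservative policy: only a bare "chunked" is accepted at the edge.
        findings.append("Transfer-Encoding is not exactly 'chunked'")
    return findings


# Constructed sample requests (hostnames and paths are placeholders).
CLEAN = (b"POST /example HTTP/1.1\r\nHost: example.invalid\r\n"
         b"Content-Length: 5\r\n\r\nhello")
AMBIGUOUS = (b"POST /example HTTP/1.1\r\nHost: example.invalid\r\n"
             b"Content-Length: 4\r\nTransfer-Encoding: chunked\r\n\r\n0\r\n\r\n")
```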
“SAP has partnered with Onapsis to maintain secure solutions for our global customer base,” said Richard Puckett, Chief Information Security Officer for SAP. “It is through collaboration with key partners like Onapsis that SAP can provide the most secure environment possible for our customers. We strongly encourage all SAP customers to protect their businesses by applying the relevant SAP security patches as soon as possible.”
What Are the ICMAD Vulnerabilities?
ICM is the SAP component that enables HTTP(S) communications in SAP systems. Because ICM is exposed to the internet and untrusted networks by design, vulnerabilities in this component have an increased level of risk.
Recommendations to Remediate
SAP and Onapsis are currently not aware of known customer breaches related to these vulnerabilities, but strongly advise impacted organizations to prioritize applying the Security Notes 3123396 and 3123427 to their affected SAP applications immediately.
Onapsis clients who have Onapsis Assess and/or Onapsis Defend products are already protected against these critical vulnerabilities.
Onapsis has also released a free open-source tool that organizations can use to scan for affected applications across their SAP landscape. It is available for download here.
“As we have observed through recent threat intelligence, threat actors are actively targeting business-critical applications like SAP and have the expertise and tools to carry out sophisticated attacks,” said Nunez. “The discovery and patching of the ICMAD vulnerabilities as well as those previously identified by Onapsis Research Labs, such as RECON and 10KBLAZE, are essential to protecting the business-critical applications that power 92% of the Forbes Global 2000. I am proud of the work our researchers have done to bring these vulnerabilities to light so they could be mitigated and commend SAP for their response and collaboration.”
SAP recommends that its customers patch impacted systems immediately. Patches are released on SAP’s Patch Tuesday, the second Tuesday of each month. To find out more, visit SAP’s Patch Day WIKI.