Security researchers, enterprise software maker SAP, and the U.S. Cybersecurity and Infrastructure Security Agency (CISA) have issued warnings over a critical vulnerability affecting Internet Communication Manager (ICM), a core component of SAP business applications that enables HTTPS communications.
Tracked as CVE-2022-22536, the vulnerability allows attackers to use malformed packets to trick SAP servers into exposing sensitive data without needing to authenticate, according to Onapsis Research Labs. A security patch is available and organisations are urged to update as soon as possible.
Exploitation possible via simple HTTP request
In a report, Onapsis stated that the vulnerability can be exploited via an attack known as HTTP request smuggling, which can be used to steal credentials and session information from unpatched SAP servers even if servers are placed behind proxies. “A simple HTTP request, indistinguishable from any other valid message and without any kind of authentication, is enough for a successful exploitation,” it added.
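HTTP request smuggling works by getting a front-end proxy and the back-end server to disagree about where one request ends and the next begins, which is why a proxy in front of the server is no protection on its own. The article does not give the specifics of the malformed ICMAD packets, so the following is an added, generic example (not code from the article, Onapsis or SAP) of the RFC 7230 framing check a front end or WAF can apply to reject ambiguous requests outright: duplicate or conflicting Content-Length headers, Content-Length combined with Transfer-Encoding, obfuscated header names, and malformed Transfer-Encoding values. The sample requests are constructed for the demonstration.

```python
"""Reject HTTP/1.1 requests whose message framing is ambiguous.

Smuggling relies on two parsers reading the same bytes and picking
different message boundaries. RFC 7230 section 3.3.3 allows a server
to treat conflicting or malformed framing headers as an error; this
checker does that instead of guessing which header wins.
"""
from __future__ import annotations

ALLOWED_CODINGS = {b"chunked", b"gzip", b"deflate", b"compress", b"identity"}


def header_lines(raw: bytes) -> list[bytes]:
    """Return the request line plus header lines (body excluded)."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    return head.split(b"\r\n")


def framing_problems(raw: bytes) -> list[str]:
    """List every framing ambiguity found; an empty list means the request is clean."""
    problems: list[str] = []
    lines = header_lines(raw)
    if not lines or not lines[0]:
        return ["missing request line"]

    content_lengths: list[bytes] = []
    transfer_encodings: list[bytes] = []
    for line in lines[1:]:
        if b":" not in line:
            problems.append(f"malformed header line: {line!r}")
            continue
        name, value = line.split(b":", 1)
        # RFC 7230 3.2.4: whitespace between field-name and colon must be rejected,
        # because some parsers then fail to recognise the header at all.
        if name != name.rstrip():
            problems.append(f"whitespace before colon in header: {name!r}")
        key = name.strip().lower()
        val = value.strip()
        if key == b"content-length":
            content_lengths.append(val)
        elif key == b"transfer-encoding":
            transfer_encodings.append(val)

    if content_lengths and transfer_encodings:
        problems.append("both Content-Length and Transfer-Encoding present")
    if len(set(content_lengths)) > 1:
        problems.append("conflicting Content-Length values")
    for cl in content_lengths:
        if not cl.isdigit():
            problems.append(f"non-numeric Content-Length: {cl!r}")
    if transfer_encodings:
        codings = [c.strip().lower() for te in transfer_encodings for c in te.split(b",")]
        # chunked must be the final coding and must appear exactly once.
        if codings.count(b"chunked") != 1 or codings[-1] != b"chunked":
            problems.append("Transfer-Encoding must end with exactly one 'chunked'")
        for c in codings:
            if c not in ALLOWED_CODINGS:
                problems.append(f"unknown transfer coding: {c!r}")
    return problems


def should_reject(raw: bytes) -> bool:
    """Policy hook for a front end: drop the request if any ambiguity was found."""
    return bool(framing_problems(raw))


# Constructed sample requests (not taken from the article).
GOOD = (b"POST /index.html HTTP/1.1\r\nHost: backend.invalid\r\n"
        b"Content-Length: 5\r\n\r\nhello")
CL_AND_TE = (b"POST /index.html HTTP/1.1\r\nHost: backend.invalid\r\n"
             b"Content-Length: 5\r\nTransfer-Encoding: chunked\r\n\r\n0\r\n\r\n")
DUPLICATE_CL = (b"POST /index.html HTTP/1.1\r\nHost: backend.invalid\r\n"
                b"Content-Length: 5\r\nContent-Length: 12\r\n\r\nhello")
OBFUSCATED_TE = (b"POST /index.html HTTP/1.1\r\nHost: backend.invalid\r\n"
                 b"Transfer-Encoding : chunked\r\n\r\n0\r\n\r\n")

if __name__ == "__main__":
    for label, req in [("good", GOOD), ("cl+te", CL_AND_TE),
                       ("dup-cl", DUPLICATE_CL), ("obfuscated-te", OBFUSCATED_TE)]:
        print(label, "REJECT" if should_reject(req) else "accept", framing_problems(req))
```

Rejecting rather than normalising is the point: any rule that silently picks one header over the other is a rule a second parser may apply differently. The same check belongs in request logs as a detection signal, since a legitimate client has no reason to send these combinations.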
A post on SAP’s website confirmed the severity of the issue, which was announced at the same time as two other, less serious SAP vulnerabilities tracked as CVE-2022-22532 and CVE-2022-22533. “If your organisation’s program was exploited, these vulnerabilities, a.k.a. ‘ICMAD,’ will enable attackers to execute serious malicious activity on SAP users, business information, and processes,” SAP said.
Security patch available, ransomware and data theft among exploit risks
SAP released a security patch for CVE-2022-22536 on February 9, and while the firm stated it is not aware of any related customer breaches, businesses should update SAP applications as soon as possible, given how widely the vulnerable component is deployed and the potential for exploitation.
“As we have observed through recent threat intelligence, threat actors are actively targeting business-critical applications like SAP and have the expertise and tools to carry out sophisticated attacks,” commented Mariano Nunez, Onapsis CEO and co-founder.
CISA warned that impacted organisations could experience theft of sensitive data, financial fraud, disruption of mission-critical business processes, ransomware, and a halt to operations if targeted.