Background
On Tuesday, February 8, 2022, SAP patched a critical memory corruption vulnerability (CVE-2022-22536) in the SAP Internet Communication Manager (ICM) component that could lead to full system takeover without authentication or user interaction. The ICM component is present in most SAP products and is an important component in SAP NetWeaver application servers. The component connects SAP applications to the Internet and can serve as the SAP HTTP(S) server, a service that is exposed by default in SAP NetWeaver Java applications. Furthermore, the ICM component is part of the SAP Web Dispatcher and is a requirement to run web applications in the SAP ABAP programming language.
The vulnerable component can be found in SAP Web Dispatcher, SAP Content Server, and the SAP NetWeaver and ABAP Platform.
| CVE ID | CVSS Score V3 | CVSS Criticality | Type | Description |
| --- | --- | --- | --- | --- |
| CVE-2022-22536 | 10.0 | Critical | HTTP Request Smuggling | Memory Pipe Desynchronization |
| CVE-2022-22532 | 9.8 | Critical | HTTP Request Smuggling | HTTP Request Smuggling on SAP NetWeaver Application Server Java |
| CVE-2022-22533 | 7.5 | High | Use after Free & DoS | Memory Leak in Memory Pipe Management on SAP NetWeaver Application Server Java |
Analysis
CVE-2022-22536
CVE-2022-22536 is the most critical of the collectively tracked “ICMAD” (Internet Communication Manager Advanced Desync) vulnerabilities that impact the SAP ICM component. Threat actors can successfully exploit this vulnerability using a single HTTP request if a proxy with a default configuration is placed between the ICM and the clients.
CVE-2022-22532 & CVE-2022-22533
The other ICMAD vulnerabilities, CVE-2022-22532 and CVE-2022-22533, only impact SAP AS Java systems. According to SAP, CVE-2022-22532 is an HTTP request smuggling vulnerability in the ICM component; it is not trivial to exploit and requires a more complex attack chain to successfully obtain remote code execution. CVE-2022-22533 is a memory leak in memory pipe management that could lead to a denial of service if successfully exploited.
SAP is unaware of known customer breaches resulting from the ICMAD vulnerabilities. Currently, there is no publicly available PoC or exploit code. However, threat actors actively target business-critical applications, such as SAP, to compromise organizations.
Solutions and Recommendations
Arctic Wolf recommends applying the latest SAP security patches to mitigate the ICMAD vulnerabilities and prevent potential future exploitation. Prioritize patching Internet-facing SAP applications first.
CVE-2022-22536 – Affected Products & Versions:
- SAP Web Dispatcher – Versions 7.49, 7.53, 7.77, 7.81, 7.85, 7.22EXT, 7.86, 7.87
- SAP NetWeaver and ABAP Platform – Versions KERNEL 7.22, 8.04, 7.49, 7.53, 7.77, 7.81, 7.85, 7.86, 7.87, KRNL64UC 8.04, 7.22, 7.22EXT, 7.49, 7.53, KRNL64NUC 7.22, 7.22EXT, 7.49
- SAP Content Server – Version – 7.53
CVE-2022-22532 – Affected Products & Versions:
- SAP NetWeaver Application Server Java – Versions KRNL64NUC 7.22, 7.22EXT, 7.49, KRNL64UC 7.22, 7.22EXT, 7.49, 7.53, KERNEL 7.22, 7.49, 7.53
CVE-2022-22533 – Affected Products & Versions:
- SAP NetWeaver Application Server Java
CVE-2022-22536 Security Note: 3123396
CVE-2022-22532 Security Note: 3123427
CVE-2022-22533 Security Note: Security note has not been published (as of February 25, 2022)