Critical Vulnerability in the SAP Internet Communication Manager Component Could Lead to Full System Takeover, Patch Available


Background

On Tuesday, February 8, 2022, SAP patched a critical memory corruption vulnerability (CVE-2022-22536) in the SAP Internet Communication Manager (ICM) that could lead to full system takeover without authentication or user interaction. The ICM is present in most SAP products and is a core component of SAP NetWeaver application servers: it connects SAP applications to the Internet and serves as the SAP HTTP(S) server, a service that is exposed by default on SAP NetWeaver AS Java. The ICM is also the core of SAP Web Dispatcher and is required to run web applications written in ABAP.

The vulnerable component can be found in SAP Web Dispatcher, SAP Content Server, and the SAP NetWeaver and ABAP Platform.

CVE ID         | CVSS v3 Score | Criticality | Type                   | Description
---------------|---------------|-------------|------------------------|---------------------------------------------------------------------------
CVE-2022-22536 | 10.0          | Critical    | HTTP Request Smuggling | Memory Pipe Desynchronization
CVE-2022-22532 | 9.8           | Critical    | HTTP Request Smuggling | HTTP Request Smuggling on SAP NetWeaver Application Server Java
CVE-2022-22533 | 7.5           | High        | Use after Free & DoS   | Memory Leak in Memory Pipe Management on SAP NetWeaver Application Server Java

Analysis

CVE-2022-22536

CVE-2022-22536 is the most critical of the vulnerabilities collectively tracked as "ICMAD" (Internet Communication Manager Advanced Desync), which affect the SAP ICM component. Threat actors can exploit it with a single HTTP request, without authentication, if an HTTP proxy with a default configuration sits between the ICM and its clients.

CVE-2022-22532 & CVE-2022-22533

The other ICMAD vulnerabilities, CVE-2022-22532 and CVE-2022-22533, affect only SAP AS Java systems. According to SAP, CVE-2022-22532 is an HTTP request smuggling vulnerability in the ICM component; it is not trivial to exploit and requires a more complex attack chain to obtain remote code execution. CVE-2022-22533 is a memory leak in memory pipe management that could lead to a denial of service if successfully exploited.

SAP is unaware of any customer breaches resulting from the ICMAD vulnerabilities, and at the time of writing no PoC or exploit code is publicly available. However, threat actors actively target business-critical applications such as SAP to compromise organizations, so the absence of a public exploit should not delay patching.

Solutions and Recommendations

Arctic Wolf recommends applying the SAP security patches referenced below to mitigate the ICMAD vulnerabilities and prevent potential future exploitation. Prioritize Internet-facing SAP applications first, since they can be reached by an unauthenticated attacker directly.

CVE-2022-22536 – Affected Products & Versions:

  • SAP Web Dispatcher – Versions 7.49, 7.53, 7.77, 7.81, 7.85, 7.22EXT, 7.86, 7.87
  • SAP NetWeaver and ABAP Platform – Versions KERNEL 7.22, 8.04, 7.49, 7.53, 7.77, 7.81, 7.85, 7.86, 7.87, KRNL64UC 8.04, 7.22, 7.22EXT, 7.49, 7.53, KRNL64NUC 7.22, 7.22EXT, 7.49
  • SAP Content Server – Version 7.53

CVE-2022-22532 – Affected Products & Versions:

  • SAP NetWeaver Application Server Java – Versions KRNL64NUC 7.22, 7.22EXT, 7.49, KRNL64UC 7.22, 7.22EXT, 7.49, 7.53, KERNEL 7.22, 7.49, 7.53

CVE-2022-22533 – Affected Products & Versions:

  • SAP NetWeaver Application Server Java

CVE-2022-22536 Security Note: 3123396

CVE-2022-22532 Security Note: 3123427

CVE-2022-22533 Security Note: Security note has not been published (as of February 25, 2022)
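To turn the affected-version lists above into a patch-prioritization pass over a fleet, the following helper is an added example written for this page; it is not Arctic Wolf or SAP code. It transcribes the release lists exactly as the advisory gives them (kernel component plus release for the NetWeaver products, release alone for Web Dispatcher and Content Server, and every AS Java system for CVE-2022-22533, for which no version list has been published), parses kernel strings such as "KRNL64UC 7.22EXT", and orders the hits with Internet-facing systems first and then by highest CVSS. The inventory, host names and the `SapSystem` record are constructed for the example. A release match only tells you the system is in scope: the fix ships as a kernel patch level within the same release, so the final patched/unpatched decision must be made against the patch levels in SAP Notes 3123396 and 3123427.

```python
"""Triage SAP systems against the ICMAD affected-version lists (example code, constructed inventory)."""
import re
from dataclasses import dataclass

WEB_DISPATCHER = "SAP Web Dispatcher"
CONTENT_SERVER = "SAP Content Server"
NETWEAVER_ABAP = "SAP NetWeaver and ABAP Platform"
AS_JAVA = "SAP NetWeaver Application Server Java"

# (kernel component, release) pairs per product per CVE, transcribed from the advisory.
# "" as the component means the product is identified by release alone.
_ABAP_22536 = (
    [("KERNEL", r) for r in ("7.22", "8.04", "7.49", "7.53", "7.77", "7.81", "7.85", "7.86", "7.87")]
    + [("KRNL64UC", r) for r in ("8.04", "7.22", "7.22EXT", "7.49", "7.53")]
    + [("KRNL64NUC", r) for r in ("7.22", "7.22EXT", "7.49")]
)
_JAVA_22532 = (
    [("KRNL64NUC", r) for r in ("7.22", "7.22EXT", "7.49")]
    + [("KRNL64UC", r) for r in ("7.22", "7.22EXT", "7.49", "7.53")]
    + [("KERNEL", r) for r in ("7.22", "7.49", "7.53")]
)
AFFECTED = {
    "CVE-2022-22536": {
        WEB_DISPATCHER: {("", r) for r in ("7.49", "7.53", "7.77", "7.81", "7.85", "7.22EXT", "7.86", "7.87")},
        NETWEAVER_ABAP: set(_ABAP_22536),
        CONTENT_SERVER: {("", "7.53")},
    },
    "CVE-2022-22532": {AS_JAVA: set(_JAVA_22532)},
    # No version list published for CVE-2022-22533: every AS Java system is treated as in scope.
    "CVE-2022-22533": {AS_JAVA: None},
}
CVSS = {"CVE-2022-22536": 10.0, "CVE-2022-22532": 9.8, "CVE-2022-22533": 7.5}

# Optional kernel component, then a release such as 7.53, 8.04 or 7.22EXT.
_KERNEL_RE = re.compile(r"^(?:(KERNEL|KRNL64UC|KRNL64NUC)\s+)?(\d\.\d{2}(?:EXT)?)$")


def parse_kernel(version: str):
    """'KRNL64UC 7.22EXT' -> ('KRNL64UC', '7.22EXT'); '7.53' -> ('', '7.53')."""
    m = _KERNEL_RE.match(version.strip().upper())
    if not m:
        raise ValueError(f"unrecognised kernel version string: {version!r}")
    return (m.group(1) or "", m.group(2))


@dataclass
class SapSystem:
    host: str
    product: str
    kernel: str
    internet_facing: bool


def affected_cves(system: SapSystem):
    """CVEs whose advisory version list covers this system's product and kernel release."""
    comp, rel = parse_kernel(system.kernel)
    hits = []
    for cve, products in AFFECTED.items():
        if system.product not in products:
            continue
        versions = products[system.product]
        if versions is None:
            hits.append(cve)
        # When the inventory gives only a release, match on release regardless of component.
        elif (comp, rel) in versions or (comp == "" and any(r == rel for _, r in versions)):
            hits.append(cve)
    return hits


def prioritize(inventory):
    """[(host, cves)] for in-scope systems: Internet-facing first, then highest CVSS, then host name."""
    rows = [(s, affected_cves(s)) for s in inventory]
    rows = [(s, c) for s, c in rows if c]
    rows.sort(key=lambda sc: (not sc[0].internet_facing, -max(CVSS[c] for c in sc[1]), sc[0].host))
    return [(s.host, cves) for s, cves in rows]


# Constructed inventory for the example; host names and placement are hypothetical.
SAMPLE_INVENTORY = [
    SapSystem("wd-dmz-01.example.test", WEB_DISPATCHER, "7.53", True),
    SapSystem("erp-prd-01.example.test", NETWEAVER_ABAP, "KRNL64UC 7.22EXT", False),
    SapSystem("pi-prd-01.example.test", AS_JAVA, "KERNEL 7.53", True),
    SapSystem("cs-int-01.example.test", CONTENT_SERVER, "7.53", False),
    SapSystem("erp-dev-01.example.test", NETWEAVER_ABAP, "KERNEL 7.54", False),  # not in any list
]

if __name__ == "__main__":
    for host, cves in prioritize(SAMPLE_INVENTORY):
        print(f"{host}: {', '.join(cves)}  (verify kernel patch level against the SAP note)")
```

Run against the constructed inventory, the Internet-facing Web Dispatcher comes out first (CVSS 10.0), the Internet-facing AS Java system second (CVE-2022-22532 and CVE-2022-22533), and the internal ABAP and Content Server systems after them; the 7.54 kernel is not on any list and is dropped from the output.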


Steven Campbell

Steven Campbell is a Threat Intelligence Researcher at Arctic Wolf Labs and has more than eight years of experience in intelligence analysis and security research. He has a strong background in infrastructure analysis and adversary tradecraft.