Feb 11, 2022

SAP Patches Severe ‘ICMAD’ Bugs

SAP’s Patch Tuesday brought fixes for a trio of flaws in the ubiquitous ICM component in internet-exposed apps. One of them, with a risk score of 10, could allow attackers to hijack identities, steal data and more.
There’s a trio of critical vulnerabilities, fixed on Tuesday, in SAP business applications that use the ubiquitous Internet Communication Manager (ICM): the component that gives SAP products the HTTPS web server they need to connect to the internet or talk to each other.
The vulnerabilities, discovered by Onapsis Research Labs, are tracked as CVE-2022-22536, CVE-2022-22532 and CVE-2022-22533. The first CVE, addressed in Security Note 3123396, received the tip-top risk score – a 10 out of 10. The other two CVEs received scores of 8.1 and 7.5, respectively.

The issues are severe enough that the U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued a security advisory about them this week. And, in a blog post, SAP director of security response Vic Chung confirmed the severity of Onapsis’ findings. He said that if they aren’t remediated, the bugs – aka “ICMAD” – “will enable attackers to execute serious malicious activity on SAP users, business information and processes.”
Specifically, successful exploitation could lead to this frightening laundry list of cybersecurity hazards:
Onapsis, which specializes in security for SAP, Oracle, Salesforce and other software-as-a-service (SaaS) platforms, joined SAP in coordinating the release of a Threat Report describing the critical vulnerabilities on Tuesday.
The firm estimated that there were tens of thousands – approximately 40,000 – SAP customers running more than 10,000 potentially affected, internet-exposed SAP applications at the time of disclosure.
SAP and Onapsis urged customers to apply both Security Note 3123396 and 3123427 without delay. Onapsis also provided a free, open-source vulnerability scanner tool to assist SAP customers in addressing the serious issues, available to download here.
“Since ICM is exposed to the internet and untrusted networks by design, vulnerabilities in this component have an increased level of risk,” Chung said.
The ICMAD bugs are critical memory-corruption vulnerabilities that should be patched promptly, given that ICM is a core component of SAP business applications – just one flavor of the business-critical apps that threat actors are actively targeting.
“As we have observed through recent threat intelligence, threat actors are actively targeting business-critical applications like SAP and have the expertise and tools to carry out sophisticated attacks,” said Mariano Nunez, CEO and co-founder of Onapsis. “The discovery and patching of the ICMAD vulnerabilities as well as those previously identified by Onapsis Research Labs, such as RECON and 10KBLAZE, are essential to protecting the business-critical applications that power 92 percent of the Forbes Global 2000.”
As of Tuesday, SAP and Onapsis weren’t aware of any breaches related to the trio of bugs, but that’s clearly no reason to delay in applying the updates in Security Note 3123396 [CVE-2022-22536] to affected SAP applications as soon as possible, they said.
021022 13:28 UPDATE: An Onapsis spokesperson told Threatpost that as of Thursday, the team still hadn’t seen either exploitation of the ICMAD flaws or a proof of concept, but that, unsurprisingly, they had seen probes scanning for the vulnerability.
Onapsis has prepared this on-demand recording that details what to do to avoid any damage.
As well, at noon ET on Thursday, Onapsis’ Nunez and SAP CISO Richard Puckett will provide a threat briefing about the ICMAD vulnerabilities.
Join SAP's #CISO Richard Puckett and me on the threat briefing about the #icmad vulnerabilities. Make sure you have all the info to protect your business-critical SAP applications. Today at 12pm ET. #sap #onapsis #research #cisa #icm #security https://t.co/QObvbdN6sp
— Mariano Nunez (@marianonunezdc) February 10, 2022

A vulnerability in ICM exposes the business-critical data enterprises depend on SAP to manage and safeguard, pointed out Casey Bisson, head of product and developer relations at code-security provider BluBracket. That goes for internal-facing apps as well as internet-facing ones, he said, given that ICM is at the core of practically all SAP-based web applications, and that includes apps that are internal-only.
“Even if the applications are internal-only, there’s still risk when combined with other threats, including disgruntled employees and compromised network devices,” he told Threatpost via email on Thursday. “This is exactly the vulnerability that threat actors like ransomware operators and state operatives are looking for.”
SAP servers are “extremely rich targets,” noted Aaron Turner, vice president of software-as-a-service (SaaS) posture at AI cybersecurity company Vectra. They have “significant” access to material business processes and, generally, have multiple privileged credentials stored and used on those servers, he said via email.
“With the Onapsis research, they have uncovered an exploit path that allows attackers to gain access to those privileged credentials to move laterally within the on-premises network, and also pivot into the cloud as most SAP customers have federated their legacy SAP workloads with cloud-based ones,” Turner explained.
He compared the potential for exploitation to that presented by Hafnium: an advanced persistent threat (APT) believed to be linked to the Chinese government that Microsoft said has carried out zero-day attacks on Microsoft Exchange servers using the group of vulnerabilities known as ProxyLogon.
“Just as Hafnium allowed attackers to pivot from on-prem Exchange to M365, this SAP attack path could allow the same,” Turner suggested. “The SAP security updates will be critical ones to install, not just to protect those on-premises SAP servers but also any systems, on-prem or cloud, that may share credentials or trust relationships with those servers.”
Mike Parkin, engineer at enterprise cyber-risk remediation SaaS provider Vulcan Cyber, told Threatpost that regardless of the current lack of reports of ICMAD exploits, “the potential risk is high.”
All the more reason for organizations that rely on the affected components to deploy the patches and other relevant mitigations “as soon as is practical,” he advised.
021022 12:24 UPDATE: Added input from Casey Bisson, Aaron Turner and Mike Parkin.