Onapsis, SAP Identify, Patch Critical Vulnerabilities in SAP Applications
The first vulnerability received the highest possible risk score, a 10 out of 10.
February 8, 2022
Onapsis and SAP have discovered three critical network exploitable vulnerabilities within Internet Communication Manager (ICM). It’s a core component of SAP business applications.
The first vulnerability received the highest possible risk score, a 10 out of 10. The other two received scores of 8.1 and 7.5, respectively. The Cybersecurity and Infrastructure Security Agency (CISA) is issuing an alert relating to these vulnerabilities.
These critical vulnerabilities could impact an estimated 40,000 SAP customers if they don’t install the patch.
Exploitation of the vulnerabilities, dubbed ICMAD, could allow an attacker to perform serious malicious activities. Those include:
Hijacking of user identities, and theft of all user credentials and personal information.
Exfiltration of sensitive or confidential corporate information.
Fraudulent transactions and financial harm.
Change of banking details in a financial system of record.
An internal denial-of-service attack that disrupts critical systems for the business.
SAP has patched these vulnerabilities. Both SAP and Onapsis advise impacted organizations to prioritize applying the fixes to their affected SAP applications immediately.
JP Perez-Etchegoyen is Onapsis’ CTO.
“We have found no evidence of these vulnerabilities being exploited,” he said. “However, enterprises that have yet to install the patches are at extremely critical risk. As we have recently witnessed with threat groups like Elephant Beetle and BlackCat, business-critical applications remain a highly lucrative target. Threat actors have the sophistication, knowledge and tools to conduct successful exploits. So it’s only a matter of time before threat actors begin taking advantage of these vulnerabilities.”
In the past, cybercriminals have launched exploits after patches were released, Perez-Etchegoyen said.
These vulnerabilities are so critical because it’s challenging to differentiate a malicious request from a perfectly normal, benign request, Perez-Etchegoyen said. Moreover, they require no previous authentication, the exploitation is very simple and no preconditions are necessary.
The payloads can be sent through HTTP(S), SAP’s most widely used network service, he said.
Full System Takeover Possible
“Unpatched SAP NetWeaver applications, such as Java and Advanced Business Application Programming (ABAP), that are accessible through HTTP(S), or any applications sitting behind SAP Web Dispatcher, such as S/4HANA, are vulnerable,” Perez-Etchegoyen said. “If exploited by an attacker, this can lead to full system takeover.”
Onapsis Research Labs’ investigation of HTTP smuggling over the last year led to its discovery of the vulnerabilities. These vulnerabilities can be exploited in affected systems over the internet and without prior authentication. Multifactor authentication (MFA) controls won’t mitigate them.