Onapsis, SAP Identify, Patch Critical Vulnerabilities in SAP Applications

The first vulnerability received the highest possible risk score, a 10 out of 10.

Edward Gately, Senior News Editor

February 8, 2022

2 Min Read
'Vulnerability' word in the middle of the computer screen surrounded by numbers zero and one. Image is taken in a small angle.Shutterstock

Onapsis and SAP have discovered three critical network exploitable vulnerabilities within Internet Communication Manager (ICM). It’s a core component of SAP business applications.

The first vulnerability received the highest possible risk score, a 10 out of 10. The other two received scores of 8.1 and 7.5, respectively. The Cybersecurity and Infrastructure Security Agency (CISA) is issuing an alert relating to these vulnerabilities.

These critical vulnerabilities could impact an estimated 40,000 SAP customers if they don’t install the patch.

Exploitation of the vulnerabilities, dubbed ICMAD, could allow an attacker to perform serious malicious activities. Those include:

  • Hijacking of user identities, and theft of all user credentials and personal information.

  • Exfiltration of sensitive or confidential corporate information.

  • Fraudulent transactions and financial harm.

  • Change of banking details in a financial system of record.

  • An internal denial-of-service attack that disrupts critical systems for the business.

SAP has patched these vulnerabilities. Both SAP and Onapsis advise impacted organizations to prioritize applying the fixes to their affected SAP applications immediately.

Exploitation Inevitable

JP Perez-Etchegoyen is Onapsis‘ CTO.


Onapsis’ JP Perez-Etchegoyen

“We have found no evidence of these vulnerabilities being exploited,” he said. “However, enterprises that have yet to install the patches are at extremely critical risk. As we have recently witnessed with threat groups like Elephant Beetle and BlackCat, business-critical applications remain a highly lucrative target. Threat actors have the sophistication, knowledge and tools to conduct successful exploits. So it’s only a matter of time before threat actors begin taking advantage of these vulnerabilities.”

In the past, cybercriminals have launched exploits after patches were released, Perez-Etchegoyen said.

These vulnerabilities are so critical because it’s challenging to differentiate a malicious request from a perfectly normal, benign request, Perez-Etchegoyen said. Moreover, they require no previous authentication, the exploitation is very simple and no preconditions are necessary.

The payloads can be sent through HTTP(S), SAP’s most widely used network service, he said.

Full System Takeover Possible

“Unpatched SAP NetWeaver applications, such as Java and Advanced Business Application Programming (ABAP), that are accessible through HTTP(S), or any applications sitting behind SAP Web Dispatcher, such as S/4HANA, are vulnerable,” Perez-Etchegoyen said. “If exploited by an attacker, this can lead to full system takeover.”

Onapsis Research Labs’ investigation of HTTP smuggling over the last year led to its discovery of the vulnerabilities. These vulnerabilities can be exploited in affected systems over the internet and pre-authentication. Multifactor authentication (MFA) controls won’t mitigate them.

Want to contact the author directly about this story? Have ideas for a follow-up article? Email Edward Gately or connect with him on LinkedIn.

About the Author(s)

Edward Gately

Senior News Editor, Channel Futures

As news editor, Edward Gately covers cybersecurity, new channel programs and program changes, M&A and other IT channel trends. Prior to Informa, he spent 26 years as a newspaper journalist in Texas, Louisiana and Arizona.

Free Newsletters for the Channel
Register for Your Free Newsletter Now

You May Also Like