SAP to Give Threat Briefing on Uber-Severe ‘ICMAD’ Bugs


SAP’s Patch Tuesday brought fixes for a trio of flaws in the ubiquitous ICM component in internet-exposed apps. One of them, with a risk score of 10, could allow attackers to hijack identities, steal data and more.

There’s a trio of critical vulnerabilities, fixed on Tuesday, in SAP business applications that use the ubiquitous Internet Communication Manager (ICM): the component that gives SAP products the HTTPS web server they need to connect to the internet or talk to each other.

Also on Tuesday, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued a security advisory about the bugs.

Security researchers from Onapsis – the security firm that specializes in security for SAP, Oracle, Salesforce and other software-as-a-service (SaaS) platforms, and that discovered the bugs – joined SAP in coordinating the release of a Threat Report describing the critical vulnerabilities on Tuesday.

As of Tuesday, Onapsis Research Labs had estimated that there were tens of thousands – approximately 40,000 – SAP customers running more than 10,000 potentially affected, internet-exposed SAP applications.

The vulnerabilities are tracked as CVE-2022-22536, CVE-2022-22532 and CVE-2022-22533. The first CVE, addressed in Security Note 3123396, received the tip-top risk score – a 10 out of 10. The other two CVEs received scores of 8.1 and 7.5, respectively.

SAP and Onapsis urged customers to apply both Security Note 3123396 and Security Note 3123427 without delay.

Free Scanner Available

Onapsis also provided a free, open-source vulnerability scanner tool to assist SAP customers in addressing these serious issues, available to download here.

In a blog post published Tuesday, SAP Director of Security Response Vic Chung confirmed the severity of Onapsis’ findings.

Chung said that if they aren’t remediated, the bugs – aka “ICMAD” – “will enable attackers to execute serious malicious activity on SAP users, business information and processes.”

Specifically, successful exploitation could lead to this frightening laundry list of cybersecurity hazards:

Hijack of user identities, theft of all user credentials and personal information
Exfiltration of sensitive or confidential corporate information
Fraudulent transactions and financial harm
Change of banking details in a financial system of record
Internal denial-of-service attack that disrupts critical systems for the business

No Known Related Breaches – Yet

“Since ICM is exposed to the internet and untrusted networks by design, vulnerabilities in this component have an increased level of risk,” Chung said.

The ICMAD bugs are critical memory-corruption vulnerabilities that should be patched promptly: ICM is a core component of SAP business applications, which are among the business-critical apps that threat actors are actively targeting.

“As we have observed through recent threat intelligence, threat actors are actively targeting business-critical applications like SAP and have the expertise and tools to carry out sophisticated attacks,” said Mariano Nunez, CEO and co-founder of Onapsis. “The discovery and patching of the ICMAD vulnerabilities as well as those previously identified by Onapsis Research Labs, such as RECON and 10KBLAZE, are essential to protecting the business-critical applications that power 92% of the Forbes Global 2000.”

As of Tuesday, SAP and Onapsis weren’t aware of any breaches related to the trio of bugs, but that’s clearly no reason to delay in applying the updates in Security Note 3123396 [CVE-2022-22536] to affected SAP applications as soon as possible, they said.

What to Do

Onapsis has prepared this on-demand recording that details what to do to avoid any damage.

As well, at noon ET on Thursday, Onapsis’ Nunez and SAP Chief Information Security Officer Richard Puckett will provide a threat briefing about the ICMAD vulnerabilities.

Join SAP's #CISO Richard Puckett and me on the threat briefing about the #icmad vulnerabilities. Make sure you have all the info to protect your business-critical SAP applications. Today at 12pm ET. #sap #onapsis #research #cisa #icm #security https://t.co/QObvbdN6sp

— Mariano Nunez (@marianonunezdc) February 10, 2022
