A critical SAP vulnerability with a maximum CVSS score of 10 can be exploited through a simple unauthenticated HTTP(S) request and affects the vast majority of SAP customers -- with the affected SAP components intended, by design, to be exposed to the internet. Prompt action by users is critical. A patch landed on February 8.
Allocated CVE-2022-22536 the bug exists by default in the SAP Internet Communication Manager (ICM) which connects SAP applications to the Internet. SAP, which underpins hugely critical enterprise applications for customers like blue chip banks, the military and others has called for customers to patch urgently.
Initial scans show approximately 10,000 systems exposed and potentially vulnerable globally.
Multiple SAP applications are affected. The bug is one of three critical SAP vulnerabilities in a memory handling mechanism which can lead to full system takeover. These were reported by security firm Onapsis, which has provided a free Python script for customers to check if they are affected. The US's CISA has warned SAP systems operators to urgently review SAP’s February 2022 Security Updates page, for more information.
The cybersecurity agency added in an advisory that customers face the risk of:
- Theft of sensitive data
- Financial fraud
- Disruption of mission-critical business processes
- Ransomware, and
- Halt of all operations.
Follow The Stack on LinkedIn
Onapsis noted late Thursday that "even though the ICM can understand and handle different protocols such as P4, IIOP, SMTP, and others, one of its core purposes is to work as the SAP HTTP(S) server. This service is always present and exposed by default in an SAP Java stack and is required to run web applications in SAP ABAP (Web Dynpro) and S/4HANA systems. Additionally, the SAP ICM is part of the SAP Web Dispatcher, which means that it typically sits between most SAP application servers and the clients" (potentially, the Internet).
Onapsis warned that threat actors are "launching sophisticated attacks on business-critical SAP applications within 72 hours of the release of an SAP Security Note"; in the wake of the Log4j disclosure, in just 24 hours.
Onapsis' security advisory gives enough details for savvy offensive security researchers to work up an exploit rapidly -- detailing how the HTTP smuggling vulnerability involves desynchronization of Message Passing Interface (MPI) buffers between the ICM and the backend (Java/ABAP) processes. ("The vulnerability described in this section appears when an internal handler is able to generate a response, and the size of the request is bigger than that of the MPI Buffer. If a proxy is placed between the ICM and the clients, an attacker could leverage this to take over the application by exploiting the HTTP desynchronization between both components.")
SAP customers can expect this to be weaponised very rapidly.
Critical SAP vulnerability aside, Patch Tuesday was breezy...
The patch came amid what was otherwise a low-key Patch Tuesday, which saw Microsoft push out 51 new patches -- with not a single critical one among them. That makes it the lowest impact monthly patching update we can remember -- although there were some fixes to prioritise in the 50 "important" patches from Redmond, none of which are under active attack. Only one of the vulnerabilities fixed was deemed to be public.
Found and submitted anonymously, CVE-2022-21989 is a Windows Kernel elevation of privilege (EOP) bug with a CVSS score of 7.8. Microsoft deems attack "more likely" for this vulnerability and notes that a "successful attack could be performed from a low privilege AppContainer to... execute code or access resources at a higher integrity level than that of the AppContainer execution environment." It affects a wide range of products.
Found in-house by Microsoft, CVE-2021-21984 meanwhile is a Windows Server RCE vulnerability affecting the Microsoft DNS servers. It requires no user interaction. Exploitation is only possible if dynamic updates are enabled (although that's not uncommon.) Redmond rates it a CVSS 8.8 vulnerability.
