CISA and SAP warn about major vulnerability

German enterprise software maker SAP and the US Cybersecurity and Infrastructure Security Agency have issued security advisories on Tuesday to warn SAP customers to install the company's February security patches as soon as possible in order to prevent the exploitation of a major vulnerability in a ubiquitous SAP component.

Tracked as CVE-2022-22536, the vulnerability was discovered by cloud security firm Onapsis and impacts the SAP Internet Communication Manager (ICM).

The main purpose of this component is to provide a working HTTPS web server for all SAP products that need to be connected to the internet or talk to each other via HTTP/S, meaning that if a vulnerability is present in its code, entire SAP products are exposed to attacks 24/7.

In a report published yesterday, Onapsis said that CVE-2022-22536 is one of those dangerous bugs, allowing attackers to use malformed packets that trick SAP servers into exposing sensitive data without the attacker needing to authenticate.

The attack, known as HTTP request smuggling, could be used to steal credentials and session information from unpatched SAP servers, even if servers are placed behind proxies, Onapsis said.

"What makes these vulnerabilities particularly critical for SAP customers is the fact that the issues are present by default in the ICM component," researchers explained.

"A simple HTTP request, indistinguishable from any other valid message and without any kind of authentication, is enough for a successful exploitation."

Patches are already out, but attack surface is massive

SAP patched the issue yesterday. CVE-2022-22536 is one of eight vulnerabilities that received a severity rating of 10/10 but is the one that CISA chose to highlight in its own security advisory, primarily due to its ease of exploitation and its ubiquity in SAP products.

According to SAP, known affected products include SAP WebDispatcher, SAP Content Server, SAP ABAP, and SAP NetWeaver—one of SAP's most popular offerings.

According to a Shodan search, there are more than 5,000 SAP NetWeaver servers currently connected to the internet and exposed to attacks, lest a patch is installed.

Since the ICM component may be active in other SAP product setups, Onapsis has also released a Python script so SAP customers can test their setups and see if they are vulnerable to attacks.

In a blog post yesterday, SAP Director of Security Response Vic Chung confirmed the severity of Onapsis' findings and asked customers to apply the patches as soon as possible.

CISA warned that customers who fail to do so will be exposing themselves to ransomware attacks, the theft of sensitive data, financial fraud, and disruption or halt of business operations.