Warning: 3 critical vulnerabilities in SAP NetWeaver Application Server
- CVE-2022-22536 | CVSS 10.0 | Vulnerable to request smuggling and request concatenation
- CVE-2022-22532 | CVSS 8.1 | Improper shared memory buffer handling
- CVE-2022-22533 | CVSS 7.5 | Memory leak in memory pipe management that could lead to denial of service
Sources
https://wiki.scn.sap.com/wiki/display/PSR/SAP+Security+Patch+Day+-+February+2022
Risks
- An unauthenticated remote attacker could exploit CVE-2022-22536, a memory pipes (MPI) desynchronization vulnerability, using a simple HTTP request and achieve full system takeover;
- An attacker could exploit CVE-2022-22533, a memory leak in the memory pipe management, using specially crafted HTTP(S) requests to consume all MPI resources;
- CVE-2022-22532, an HTTP request smuggling vulnerability in the ICM component, does not require authentication or user interaction to exploit and could lead to remote code execution.
Description
On February 8, SAP disclosed several vulnerabilities in the Internet Communication Manager (ICM), a critical component of its NetWeaver Application Server. SAP applications manage critical business processes. SAP NetWeaver is an application and integration server that acts as the software stack for most of SAP’s applications, including solutions for critical business functions such as enterprise resource planning, customer relationship management and supply chain management.
Onapsis released a threat report on the vulnerabilities it discovered in the SAP ICM, and SAP included updates for these flaws in its most recent patch day. The Cybersecurity and Infrastructure Security Agency issued an immediate warning, stating that exploitation of these vulnerabilities could result in theft of sensitive data, fraud, disruption of operations and ransomware.
Recommended Actions
The Centre for Cyber Security Belgium recommends installing the updates for the SAP NetWeaver Server with the highest priority. Updates can be found in the SAP Advisory.
Onapsis also released an open-source tool to identify vulnerable systems within your environment.