Critical SAP Vulnerabilities Could Lead To Cyberattacks If Not Patched

February 09, 2022 - Software company SAP and Onapsis Research Labs discovered three critical vulnerabilities that affect SAP applications using SAP Internet Communication Manager (ICM). Businesses worldwide, including healthcare organizations and their third-party business associates, use SAP applications to manage mission-critical business functions, including supply chain and product lifecycle management.

"Healthcare institutions in particular are responsible for highly valuable data, including patient and employee records, financials, and more — all of which are often stored in business-critical applications like SAP," JP Perez-Etchegoyen, CTO at Onapsis, told HealthITSecurity.

"As such, healthcare has proven to be a highly targeted and profitable sector for threat actors over the past several years. This became even more evident in the midst of the COVID19 pandemic as healthcare took center stage globally, a fact that did not go unnoticed by threat actors."

The Cybersecurity and Infrastructure Security Agency (CISA) warned that impacted organizations could experience financial fraud, theft of sensitive data, ransomware, and disruption of mission-critical business operations.

The three critical vulnerabilities, referred to by SAP and Onapsis as “ICMAD,” all have patches available. But if organizations fail to prioritize security notes 3123396 and 3123427, cybercriminals may easily orchestrate cyberattacks.

“Abusing these vulnerabilities could be simple for an attacker as it requires no previous authentication, no necessary preconditions, and the payload can be sent through HTTP(S),” Onapsis noted in its threat report.

Onapsis came across the vulnerabilities through its investigation into HTTP smuggling over the past year. The research firm discovered that threat actors could leverage HTTP smuggling techniques with a request indiscernible from a legitimate request, making it extremely difficult to detect.

SAP released over a dozen new security notes, but CVE-2022-22536, CVE-2022-22532, and CVE-2022-22533 received the highest threat ratings.

These vulnerabilities are difficult to detect, easy to exploit, and could lead to a complete system takeover, creating the potential for large-scale cyberattacks if not immediately patched. In addition, the Onapsis report noted that “The payloads can be sent through HTTP(S), affecting a number of core components that are intended to connect SAP systems to the ‘outside world.’”

“These notes are rated with the highest CVSS scores and affect commonly deployed components in multiple, widely deployed products from SAP,” the report continued.

“This is partly due to the fact that the affected components, by design, are intended to be exposed to the Internet, thereby greatly increasing the risk that any attacker, with access to the HTTP(S) port of a Java or ABAP system, could take over the applications and, in some circumstances, even the host OS.”

Onapsis also emphasized that it usually observes attacks within 72 hours of releasing a SAP security note. As a result, patching impacted systems should be an urgent priority.

The notice underscored the value of threat sharing across the cybersecurity space. Although widespread vulnerability disclosures have the potential to help hackers find exploitable systems, the benefits of threat sharing far outweigh the negatives. They could prevent organizations from falling victim to a preventable cyberattack.

"The Onapsis Research Labs has observed threat actors leveraging a number of different TTPs to compromise applications, and no industry is immune," Perez-Etchegoyen continued. 

"Healthcare organizations must properly prioritize the implementation of critical patches as a first step, but must also take a comprehensive and purposeful approach to securing the crown jewels of business and patient data."