Sensitive data theft, disruption of mission-critical business processes, ransomware, and a halt of all operations were the consequences the Cybersecurity and Infrastructure Security Agency (CISA) warned of two years ago. The alert concerned severe security flaws, termed ICMAD (Internet Communication Manager Advanced Desync), affecting businesses using SAP.
The SAP application server, which forms the foundation of any SAP system, uses ABAP, a high-level programming language. The Internet Communication Manager (ICM) ensures communication between the SAP system and the outside world. It is implemented as a separate process, monitored by the ABAP dispatcher, that processes incoming internet requests and directs them to the proper local controller for further action. The ICM includes cookie management, HTTP authentication requests, SSL encryption configurations, and a specific security log. Working with SAP NetWeaver, an ICM security set-up enhances the customer’s web server security.
With ICMAD, distinguishing harmful requests from regular ones is difficult, which contributes to this vulnerability’s critical nature. This vulnerability can severely disrupt business-critical SAP applications and presents an extensive attack surface exposed via HTTP(S) connections. It can also significantly harm the confidentiality, integrity, and availability of crucial business data and operations.
This Diet Of Alphabet Soup Will Prevent Heartburn
SAP systems must be safeguarded against ICMAD vulnerabilities. This requires mitigation strategies, which include enhancing system configurations, continuous monitoring, timely patching, and utilizing top-tier security solutions. In addition, an SAP patch management system must be integrated to minimize exploitation risks and ensure robust protection for vital systems and data. However, even with these mitigation strategies in place, system administrators must be vigilant for these reasons:
- The ICM component of SAP platforms (including NetWeaver, S/4HANA, and the SAP Web Dispatcher) is affected by the ICMAD vulnerabilities, of which CVE-2022-22536 is the most severe. This vulnerability is considered critical, with a perfect 10.0 CVSSv3 score. It allows unauthenticated, remote hackers to launch attacks via a simple HTTP request, potentially leading to complete system compromise, with consequences that include unauthorized access, data loss, and compliance problems.
- HTTP Request Smuggling (CVE-2022-22532) has a 9.8 score, and a Use After Free issue (CVE-2022-22533), rated at 7.5, also poses distinct risks.
Conclusion
Cybersecurity vigilance is the defense against ICMAD vulnerabilities within SAP systems. Organizations must embrace a proactive and comprehensive security strategy to reduce attack vectors. Strategies include implementing recommended patches in a timely manner, utilizing advanced security solutions and practices to secure the SAP landscape, and staying informed of the latest security advisories.
Following this advice will allow businesses to mitigate the immediate risks posed by inherent SAP vulnerabilities like ICMAD and strengthen the overall security atmosphere to protect against future threats. Safeguarding SAP systems is not just a technical imperative but also a strategic necessity for enterprise success and continuity. In the current climate where ransomware is a well-funded business, digital resilience is paramount—and organizations must protect their SAP systems.
By Christoph Nagy, SecurityBridge
Christoph Nagy has 20 years of working experience within the SAP industry. He has utilized this knowledge as a founding member and CEO at SecurityBridge, a global SAP security provider serving many of the world’s leading brands and now operating in the U.S. Through his efforts, the SecurityBridge Platform for SAP has become renowned as a strategic security solution for automated analysis of SAP security settings and detection of cyber-attacks in real time. Prior to SecurityBridge, Nagy applied his skills as an SAP technology consultant at Adidas and Audi.