Threat Response: SAP Critical Patch Advisories

9-02-2022

On Tuesday, February 8, 2022, SAP published security updates for vulnerabilities in its products as part of its monthly patch schedule. Some of these vulnerabilities are considered ‘critical’. Most notably, one new vulnerability allows the authentication of SAP systems to be bypassed. Additionally, vulnerabilities related to Log4j have been resolved. An external attacker could use these vulnerabilities to take control of the system or obtain access to sensitive data. We recommend installing the patches that SAP released as soon as possible to remediate these vulnerabilities.

In this threat response we explain the vulnerability, the potential impact and what action you should take to prevent exploitation.

Description

On February 8, SAP released security patches as part of their monthly update schedule. SAP has published a total of 14 security advisories, of which 8 are marked as critical. These advisories describe one or more vulnerabilities that are in certain cases remotely exploitable by an attacker. Because of this, we recommend installing the published patches as soon as possible.

CVE-2022-22536 – Request smuggling and request concatenation in SAP NetWeaver, SAP Content Server and SAP Web Dispatcher

The SAP products SAP NetWeaver, SAP Content Server and SAP Web Dispatcher contain a component named ‘Internet Communication Manager’ (ICM) that is responsible for HTTP(S) communication between SAP systems and with clients. The ICM component is vulnerable to an HTTP request smuggling attack.

In an HTTP request smuggling attack, part of a specially crafted request is forwarded to a backend server in a way the receiving component did not intend. The backend server processes this input, which allows the attacker to manipulate data within the application.

In this particular case, exploitation of the vulnerability can cause an unauthenticated attacker to be treated as authenticated. The attacker thereby obtains user rights without possessing valid credentials.
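To make the request smuggling concept concrete from the defender's side, the following added example (not from Northwave or SAP, and not the specific ICM trigger, which this advisory does not describe) checks raw HTTP/1.1 requests for ambiguous message framing, the usual precondition for a front-end component forwarding more or different data to a backend than it intended; the sample requests and the host name are constructed.

```python
import re

# Constructed sample requests (not real SAP traffic) used by the checks below.
SAMPLE_CLEAN = (b"GET /sap/public/ping HTTP/1.1\r\n"
                b"Host: sap.example.invalid\r\n\r\n")
SAMPLE_CL_TE = (b"POST /sap/public/ping HTTP/1.1\r\n"
                b"Host: sap.example.invalid\r\n"
                b"Content-Length: 5\r\n"
                b"Transfer-Encoding: chunked\r\n\r\n"
                b"0\r\n\r\n")
SAMPLE_CONCAT = (b"POST /sap/public/ping HTTP/1.1\r\n"
                 b"Host: sap.example.invalid\r\n"
                 b"Content-Length: 3\r\n\r\n"
                 b"abcGET /sap/public/other HTTP/1.1\r\n"
                 b"Host: sap.example.invalid\r\n\r\n")

REQUEST_LINE = re.compile(rb"^[A-Z]+ \S+ HTTP/1\.[01]\r\n")


def parse_request(raw: bytes):
    """Split a raw HTTP/1.x request into (request line, [(name, value)], body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers, body


def framing_findings(raw: bytes) -> list:
    """Return the reasons (if any) why this request's framing is ambiguous.

    An edge proxy or WAF can log or reject requests that produce findings,
    because two parsers may disagree on where the request ends."""
    _, headers, body = parse_request(raw)
    findings = []
    cls = [v for n, v in headers if n == b"content-length"]
    tes = [v for n, v in headers if n == b"transfer-encoding"]
    if cls and tes:
        findings.append("both Content-Length and Transfer-Encoding present")
    if len(set(cls)) > 1:
        findings.append("conflicting Content-Length values")
    if any(v.lower() not in (b"chunked", b"identity") for v in tes):
        findings.append("unrecognised Transfer-Encoding value")
    if cls and not cls[0].isdigit():
        findings.append("non-numeric Content-Length")
    elif cls and REQUEST_LINE.match(body[int(cls[0]):]):
        # Bytes past the declared body that look like a new request line would
        # be read by a lenient parser as a second, attacker-chosen request.
        findings.append("second request line after declared body")
    return findings
```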

The following products and versions are affected by this vulnerability:

  • SAP Web Dispatcher, Versions – 7.49, 7.53, 7.77, 7.81, 7.85, 7.22EXT, 7.86, 7.87
  • SAP Content Server, Version – 7.53
  • SAP NetWeaver and ABAP Platform, Versions – KERNEL 7.22, 8.04, 7.49, 7.53, 7.77, 7.81, 7.85, 7.86, 7.87, KRNL64UC 8.04, 7.22, 7.22EXT, 7.49, 7.53, KRNL64NUC 7.22, 7.22EXT, 7.49

In addition to the above-mentioned vulnerability, SAP has published updates for the following products, which are affected by vulnerabilities in Log4j:

  • SAP Commerce, Versions – 1905, 2005, 2105, 2011
  • SAP Data Intelligence, Version – 3
  • SAP Dynamic Authorization Management, Version – 9.1.0.0, 2021.03
  • Internet of Things Edge Platform, Version – 4.0
  • SAP Customer Checkout, Version – 2

In mid-December 2021, Northwave published several threat responses regarding the discovered vulnerabilities in Log4j. These threat responses are available on Northwave’s website as background information[1]. We recommend following the instructions from SAP to remediate the vulnerabilities.

A complete overview of all advisories that were published this round is available on the ‘SAP Security Patch Day’ information page[2].

Impact

An attacker who successfully exploits the vulnerability is able to bypass the authentication mechanism of the affected SAP product. The attacker thereby obtains user rights, which may grant access to sensitive (user) data and system data. Given this, Northwave classifies the impact of successful exploitation as high.

Risk

At the time of writing, no exploit code is publicly available. For now, we classify the risk as medium. We do expect the first exploits to become available at short notice, as security researchers continue to publish details about this vulnerability. Because the ICM component is usually connected to the internet, Northwave classifies the risk of exploitation as high once an exploit is published.

Mitigation

SAP has released patches for the affected components that remediate the vulnerabilities. Additionally, SAP published an advisory that describes the mitigating measures in more detail[3].

What should you do?

Verify whether one or more of the mentioned SAP products are used within your organization. Install the published patches for the applicable products as soon as possible.

What will Northwave do?

Northwave will monitor any developments regarding this vulnerability. If new critical information about this threat arises, we will reach out to you. If you need additional information, you can call us by phone or send us an email.

E-mail: [email protected]

Do you have an incident right now? Call our CERT number: +31 (0)85 043 7909

Disclaimer applies, see below.

Sources

[1]: https://northwave-security.com/remote-code-execution-vulnerability-in-log4j-library/
[2]: https://wiki.scn.sap.com/wiki/display/PSR/SAP+Security+Patch+Day+-+February+2022
[3]: https://launchpad.support.sap.com/#/notes/3123396


Disclaimer
Northwave has made every effort to make this information accurate and reliable. However, the information provided is without warranty of any kind and its use is at the sole risk of the user. Northwave does not accept any responsibility or liability for the accuracy, content, completeness, legality or reliability of the information provided. We shall not be liable for any loss or damage of whatever nature, direct or indirect, consequential or other, whether arising in contract, tort or otherwise, which may arise as a result of your use of, or inability to use, this information or any additional information provided by us in direct or indirect relation to the information provided here.