A major security vulnerability, which has been assigned a top severity rating, threatens SAP ERP 6.0, S/4HANA, NetWeaver, and Web Dispatcher, among others. The U.S. Cybersecurity & Infrastructure Security Agency (CISA) has issued an alert warning of potential attacks on SAP products. Patch your SAP systems IMMEDIATELY!
Attackers who exploit vulnerabilities in the ERP software can compromise computers fully. Attacks are possible from both intranet and internet, without requiring verification. All SAP users should act immediately and patch their systems!
Act immediately to avoid disastrous consequences
In its alert, the CISA states that attackers could infect systems with ransomware, among other risks. The agency also warns against potential financial fraud and disruption of mission-critical business processes. It is unknown whether attacks have already occurred.
The critical vulnerability (CVE-2022-22536 CVSS, score 10/10) involves the SAP Internet Communication Manager (ICM). This core component is used by Content Server, NetWeaver ABAP and JAVA, and Web Dispatcher, among other products.
Attackers can bypass authentication, manipulating user requests and executing functions in the name of the victim. It can fully compromise systems.
Sources:
https://securityboulevard.com/2022/02/sap-security-patch-day-february-2022-severe-http-smuggling-vulnerabilities-in-sap-netweaver/ and security SAP notes.
The Security Notes 3123396 and 3123427, declared as Security Notes from the patch day on February 8, 2022, provide detailed information as to how to proceed:
3123396 – Request smuggling and request concatenation in SAP NetWeaver, SAP Content Server and SAP Web Dispatcher [CVE-2022-22536]
Please assess the workaround applicability for your SAP landscape prior to implementation. SAP note 3137885 describes a workaround.
Note that this workaround is a temporary fix and is not a permanent solution. SAP strongly recommends using it only if a patch of the affected application systems is not possible on short notice. SAP strongly recommends that you apply the corrections outlined in the security note, which can be done in lieu of the workaround or after the workaround is implemented.
Install the patch in the systems as soon as possible and remove the workaround once patching is complete!
This correction is delivered with the following archives:
- SAPWEBDISP.SAR
- Hotfix – file dw.sar
- SP Stack Kernel – files SAPEXE.SAR and SAPEXEDB.SAR
The correction requires patching both SAP Web Dispatcher and SAP Kernel. The patch solves the security issue completely. SAP cannot provide a way to test the success of the patch.
The workaround for ICM patching is described in SAP Note 3137885 – Workaround for security SAP note 3123396.
“In my opinion, the complexity of the workaround described here renders it unusable in practice. I therefore recommend applying the kernel patches immediately.”
3123427 – HTTP Request Smuggling in SAP NetWeaver Application Server Java [CVE-2022-22532]
These vulnerabilities have been fixed by proper memory handling for HTTP pipeline requests. The correction is contained in all patch levels that are equal to or higher than the patch level listed in the “Support Package Patches” section of this SAP Note for the desired kernel release. This correction is delivered with the following kernel archives:
- hotfix – DW.SAR
- SP Stack Kernel – files SAPEXE.SAR and SAPEXEDB.SAR
Please assess the workaround applicability for your SAP landscape prior to implementation. Note that this workaround is a temporary fix and is not a permanent solution. SAP strongly recommends you apply the corrections outlined in the security note, which can be done in lieu of the workaround or after the workaround is implemented.
If the support of HTTP pipeline requests is not required on the server, the workaround can be implemented to avoid the issue by disabling the support of HTTP pipeline requests via the profile parameter setting icm/handle_http_pipeline_requests=FALSE.
Ralf Kempf (CTO SAST SOLUTIONS)