SAP fixes serious bug in ICM software that allows system takeover
Software vendor SAP has released patches for a number of vulnerabilities across many of its products. US authorities are urging administrators to apply them: the bugs carry high CVSS scores and allow remote code execution.
SAP fixed a total of 14 vulnerabilities in its monthly patch cycle. Some of the patches address the Log4j vulnerability (Log4Shell) disclosed in December. Several of the others were reported to SAP by security company Onapsis, which found multiple bugs in SAP's Internet Communication Manager (ICM). Onapsis calls that collection of bugs ICMAD. ICM is the component of SAP NetWeaver that handles HTTP(S) traffic to and from the application server, and NetWeaver underpins many of SAP's products, so the affected code is exposed wherever an SAP web interface is reachable.
The three vulnerabilities reported by Onapsis are CVE-2022-22536, CVE-2022-22532 and CVE-2022-22533. The first is the most serious and carries a CVSS score of 10.0; it is an HTTP request smuggling flaw in ICM, fixed in SAP Security Note 3123396, which also covers SAP Web Dispatcher and SAP Content Server. According to Onapsis, exploiting it takes nothing more than sending a single crafted request to a vulnerable system: no authentication and no particular configuration are required. An attacker who succeeds can execute code on the system or take it over completely.
The researchers have released a free, open-source scanner that lets system administrators check their own networks for the vulnerability. As far as is known, the flaw is not being actively exploited, but ICM sits in front of every SAP web endpoint and a public scanner also lowers the bar for attackers, so Internet-facing SAP systems should be treated as priority targets. The US Cybersecurity and Infrastructure Security Agency (CISA) has also issued a warning about the vulnerability and is calling on administrators to install the patch as soon as possible.