A critical SAP vulnerability that was patched in February has been added to a U.S. government cyber agency’s list of exploited security bugs after being discussed last week at security conferences, leading to the possibility the hole is currently being exploited.
Security Week reports that the vulnerability, CVE-2022-22536, was added this week by the U.S. Cybersecurity and Infrastructure Security Agency (CISA) to its Known Exploited Vulnerabilities Catalog.
The catalog is a list of security holes that have been exploited in the wild that must be remediated by U.S. federal departments. The private sector is also urged to review and monitor the catalog and prioritize remediation of the listed vulnerabilities to reduce the likelihood of compromise by known threat actors.
The listing now of CVE-2022-22536, coming right after researchers from Onapsis talked about it and another critical SAP vulnerability, CVE-2022-22532, at the Black Hat and DefCon conference last week, raises the possibility that the CISA has learned hackers are trying to exploit the pair of holes after learning of them at the conference.
Onapsis says the two vulnerabilities can be exploited together. “Both CVE-2022-22536 and CVE-2022-22532 were remotely exploitable and could be used by unauthenticated attackers to completely compromise any SAP installation on the planet,” unless systems are patched, the report says.
CVE-2022-22536 is a memory corruption vulnerability in NetWeaver Application Server ABAP, NetWeaver Application Server Java, ABAP Platform, Content Server 7.53 and Web Dispatcher. According to the U.S. National Institute of Standards and Technology (NIST), the hole makes them vulnerable to request smuggling and request concatenation. An unauthenticated attacker can prepend a victim’s request with arbitrary data, says a synopsis. “This way, the attacker can execute functions impersonating the victim or poison intermediary Web caches. A successful attack could result in complete compromise of Confidentiality, Integrity and Availability of the system,” NIST says.
The other vulnerability, CVE-2022-22532, is also a memory corruption issue that affects certain versions of NetWeaver Application Server Java. NIST says it can be exploited by an unauthenticated attacker who submits a crafted HTTP server request which triggers improper shared memory buffer handling. This could allow the malicious payload to be executed and perform functions that could impersonate the victim or even steal the victim’s logon session.
The two vulnerabilities have been broadly known since February and therefore should have been addressed by now by SAP administrators. Arctic Wolf was among the security vendors issuing warnings in February about them.
Its report described CVE-2022-22536 as a critical memory corruption vulnerability in the SAP Internet Communication Manager (ICM) component of a number of products that could lead to full system takeover without authentication or user interaction.