Who Is at Risk and How To Protect Your Business-Critical SAP® Applications

Detailed research by the Onapsis Research Labs over the past year into HTTP Response Smuggling led to the discovery of a set of critical vulnerabilities affecting SAP applications that use the SAP Internet Communication Manager (ICM). We refer to this set of vulnerabilities as ICMAD (Internet Communication Manager Advanced Desync). The discovery requires immediate attention from most SAP customers, given how widely the vulnerable technology component is deployed in SAP landscapes around the world.

The SAP Internet Communication Manager (ICM) is one of the most important components of an SAP NetWeaver application server. It is present in most SAP products and is a critical part of the overall SAP technology stack, connecting SAP applications to the Internet. Because one of the ICM's core purposes is to act as the SAP HTTP(S) server, the service is always present and exposed by default in SAP NetWeaver Java systems, and it is required to run web applications on SAP ABAP systems (e.g., Web Dynpro). In addition, the ICM is a component of SAP Web Dispatcher, which means it typically sits between most SAP application servers and their clients (and those clients may be on the Internet).

The Onapsis Research Labs identified three critical vulnerabilities in a memory handling mechanism of the ICM which, if exploited, can lead to full system takeover. Exploiting the most critical of the three (CVSSv3 10.0) is simple: it requires no prior authentication and no preconditions, and the payload can be delivered over plain HTTP(S). Consequently, any unpatched SAP NetWeaver application (Java or ABAP) reachable over HTTP(S) is vulnerable to this issue, as is any application sitting behind an unpatched SAP Web Dispatcher, such as S/4HANA.
