On February 8th, SAP disclosed several vulnerabilities in the Internet Communication Manager (ICM), a critical component of its NetWeaver Application Servers. One critical vulnerability, named ICMAD (CVE-2022-22536), received a CVSS score of 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H).
A remote unauthenticated attacker could exploit this vulnerability by sending a single crafted HTTP request, leading to a full system takeover and complete compromise of the Confidentiality, Integrity and Availability of the system.
While the best mitigation is to patch the vulnerable servers as soon as possible, the following SAP Notes provide additional information about the patch and available mitigations:
- 3123396 – [CVE-2022-22536] Request smuggling and request concatenation in SAP NetWeaver, SAP Content Server and SAP Web Dispatcher
- 3137885 – Workaround for security SAP note 3123396
- 3138881 – wdisp/additional_conn_close workaround for security SAP note 3123396
The Cymulate team published an Advanced Scenario scanner that looks for and identifies hosts potentially vulnerable to this threat, both inside and outside the network.