
Executive Perspective: Onapsis CTO on New Vulnerabilities in Business Critical Applications

Modern organizations rely more and more on applications such as SAP, Oracle and Salesforce to run their most essential functions. Attackers have taken notice, however, and it is increasingly important for organizations to consider how they protect these business-critical applications in order to ensure operational resiliency.


Onapsis has led the way in original research into the vulnerabilities and risks stemming from these applications through its Onapsis Research Labs unit. At Black Hat this month, the team presented new research showing critical vulnerabilities in SAP software, including CVE-2022-22536 and CVE-2022-22532. The severity of the former prompted CISA to release an alert recommending that organizations patch the vulnerability as soon as possible.

Onapsis’ CTO and co-founder Juan Pablo (JP) Perez-Etchegoyen leads the research and innovation teams that produced this research and that position Onapsis as the market leader in business-critical application security, addressing some of the most complex problems organizations currently face while managing and securing their enterprise resource planning (ERP) landscapes.

NightDragon sat down with JP to discuss the recently released research, his concerns about such vulnerabilities, and how organizations can put their best foot forward in protecting their systems to withstand these possible attacks.

ONAPSIS UNVEILED SOME FASCINATING THREAT RESEARCH AT BLACK HAT 2022 THIS YEAR. WHAT WERE SOME OF THE KEY FINDINGS?

Martin Doyenhard from the Onapsis Research Labs presented two memory corruption vulnerabilities found in SAP’s proprietary HTTP Server, using novel exploitation techniques that are applicable at the HTTP protocol level. These vulnerabilities affecting the Internet Communication Manager were discovered by the Onapsis Research Labs and dubbed Internet Communication Manager Advanced Desync (ICMAD). This research was part of a broader research effort that analyzed the ICM and resulted in multiple vulnerabilities reported to SAP. Both techniques, CVE-2022-22536 and CVE-2022-22532, were remotely exploitable and could be used by unauthenticated attackers to completely compromise any SAP installation, especially those that are internet-facing.

As part of the research that resulted in the ICM vulnerabilities, Onapsis released an open source scanner in February to detect whether SAP systems are vulnerable and to validate the timely and correct application of patches.

HOW DAMAGING CAN CVE-2022-22536 AND CVE-2022-22532 BE TO DATA ACCESS? WHAT TYPES OF IMPACT COULD THEY HAVE?

More than 400,000 organizations, including 90% of Fortune 500 companies, rely on SAP’s software to keep their business up and running. At the core of every SAP deployment is the Internet Communication Manager (ICM), the piece of software in charge of handling all HTTP requests and responses.

Think about the latest capabilities and functionality that SAP is releasing, such as S/4HANA, SAP Fiori and SAP UI5. All of those capabilities rely on the SAP ICM HTTP server to function, and any vulnerability affecting this component ultimately affects end users connecting to SAP.

The Internet Communication Manager Advanced Desync (ICMAD) vulnerabilities were addressed by the US Cybersecurity and Infrastructure Security Agency and CERTs from all over the world, proving the tremendous impact they had on enterprise security. Earlier this month, CISA added CVE-2022-22536 to its Known Exploited Vulnerabilities Catalog and instructed federal agencies to address it by September 8. Onapsis Research Labs has recently seen an increase in threat activity, particularly related to CVE-2022-22536, and while we continue working on it, it is too early to make an assessment on attribution. However, exploitation of this vulnerability is valuable to attackers because it can be used to steal user sessions, ultimately compromising any business application.

Our team has also found recent evidence that vigilance around patching is always crucial, because threat actors leverage anything and everything at their disposal to target SAP applications, even vulnerabilities and misconfigurations that are more than ten years old, if they still affect SAP applications. Onapsis Research Labs recently detected the use of multiple different CVEs to target SAP applications, resulting in an update to the Known Exploited Vulnerabilities Catalog in June of this year.

HOW COMMON ARE VULNERABILITIES LIKE THIS IN BUSINESS-CRITICAL APPLICATIONS?

Business-critical applications are built upon complex and diverse software components which means they rely on millions of lines of code to function. As with any other piece of software, security vulnerabilities are possible. Even though software vendors such as SAP and Oracle make significant investments in delivering secure code, in the end, it is a matter of probability. Security vulnerabilities are out there; the key is to be ready and have the right processes and technology in place to react quickly. Vulnerabilities of this scale and criticality are less common than other vulnerabilities that affect specific pieces of business-critical application infrastructure. However, all can be exploited by attackers to gain access to your crown jewels.

HOW CAN AN ORGANIZATION KNOW IF THESE VULNERABILITIES AFFECT THEM, AND WHAT CAN THEY DO TO MITIGATE THE RISK?

The good news is that Onapsis Research Labs is a security research team focused on identifying vulnerabilities and threats within SAP and Oracle applications, following the responsible disclosure approach with those vendors and working together to ensure a fix is delivered in a timely manner. Additionally, this team works in close collaboration, and directly, with the vendors and CERTs from all over the world to generate the right levels of awareness across organizations, ultimately mitigating the vulnerabilities found.

HOW CAN AN ORGANIZATION BETTER POSITION THEMSELVES TO IDENTIFY AND RESPOND TO THESE VULNERABILITIES, KNOWING THAT THEY RELY HEAVILY ON THESE APPLICATIONS TO OPERATE THEIR BUSINESS?

Onapsis Research Labs encourages organizations running business-critical applications such as SAP and Oracle to ensure the right processes are in place to better address risk. A security program should continually evaluate overall risk rather than reactively addressing critical vulnerabilities when alerted to new CVEs. It’s important for an organization to quickly respond to vulnerabilities and exploits (and mitigate or patch accordingly). Incorporating the ability to better ascertain your security posture across your entire business application landscape (e.g., visibility into insecure authorizations, elevated privileges, misconfigurations, anomalous behavior) and preventing the introduction of new vulnerabilities into your ERP environments from new custom code are extremely important in minimizing risk.