Dive Brief:
- More than a week after the disclosure of critical vulnerabilities in SAP Internet Communication Manager, researchers said about 10,000 internet-facing SAP applications are vulnerable, according to a blog post from Onapsis.
- SAP applications not connected to the public internet can be exploited through the Internet Communication Manager Advanced Desync (ICMAD) vulnerabilities, researchers found. SAP NetWeaver applications reachable through HTTP or SAP applications sitting behind SAP Web Dispatcher are also vulnerable to exploitation, according to Onapsis.
- SAP customers applying a patch for the ICMAD vulnerabilities say the process takes considerable time, since it requires a kernel upgrade, Onapsis CTO JP Perez-Etchegoyen said in an email. The patching process also requires a window for downtime.
Dive Insight:
Internet Communication Manager (ICM) is present and enabled in almost all SAP NetWeaver Application Servers. It is used to connect to the internet, making it critical for companies to patch the vulnerabilities as soon as possible, according to Claire Tills, senior research engineer at Tenable.
"In most cases, the component is exposed, and even if it isn’t, these vulnerabilities could enable attackers who have accessed enterprise networks through other means to move laterally or retrieve sensitive information," Tills said.
Among the three vulnerabilities, CVE-2022-22536 is rated a 10, the maximum on the severity scale. Attackers can gain full control of an affected system without needing to authenticate.
SecurityBridge CEO Christoph Nagy said vulnerability management for SAP applications covers a wide area and is not just the responsibility of the manufacturer.
SAP customization involves thousands of system configuration parameters, but custom development is possible, Nagy said.
SAP follows a standard procedure of releasing patches on the second Tuesday of each month, Nagy said. But applying those upgrades is a challenge for many customers.
"First of all, customers have to identify for which SAP systems a correction is relevant," Nagy said. "To make matters worse, direct patching of productive systems is not possible because the correction must be first implemented in the development system and can only be brought in the productive system after test acceptance."
SAP software is used by millions of customers that rely on it for core systems, including enterprise resource planning and customer relationship management.
Organizations need to look beyond just patching vulnerabilities to consider the wider range of security "exposures," according to Mitchell Schneider, Gartner principal research analyst.
The attack surface has vastly grown due to a number of factors, including the evolution of hybrid work, accelerating use of cloud infrastructure, supply chains that are more tightly interconnected and the expansion of public facing internet assets, Schneider said.
"A shift towards a more digital existence has changed perceptions about the security of cloud SaaS applications, IaaS and PaaS," Schneider said. "And also increased the diversity of the systems that organizations depend on for revenue."