The US Cybersecurity and Infrastructure Security Agency (CISA) has added a critical SAP vulnerability to its Known Exploited Vulnerabilities Catalog less than one week after its details were disclosed at the Black Hat and Def Con hacker conferences.
CISA added seven vulnerabilities to its catalog on Thursday and instructed federal agencies to address them by September 8. For several of the newly added security holes there do not appear to be any public reports of exploitation in the wild, but the agency has clarified in the past that it adds CVEs to the catalog only when it has reliable evidence of malicious exploitation.
The SAP vulnerability added to CISA’s list, tracked as CVE-2022-22536, was patched by the vendor in February in NetWeaver Application Server ABAP, NetWeaver Application Server Java, ABAP Platform, Content Server 7.53 and Web Dispatcher.
Onapsis, a company that specializes in protecting business-critical applications, warned at the time that CVE-2022-22536 and CVE-2022-22532 could be exploited together, but for the time being there is no mention of CVE-2022-22532 also being exploited.
The two vulnerabilities were detailed by Onapsis researcher Martin Doyhenard on August 10 at the Black Hat conference and on August 13 at the Def Con conference, in a presentation focused on exploiting inter-process communication in SAP’s HTTP server. Onapsis also released an 18-page paper detailing its findings.
“Both CVE-2022-22536 and CVE-2022-22532 were remotely exploitable and could be used by unauthenticated attackers to completely compromise any SAP installation on the planet,” Doyhenard wrote in the research paper.
There does not appear to be any public information describing the attacks exploiting CVE-2022-22536, but CISA warned in February that exploitation could lead to theft of sensitive data, financial fraud, disruption of mission-critical business processes, or ransomware deployment.
SecurityWeek has reached out to Onapsis to see if the company is aware of the attacks, but we have yet to hear back.
CISA also added to its Known Exploited Vulnerabilities Catalog two flaws affecting Microsoft products for which there do not appear to be any public reports describing exploitation in the wild.
One of them, CVE-2022-21971, is a Windows remote code execution vulnerability that Microsoft patched in February. Microsoft’s advisory still lists it as neither exploited nor publicly disclosed, with an exploitability assessment of ‘Exploitation Less Likely’. However, a proof-of-concept (PoC) exploit has been publicly available since at least March.
The second Microsoft vulnerability, CVE-2022-26923, is a privilege escalation issue affecting Active Directory Domain Services. Microsoft released a patch in May and PoC exploits were made available days later.
CISA has also added to its ‘must patch’ list the two iOS and macOS vulnerabilities addressed by Apple this week, a Chrome flaw fixed by Google this week, and a 2017 vulnerability affecting Palo Alto Networks appliances (CVE-2017-15944).
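The practical check that follows from an addition like this is not whether a CVE made the news but whether it is in the catalog, whether it touches something you run, and how many days remain before the CISA due date. The script below is an added example, not SecurityWeek's or CISA's code: it triages a KEV-format snapshot against a small asset inventory. It assumes the field names of CISA's published KEV JSON feed (cveID, vendorProject, product, dateAdded, dueDate, requiredAction); the feed sample and the inventory are constructed and abbreviated so the script runs offline, and the vendor/product strings in them are illustrative rather than copied from the live catalog.

```python
"""Triage a CISA KEV catalog snapshot against an asset inventory.

Added example (not SecurityWeek's or CISA's code). It assumes the KEV feed's
documented field names and uses a constructed sample instead of fetching the
live feed, so it runs offline.
"""
import json
from datetime import date

# Constructed sample in the shape of the KEV JSON feed. The CVE IDs and the
# 2022-09-08 due date are the ones the article reports; the vendor/product
# strings are illustrative, and real entries carry additional fields.
KEV_SAMPLE = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities (constructed sample)",
    "vulnerabilities": [
        {"cveID": "CVE-2022-22536", "vendorProject": "SAP", "product": "Multiple Products",
         "dateAdded": "2022-08-18", "dueDate": "2022-09-08",
         "requiredAction": "Apply updates per vendor instructions."},
        {"cveID": "CVE-2022-21971", "vendorProject": "Microsoft", "product": "Windows",
         "dateAdded": "2022-08-18", "dueDate": "2022-09-08",
         "requiredAction": "Apply updates per vendor instructions."},
        {"cveID": "CVE-2022-26923", "vendorProject": "Microsoft", "product": "Windows",
         "dateAdded": "2022-08-18", "dueDate": "2022-09-08",
         "requiredAction": "Apply updates per vendor instructions."},
        {"cveID": "CVE-2017-15944", "vendorProject": "Palo Alto Networks", "product": "PAN-OS",
         "dateAdded": "2022-08-18", "dueDate": "2022-09-08",
         "requiredAction": "Apply updates per vendor instructions."},
    ],
})

# Constructed inventory: hostnames and products are made up for the example.
INVENTORY = [
    {"asset": "erp-prod-01", "vendor": "SAP", "product": "NetWeaver AS ABAP 7.50"},
    {"asset": "dc01", "vendor": "Microsoft", "product": "Windows Server 2019"},
    {"asset": "fw-edge-01", "vendor": "Fortinet", "product": "FortiGate"},
]


def load_kev(text):
    """Parse a KEV feed document and return its list of vulnerability entries."""
    return json.loads(text)["vulnerabilities"]


def kev_ids(text):
    """Set of CVE IDs present in the snapshot, for quick 'is it listed?' checks."""
    return {entry["cveID"] for entry in load_kev(text)}


def _product_matches(kev_product, asset_product):
    # KEV uses "Multiple Products" when a vendor-wide advisory covers several
    # products; treat that as a wildcard for the vendor, otherwise require the
    # catalog product name to appear in the inventory product string.
    kp = kev_product.strip().lower()
    return kp == "multiple products" or kp in asset_product.lower()


def triage(kev_text, inventory, today_iso):
    """Return one finding per (KEV entry, matching asset), soonest due first.

    A negative days_left means the CISA due date has already passed.
    """
    today = date.fromisoformat(today_iso)
    findings = []
    for entry in load_kev(kev_text):
        due = date.fromisoformat(entry["dueDate"])
        for asset in inventory:
            if asset["vendor"].lower() != entry["vendorProject"].lower():
                continue
            if not _product_matches(entry["product"], asset["product"]):
                continue
            days_left = (due - today).days
            findings.append({
                "cveID": entry["cveID"],
                "asset": asset["asset"],
                "dueDate": entry["dueDate"],
                "days_left": days_left,
                "overdue": days_left < 0,
                "requiredAction": entry["requiredAction"],
            })
    findings.sort(key=lambda f: (f["days_left"], f["cveID"], f["asset"]))
    return findings


if __name__ == "__main__":
    for f in triage(KEV_SAMPLE, INVENTORY, "2022-08-25"):
        state = "OVERDUE" if f["overdue"] else f"{f['days_left']}d left"
        print(f"{f['cveID']:<15} {f['asset']:<12} due {f['dueDate']} ({state})")
```

Vendor and product matching against a real inventory is the weak point of any KEV cross-reference: catalog product names are coarse ("Multiple Products", "Windows") and rarely line up with CMDB strings, so in practice the match should be widened to a curated vendor/product mapping rather than the substring test used here, and anything unmatched should be reviewed by hand rather than silently dropped.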
By Eduard Kovacs on Fri, 19 Aug 2022 10:17:14 +0000