How to secure SAP ICM?

SAP ICM

Not so long ago it was very rare to have SAP systems exposed to the internet. Due to technical challenges and different use cases, the SAP application servers resided in the shielded environment of the hosting center, often directly at customer premises. Giant air conditioners were required to cool the servers, as they had to provide services to the employees sitting behind their desktop PCs. A lot has changed since then, and the global pandemic has further increased the need for exposed web-based services provided by the SAP ICM that are available on the go and from home offices, and that can also be consumed via smartphones and tablets. With this change of paradigm, the security of sensitive data residing in the SAP application needs to be rethought.

What is SAP ICM?

As the name suggests, the SAP Internet Communication Manager ensures that communication between the SAP system (NetWeaver Application Server) and the outside world via the HTTP, HTTPS, and SMTP protocols works properly. In other words, once activated in transaction SMICM, the SAP NetWeaver Application Server provides a web server that serves as the foundation for web-based SAP technologies like Fiori, WebDynpro, or Business Server Pages (BSP).

The ICM comes with many security-relevant configurations for SSL encryption, cookie handling, authentication requests (HTTP) and even provides a dedicated security log. Tools like SecurityBridge Security & Compliance Management assess the secure configuration of the ICM in SAP NW and provide guidance for customers to harden the web server.

Network Segmentation and Service Decoupling

SAP provides various concepts to decouple the business-critical application from the systems providing services to untrusted networks. The SAP Gateway, for example, may sit in the DMZ, which allows exposing various OData services to the outside. For web-based access, the SAP Web Dispatcher provides a solution. The technology shift from remote function calls towards HTTP is mainly driven by the demand for open infrastructure and accessibility of services. Network segmentation and service decoupling is a vital step towards increasing the security posture.

Secure the SAP Internet Communication Manager

While it was never good practice to have too many services enabled, it becomes a security nightmare in scenarios where connections to untrusted networks exist. In our recent article “Understand and Reduce the Attack Surface” we describe how SAP customers need to gain control and actively manage their security posture with the ultimate goal of reducing whatever is not needed from a business perspective.

Sticking with the Internet Communication Manager, which runs as a separate process within SAP NetWeaver Application Servers, system profile parameters define whether the ICM is started and how it is configured. SAP’s Security Baseline template provides additional recommendations to prevent unintended information disclosure, for example by securing public endpoints that do not require authentication.

Depending on the customer-specific scenario, the server port number (profile parameter icm/server_port_<num>) and the HTTP admin port (profile parameter icm/HTTP/admin_<num>) should be adjusted. Both ports should be protected with SSL (HTTPS).

We also endorse the SAP recommendation for the Internet Communication Manager to set an individual error page (see notes 870127 and 1616535) that does not disclose relevant information to threat actors.

Enable and configure the ICM Security Log

A dedicated ICM Security Log is available for the Internet Communication Manager of the SAP NW Application Server and for the SAP Web Dispatcher. In newer SAP versions, the log is active by default and can be further tuned via the profile parameter “icm/security_log”. The recommended settings according to the security settings of S/4HANA can be found in note 2926224.

Example from SAP Security Baseline Template v2.3:

icm/security_log = LOGFILE=dev_icm_sec_%y_%m,LEVEL=3,MAXFILES=2,MAXSIZEKB=50000,SWITCHTF=month

SecurityBridge customers have a dedicated control for this via the Security & Compliance Management application. For details refer to check U5037-0012, “Configuration of ICM Security Log”, which also provides guidance to securely configure your ICM using our best practice settings.
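As an added example (not from the article, SAP, or the SecurityBridge product), the following script reads the two parameter families discussed above from an instance profile and reports deviations: server ports whose PROT is not HTTPS, and icm/security_log sub-parameters that fall short of the baseline values quoted from the Security Baseline Template v2.3. The sample profile is constructed; the assumption that a numeric value below the baseline counts as a deviation is mine, and the admin port (icm/HTTP/admin_<num>) is not covered.

```python
import re

# Constructed sample instance profile (not a real system); the first
# server port is plain HTTP and the security log is below the baseline.
SAMPLE_PROFILE = """\
icm/server_port_0 = PROT=HTTP,PORT=8000,TIMEOUT=60
icm/server_port_1 = PROT=HTTPS,PORT=44300
icm/security_log = LOGFILE=dev_icm_sec_%y_%m,LEVEL=1,MAXFILES=2,MAXSIZEKB=10000
"""

# Sub-parameter values from the Security Baseline Template v2.3 as quoted in the text.
SECURITY_LOG_BASELINE = {"LEVEL": 3, "MAXFILES": 2, "MAXSIZEKB": 50000, "SWITCHTF": "month"}


def parse_profile(text):
    """Return {parameter: {SUBKEY: value}} for every icm/* line in a profile."""
    params = {}
    for line in text.splitlines():
        m = re.match(r"\s*(icm/\S+)\s*=\s*(.*)", line)
        if not m:
            continue
        sub = {}
        for item in m.group(2).split(","):
            key, _, value = item.strip().partition("=")
            sub[key.upper()] = value.strip()
        params[m.group(1)] = sub
    return params


def check_icm(text):
    """Return a list of (parameter, finding) tuples; an empty list means no deviation."""
    findings = []
    params = parse_profile(text)
    # Every listening port should be SSL-protected (PROT=HTTPS).
    for name, sub in params.items():
        if name.startswith("icm/server_port_") and sub.get("PROT", "").upper() != "HTTPS":
            findings.append((name, f"port {sub.get('PORT', '?')} is not SSL-protected"))
    log = params.get("icm/security_log")
    if log is None:
        findings.append(("icm/security_log", "parameter not set; relying on the default"))
        return findings
    for key, want in SECURITY_LOG_BASELINE.items():
        have = log.get(key)
        if have is None:
            findings.append(("icm/security_log", f"{key} missing (baseline {want})"))
        elif isinstance(want, int) and (not have.isdigit() or int(have) < want):
            findings.append(("icm/security_log", f"{key}={have} below baseline {want}"))
        elif isinstance(want, str) and have.lower() != want:
            findings.append(("icm/security_log", f"{key}={have} differs from baseline {want}"))
    return findings
```

Running check_icm(SAMPLE_PROFILE) reports the HTTP port plus three security-log deviations (LEVEL, MAXSIZEKB, missing SWITCHTF).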

Performance concerns can be disregarded, as the overhead is not measurable: only security-relevant entries are written to this log. Entries are, for example, of the type “Content filter matched: Permission denied” when a URL filter was applied, or “NULL bytes in HTTP request”, which is also an indication of HTTPS traffic being sent to the HTTP port.

It is recommended to copy the log data to another system so that it remains available for forensic investigation after an intrusion, because an attacker may try to cover their tracks by manipulating or deleting the files. Correlation with other log sources is also easier to perform on specialized systems than in the file system or in SAP NetWeaver.

Patch SAP ICM Vulnerabilities

While the SAP Web Dispatcher provides dispatching and performance load balancing capabilities, it shares the same code basis with the SAP ICM. This means that both components may share the same vulnerabilities.

Needless to say, it is not good practice to rely on security patches alone, but having no process in place that ensures the timely installation of issued corrections, e.g. via the SAP Security Patch Day, can lead to a security disaster. SAP customers need to sift through their installed base to identify components that need to be patched. This is particularly important for components like the SAP Internet Communication Manager (ICM) that expose services to untrusted networks like the internet.

On February 8, 2022, three vulnerabilities, one of them rated CVSS 10.0, in SAP Internet Communication Manager (ICM) and SAP Web Dispatcher were fixed as part of the SAP Security Patch Day of February 2022. Affected customers should apply the SAP security patches immediately or use the available workaround.

SecurityBridge - Patch Management - System View

Above you can see an example from SecurityBridge Patch Management that provides an overview of missing SAP Security patches.

We recommend that SAP customers – irrespective of the use of an SAP Cybersecurity solution – obtain an overview of missing security updates and install them promptly if possible and in coordination with the necessary departments.

If the installation of a critical fix like “3123396 – [CVE-2022-22536] Request smuggling and request concatenation in SAP NetWeaver, SAP Content Server, and SAP Web Dispatcher” is not possible, please check if a workaround exists to mitigate the risk.

Posted by

Christoph Nagy