Skip to content

Securing your SAP Internet Communication Manager (ICM)

SAP ICM

In ancient times it was very rare having SAP systems exposed to the internet. Due to technical challenges and different use-cases, the SAP application servers resided in the shielded environment of the hosting center, often directly at customer premises. Giant air conditioners were required to cool the servers, as they had to provide services to the employees sitting behind their desktop PCs. A lot has changed since then, and the global pandemic has even lifted the need for exposed web-bases services provided by the SAP ICM that are available on the go, and from home offices, but can also be consumed via smartphones and tablets. With this change of paradigm, the security aspect for sensitive data residing in the SAP application needs to be rethought.

What is SAP ICM?

Anticipated by the name, the SAP Internet Communication Manager ensures that communication between the SAP System (NetWeaver Application Server) and the outside world via HTTP, HTTPS, and SMTP protocols works properly. In other words, once activated in transaction SMICM, the SAP NetWeaver Application Server provides a web server that serves as the foundation for web-based SAP technologies like Fiori, WebDynpro, or Business Server Pages (BSP).

The ICM comes with many security-relevant configurations for SSL encryption, cookie handling, authentication requests (HTTP) and even provides a dedicated security log. Tools like SecurityBridge Security & Compliance Management assesses the secure configuration of the ICM in SAP NW and provides guidance for customers to harden the webserver.

Network Segmentation and Service Decoupling

SAP provides various concepts to decouple the business-critical application from the systems providing services to untrusted networks. The SAP Gateway for example may be sitting in the DMZ, which allows exposing various OData services to the outside. For web-based access, the SAP Web Dispatcher provides a solution. The technology shift from remote function call more towards HTTP is mainly driven by the demand for open infrastructure and accessibility of services. Network segmentation and service decoupling is vital step towards increasing the security posture.

Secure the SAP Internet Communication Manager

While it never was a good practice to have too many services being enabled – it becomes a security nightmare in scenarios where connections to untrusted networks exist. In our recent article “Understand and Reduce the Attack Surface” we describe how SAP customers need to gain control and actively manage their security posture with the ultimate goal to reduce whatever is not needed from a business perspective.

Sticking with the Internet Communication Manager, which exists as a separate process within SAP NetWeaver Application Servers, it is possible to use system profile parameters to define whether the ICM is to be started and how it is to be configured. SAP’s Security Baseline template provides additional recommendations to prevent unintended Information Disclosure, for example by securing public endpoints that do not require authentication.

Depending on the customer-specific scenario,
server port number (profile parameter icm/server_port_<num>) and
HTTP admin port (profile parameter icm/HTTP/admin_<num>) shall be adjusted. Both ports should be protected by SSL over HTTP.

We also confirm the SAP recommendation for the Internet Communication Manager to set an individual error page (see notes 870127 and 1616535 ) that does not disclose relevant information to threat actors.

Enable and configure the ICM Security Log logging

A dedicated ICM Security Log is available for the Internet Communication Manager of SAP NW Application Server and the SAP Web Dispatcher. In newer SAP versions, the log is active by default and can be further tuned by profile parameter “icm/security_log”. The recommended settings according to the security setting of S/4HANA can be found in note 2926224.

Example from SAP Security Baseline Template v2.3:

icm/security_log= LOGFILE=dev_icm_sec_%y_%m,LEVEL=3,MAXFILES=2,MAXSIZEKB=50000,SWITCH TF=month

SecurityBridge customers have a dedicated control for this via the Security & Compliance Management application. For details refer to check U5037-0012, “Configuration of ICM Security Log”, which also provides guidance to securely configure your ICM using our best practice settings.

Concerns about performance can be neglected since this is not measurable. Only security-relevant entries are stored in this log. The entries are then, for example, of the type “Content filter matched: Permission denied” if a URL filter was applied. Or “NULL bytes in HTTP request”, which is also an indication of HTTPS traffic on the HTTP port.

It is recommended to copy the log data to another system to have it available for later forensic investigations after an intrusion. This is because an attacker may try to cover his tracks by manipulating or deleting the files. Correlation with other log sources is also easier to perform on specialized systems than in the file system or SAP NetWeaver.

Patch SAP ICM Vulnerabilities

While the SAP Web Dispatcher provides dispatching and performance load balancing capabilities, it shares the same code basis with the SAP ICM. This means that both components may share the same vulnerabilities.

Worthless to emphasizing – It is not a good practice to only rely on the security patches, but having no process in place, that ensures timely installation of issued correction e.g. via the SAP Security Patch Day, can lead to a security disaster. SAP customers need to sift through their installed base, to identify components that need to be patched, this is particularly important for components like the SAP Internet Communication Manager (ICM) that expose services to untrusted networks like the internet.

On February 8, 2022, three vulnerabilities one of them with CVSS 10.0 in SAP Internet Communication Manager (ICM) and SAP Web Dispatcher were fixed as part of SAP Security Patch Day of February 2022. Affected customers should apply the SAP security patches immediately or use the available workaround.

While the SAP Web Dispatcher provides dispatching and performance load balancing capabilities, it shares the same code basis with the SAP ICM. This means that both components may share the same vulnerabilities.

Worthless to emphasizing – It is not a good practice to only rely on the security patches, but having no process in place, that ensures timely installation of issued correction e.g. via the SAP Security Patch Day, can lead to a security disaster. SAP customers need to sift through their installed base, to identify components that need to be patched, this is particularly important for components like the SAP Internet Communication Manager (ICM) that expose services to untrusted networks like the internet.

SecurityBridge - Patch Management - System View

Above you can see an example from SecurityBridge Patch Management that provides an overview of missing SAP Security patches.

We recommend that SAP customers – irrespective of the use of an SAP Cybersecurity solution – obtain an overview of missing security updates and install them promptly if possible and in coordination with the necessary departments.

If the installation of a critical fix like “3123396 – [CVE-2022-22536] Request smuggling and request concatenation in SAP NetWeaver, SAP Content Server, and SAP Web Dispatcher” is not possible, please check if a workaround exists to mitigate the risk.

Posted by

Christoph Nagy
Find recent Security Advisories for SAP©

Looking into securing your SAP landscape? This white-paper tells you the “Top Mistakes to Avoid in SAP Security“. Download it now.

SecurityBridge at the DSAG Technologietage 2023

SecurityBridge will be attending the DSAG Technologietage 2023 from March 22nd-23rd at the Congress Center Rosengarten in Mannheim.

Meet us at SAPinsider Las Vegas 2023

March 20-23: SecurityBridge will be attending SAPInsider 2023 in Las Vegas. Come meet us and learn more about SAP Security.
SAP Cyber risk
SAP Cybersecurity- Security News
Businesses must be more cautious to protect themselves from cyber threats as digitalization and the use of SAP systems increase. SAP S/4HANA is critical for many enterprises as it provides the foundation for business operations. As digitalization and Industry 4.0 continue to increase, SAP S/4HANA lays the foundation for many modern business scenarios. SAP systems are important for many industries and their security is a major concern, making them vulnerable to cyber attackers. This article will discuss cyber risks and how you can assess your individual and organizational SAP systems' risks. What are cyber risks?
Common SAP Patches
SAP Cybersecurity- SAP Patch Management- SAP Security Patch Day- Security News
Installing SAP patches is crucial for maintaining a robust and secure enterprise resource planning (ERP) system. SAP, one of the leading ERP systems in the world, is constantly evolving to meet the changing needs of businesses. As a result, SAP releases various patches to address issues and enhance the functionality of its software. However, installing SAP patches can present challenges for IT teams, such as ensuring minimal disruption to business operations, managing risks, and testing the non-implemented patches. This article will discuss the three most common types of SAP patches- kernel patches, snote patches, and support packs - and the best practices for installing them.
SAP interfaces
SAP Cybersecurity- SAP Interface- Security News
In this blog article, we will explore the importance of SAP interface security and discuss the various measures businesses can take to protect their systems and data. We will also examine some common threats to SAP interfaces and how to mitigate them. To safeguard your business, you need to understand the importance of SAP interface security and take steps to make your interfaces secure. 
SAP security Patch day
10th January 2023 SAP response team sends some Happy New Year greeting to the SAP Security Teams, by releasing 10 SAP Security Notes.