Unrated severity · NVD Advisory · Published Aug 25, 2022 · Updated Aug 3, 2024

CVE-2022-36118

Description

An issue was discovered in Blue Prism Enterprise 6.0 through 7.01. In a misconfigured environment that exposes the Blue Prism Application server, it is possible for an authenticated user to reverse engineer the Blue Prism software and circumvent access controls for the SetProcessAttributes administrative function. Abusing this function will allow any Blue Prism user to publish, unpublish, or retire processes. Using this function, any logged-in user can change the status of a process, an action intended only for users with the Edit Process permission.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

In Blue Prism Enterprise 6.0–7.01, an authenticated user can abuse SetProcessAttributes to publish/unpublish/retire processes without proper permissions, bypassing access controls.

Vulnerability

The vulnerability exists in Blue Prism Enterprise versions 6.0 through 7.01. In a misconfigured environment exposing the Blue Prism Application server, an authenticated user can reverse engineer the software and circumvent access controls for the SetProcessAttributes administrative function. This function is intended to be restricted to users with the "Edit Process" permission, but due to the flaw, any authenticated user can invoke it. [2]

Exploitation

Exploitation requires an authenticated user in a misconfigured environment where the Blue Prism Application server is exposed. The attacker must have valid credentials. The exact steps involve reverse engineering the software to discover the bypass, then calling SetProcessAttributes to change the status of a process. The vendor notes that successful exploitation has a low probability if proper Blue Prism Robotic Operating Model (ROM) practices are followed, such as logical network segmentation and access restrictions. [2]

Impact

An attacker who successfully exploits this vulnerability can publish, unpublish, or retire processes without authorization. This allows any logged-in user to perform actions that should require the "Edit Process" permission, potentially disrupting process availability or exposing sensitive process logic. The impact is considered critical by the vendor, though the likelihood is low under recommended configurations. [2]

Mitigation

SS&C Blue Prism has released patches for versions starting at 6.4, and the fix is incorporated in version 7.1, which can be downloaded from the Blue Prism portal. Cloud customers are not affected as the platform follows security best practices. For on-premises deployments, applying the patch or upgrading to 7.1 is recommended. Additionally, following the Blue Prism ROM practices (network segmentation, restricted access) reduces the risk of exploitation. [2]

AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
