VYPR
Severity: Unrated · Source: NVD Advisory · Published Aug 25, 2022 · Updated Aug 3, 2024

CVE-2022-36120

Description

An issue was discovered in Blue Prism Enterprise 6.0 through 7.01. In a misconfigured environment that exposes the Blue Prism Application server, it is possible for an authenticated user to reverse engineer the Blue Prism software and circumvent access controls for the getChartData administrative function. Using a low/no privilege Blue Prism user account, the attacker can alter the server's settings by abusing the getChartData method, allowing the Blue Prism server to execute any MSSQL stored procedure by name.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Authenticated low-privilege users can abuse the `getChartData` function in Blue Prism Enterprise 6.0–7.01 to execute arbitrary MSSQL stored procedures.

Vulnerability

An issue in Blue Prism Enterprise versions 6.0 through 7.01 allows an authenticated user with low or no privileges to circumvent access controls on the getChartData administrative function. This is exploitable only in a misconfigured environment where the Blue Prism Application server is exposed to the attacker. The vulnerability enables the attacker to alter server settings by abusing the getChartData method, ultimately allowing the Blue Prism server to execute any MSSQL stored procedure by name [2].

Exploitation

The attacker must have a valid low-privilege or no-privilege Blue Prism user account and network access to the exposed Application server. The attacker first reverse engineers the Blue Prism software to understand the getChartData function's behavior. Then, by abusing this function, the attacker modifies server settings to enable execution of arbitrary MSSQL stored procedures. Exploitation depends on several prerequisites, including a misconfigured environment that exposes the Application server [2].

Impact

Successful exploitation allows the attacker to execute any MSSQL stored procedure by name, potentially leading to unauthorized data access, data manipulation, privilege escalation, or further compromise of the database server. The attacker gains the ability to perform administrative database operations despite having only a low-privilege Blue Prism account.

Mitigation

SS&C Blue Prism has released patches for versions starting at 6.4, and the fix is incorporated in the latest release, version 7.1. Cloud customers are not affected, as the Blue Prism Cloud platform follows security best practices. For on-premises deployments, implementing the Blue Prism Robotic Operating Model (ROM) practices, such as logically securing the network, limiting access to approved devices, and allow-listing connections, reduces the likelihood of exploitation [2].

AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Record summary

Affected products: 2
Patches: 0 (no patches discovered yet)
Vulnerability mechanics: not yet synthesized for this CVE
References: 3
News mentions: 0 (no linked articles in the index yet)