CVE-2022-36115 in Blue Prism
Summary
by MITRE • 08/26/2022
An issue was discovered in Blue Prism Enterprise 6.0 through 7.01. In a misconfigured environment that exposes the Blue Prism Application server, it is possible for an authenticated user to reverse engineer the Blue Prism software and circumvent access controls for unintended functionality. An attacker can abuse the CreateProcessAutosave() method to inject their own functionality into a development process. If (upon a warning) a user decides to recover unsaved work by using the last saved version, the malicious code could enter the workflow. Should the process action stages not be fully reviewed before publishing, this could result in the malicious code being run in a production environment.
Analysis
by VulDB Data Team • 10/02/2022
CVE-2022-36115 affects Blue Prism Enterprise versions 6.0 through 7.01. It is a critical access control bypass that arises in misconfigured deployments where the Blue Prism Application server is exposed: in such an environment an authenticated user can reverse engineer the Blue Prism software and reach functionality the software design did not intend to expose. The entry point is the CreateProcessAutosave() method. This method exists for legitimate autosave functionality, but when it is not properly secured it becomes a vector for code injection and privilege escalation, allowing an attacker to manipulate the development workflow in ways that circumvent normal security controls.
Exploitation follows a specific pattern that relies on user trust and on the workflow recovery mechanism. An attacker with authenticated access uses the CreateProcessAutosave() method to inject their own functionality into a development process, taking advantage of the system's automatic recovery feature. When a user is shown a warning and chooses to recover unsaved work from the last saved version, the injected code enters the workflow. This is a classic case of legitimate system functionality being abused to gain unauthorized capabilities: the malicious code survives the recovery step and, if the process action stages are not fully reviewed before publishing, can later run in a production environment.
The operational impact of CVE-2022-36115 goes beyond the code injection itself and extends to full system compromise through unauthorized process execution. Malicious code introduced during the development phase can reach production without proper code review or security validation, giving the attacker a persistent foothold. Because the attack chain depends on human factors and ordinary workflow steps, such as recovering unsaved work, it is particularly dangerous: it exploits normal user behaviour rather than a technical defect the user would notice. Organizations running Blue Prism Enterprise in exposed environments therefore face unauthorized access to sensitive business processes, potential data breaches through malicious code execution, and complete compromise of automated workflow systems that often control critical business operations.
Mitigation must address both the immediate exploitation vector and the underlying architectural weakness that allows the abuse. Organizations should enforce strict access controls so that Blue Prism Application servers are never exposed outside a secure network perimeter. Remediation should further include disabling or heavily restricting the CreateProcessAutosave() method where it is not explicitly required, mandatory code review of every workflow before it is published, and automated security scanning of process files before production deployment. Security controls should also require code validation and access control review for every process modification, in line with the weaknesses catalogued as CWE-284 (improper access control) and CWE-94 (code injection). The ATT&CK framework categorizes this as privilege escalation through application access, specifically T1068 privilege escalation and T1555 credential access, which makes comprehensive monitoring and consistent access control enforcement essential to preventing exploitation.