CVE-2024-6922 in Automation 360

Summary

by MITRE • 07/26/2024

Automation Anywhere Automation 360 v21-v32 is vulnerable to Server-Side Request Forgery in a web API component. An attacker with unauthenticated access to the Automation 360 Control Room HTTPS service (port 443) or HTTP service (port 80) can trigger arbitrary web requests from the server.


Analysis

by VulDB Data Team • 07/29/2024

The vulnerability identified as CVE-2024-6922 affects Automation Anywhere Automation 360 versions 21 through 32, presenting a critical server-side request forgery flaw within its web API component. This vulnerability allows attackers to initiate arbitrary web requests from the affected server, potentially enabling them to access internal systems or resources that would normally be restricted from external access. The issue stems from insufficient validation of user-supplied input within the web API endpoint, which processes requests without properly sanitizing or verifying the destination URLs. Attackers can exploit this weakness by crafting malicious requests that direct the server to make HTTP or HTTPS calls to internal services, external malicious servers, or sensitive endpoints that should remain protected.

The vulnerability corresponds to CWE-918, server-side request forgery: the application takes untrusted input and uses it to build an HTTP request without adequately validating the destination. The flaw sits at the application layer and maps to ATT&CK technique T1190 - Exploit Public-Facing Application, since it is reached through an externally accessible web service. It is particularly dangerous because exploitation requires no authentication, so anyone who can reach the Automation 360 Control Room services can potentially leverage it. Because the Control Room listens on the standard web ports 80 and 443, the exposed surface is broad and readily reachable by an attacker who has already gained reconnaissance access to the network.

The operational impact of this vulnerability extends beyond simple data exfiltration or service disruption. An attacker could potentially use this flaw to perform internal network reconnaissance by targeting internal services such as databases, application servers, or other critical infrastructure components that reside behind firewalls. The vulnerability could also enable attackers to perform credential theft through access to internal authentication systems, or to launch further attacks against other systems within the network. Additionally, the compromised server could be used as a pivot point for lateral movement, allowing attackers to escalate their privileges and expand their access within the organization's infrastructure. The exposure of internal systems through this vulnerability could lead to significant data breaches, system compromise, or regulatory compliance violations depending on the nature of the accessed resources.

Organizations should implement immediate mitigations including network segmentation to restrict access to the Automation 360 Control Room services, deployment of web application firewalls to monitor and filter incoming requests, and implementation of strict input validation for all API endpoints. The most effective long-term solution involves upgrading to versions of Automation 360 that have patched this vulnerability, as provided by Automation Anywhere. Additional security measures should include monitoring for unusual outbound network connections from the affected servers, implementing network access controls to prevent lateral movement, and conducting thorough security assessments of the affected systems. Organizations should also consider implementing application-level controls such as request filtering, URL validation, and restricting outbound connections from the server to prevent unauthorized external communications. Regular security updates and vulnerability assessments are crucial to maintaining protection against similar threats in the future.
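One way to implement the application-level URL validation recommended above, as an added example rather than code from Automation Anywhere or VulDB: an allowlist of destination hosts combined with a check of every resolved address, so that private, loopback, link-local (cloud metadata) and multicast targets are refused. The host names, the allowlist and the FAKE_DNS table are constructed so the example runs offline.

```python
# Added example, not Automation Anywhere code: allowlist and resolved-address
# check for a server-side URL fetch (CWE-918). FAKE_DNS and hosts are constructed.
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_PORTS = {80, 443}
FAKE_DNS = {  # constructed stand-in for socket.getaddrinfo()
    "partner.example": {"93.184.216.34"},
    "internal.example": {"10.0.0.5"},
    "rebind.example": {"93.184.216.34", "127.0.0.1"},
}

def fake_resolver(host):
    if host not in FAKE_DNS:
        raise socket.gaierror(f"unresolvable: {host}")
    return FAKE_DNS[host]

def is_public_address(addr):
    """Global unicast only: no loopback, RFC 1918, link-local/metadata, multicast."""
    ip = ipaddress.ip_address(addr)
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped:
        ip = ip.ipv4_mapped  # judge ::ffff:10.0.0.1 as 10.0.0.1
    return ip.is_global and not ip.is_multicast

def validate_outbound_url(url, allowed_hosts, resolver=fake_resolver):
    """Return (ok, reason). Connect to the checked address afterwards, not to
    the name again, or a DNS rebinding answer bypasses this check."""
    parts = urlsplit(url)  # urlsplit already lowercases scheme and hostname
    if parts.scheme not in ALLOWED_SCHEMES:
        return False, "scheme not allowed"
    if parts.username or parts.password:
        return False, "credentials in URL"
    try:
        port = parts.port or (443 if parts.scheme == "https" else 80)
    except ValueError:
        return False, "invalid port"
    if port not in ALLOWED_PORTS:
        return False, "port not allowed"
    if parts.hostname not in allowed_hosts:  # allowlist, never a denylist
        return False, "host not on allowlist"
    try:
        addrs = resolver(parts.hostname)
    except OSError:  # socket.gaierror subclasses OSError
        return False, "unresolvable host"
    if not addrs or not all(is_public_address(a) for a in addrs):
        return False, "resolves to a non-public address"
    return True, "ok"
```

In production, swap `fake_resolver` for one built on `socket.getaddrinfo()` and pair this check with network-layer egress filtering, since it only covers requests that pass through it.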

Responsible

Rapid7

Reservation

07/19/2024

Disclosure

07/26/2024

Moderation

accepted

CPE

ready

EPSS

0.30172

KEV

no

Activities

very low
