CVE-2022-22433
📋 TL;DR
CVE-2022-22433 allows attackers to perform server-side request forgery (SSRF) attacks against IBM Robotic Process Automation. By exploiting improper input validation, attackers can force the application to make DNS lookups or HTTP requests to arbitrary domains, potentially attacking other systems. Organizations using IBM RPA versions 21.0.1 or 21.0.2 are affected.
💻 Affected Systems
- IBM Robotic Process Automation
⚠️ Risk & Real-World Impact
Worst Case
Attacker could use the vulnerable system as a proxy to attack internal systems, perform port scanning, access cloud metadata services, or launch attacks against third-party systems, potentially leading to data exfiltration or lateral movement.
Likely Case
Attacker uses the vulnerable system to scan internal networks, access internal services, or make requests to external attacker-controlled servers to exfiltrate data or establish command and control channels.
If Mitigated
With proper network segmentation and egress filtering, impact is limited to potential information disclosure about internal network structure and limited service enumeration.
🎯 Exploit Status
Exploitation requires authenticated access but is straightforward once authenticated. SSRF vulnerabilities are commonly weaponized in real attacks.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Apply interim fix or upgrade to version 21.0.3 or later
Vendor Advisory: https://www.ibm.com/support/pages/node/6573913
Restart Required: Yes
Instructions:
1. Download the interim fix from IBM Fix Central.
2. Apply the fix following IBM's installation instructions.
3. Restart the IBM RPA services.
4. Verify the fix is applied by checking the version.
🔧 Temporary Workarounds
Network egress filtering
Restrict outbound network connections from IBM RPA servers to only necessary destinations
Input validation enhancement
Implement additional input validation for user-supplied URLs and hostnames in custom automations
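The input validation workaround above is the kind of check a custom automation should run before it fetches a user-supplied URL. The following is an added example written for this page, not IBM's code and not part of IBM RPA: it enforces an HTTP(S)-only scheme, a host allowlist, and a post-resolution check that no address the host resolves to lies in an internal, loopback or link-local range (the latter covers the cloud metadata endpoint). The allowlist, the blocked ranges and the `resolver` hook are assumptions chosen for illustration.

```python
from __future__ import annotations

import ipaddress
import socket
from urllib.parse import urlparse

# Constructed allowlist: the only hosts a custom automation may fetch from.
ALLOWED_HOSTS = {"api.example.com", "partner.example.net"}

# Address ranges a user-influenced request must never reach. 169.254.0.0/16
# covers link-local addresses, including the cloud metadata endpoint.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "::1/128", "fc00::/7", "fe80::/10",
)]


def is_blocked_address(addr: str) -> bool:
    """True if addr falls in a range that must not be contacted."""
    ip = ipaddress.ip_address(addr)
    # An IPv4-mapped IPv6 address (::ffff:10.0.0.1) is checked as its IPv4
    # form; otherwise the IPv4 ranges above could be bypassed.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return any(ip in net for net in BLOCKED_NETWORKS)


def resolve_host(host: str) -> list[str]:
    """Default resolver: every A/AAAA address for host (raises socket.gaierror)."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def validate_url(url: str, resolver=resolve_host) -> tuple[bool, str]:
    """Return (ok, reason) for a URL supplied by a user or a workflow input.

    The resolver argument (an assumption of this example) lets callers and
    tests supply lookups without touching the network.
    """
    try:
        parts = urlparse(url)
        host = parts.hostname
        parts.port  # raises ValueError for a malformed port
    except ValueError:
        return False, "unparseable URL"
    if parts.scheme not in ("http", "https"):
        return False, f"scheme {parts.scheme!r} not permitted"
    if not host:
        return False, "missing host"
    if parts.username or parts.password:
        return False, "credentials in URL not permitted"
    if host.lower() not in ALLOWED_HOSTS:
        return False, f"host {host!r} not on allowlist"
    # Even an allowlisted name can resolve to an internal address (a stale or
    # poisoned record, or a DNS rebinding attempt), so check every address.
    try:
        addrs = resolver(host)
    except socket.gaierror:
        return False, "DNS resolution failed"
    if not addrs:
        return False, "host has no addresses"
    for addr in addrs:
        if is_blocked_address(addr):
            return False, f"host resolves to blocked address {addr}"
    return True, "ok"


if __name__ == "__main__":
    # Offline demonstration with a stubbed resolver (constructed values).
    for candidate in ("https://api.example.com/report",
                      "http://169.254.169.254/latest/meta-data/",
                      "file:///etc/hosts"):
        print(candidate, "->", validate_url(candidate, resolver=lambda h: ["203.0.113.10"]))
```

Two design points matter in practice. First, validating the name and then letting an HTTP client resolve it again leaves a window for DNS rebinding, so the fetch should connect to the address that passed the check (or re-run the check on the connected socket) and should not follow redirects automatically. Second, this is a compensating control inside the automation; the egress filtering workaround above still applies at the network layer and catches requests this code never sees.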
🧯 If You Can't Patch
- Implement strict network segmentation to isolate IBM RPA servers from sensitive internal systems
- Deploy web application firewall (WAF) rules to detect and block SSRF patterns in requests
🔍 How to Verify
Check if Vulnerable:
Check the IBM RPA version via the Control Center or command line. If the version is 21.0.1 or 21.0.2, the system is vulnerable.
Check Version:
Check version in IBM RPA Control Center or consult IBM documentation for version query commands specific to your deployment.
Verify Fix Applied:
Verify version is 21.0.3 or later, or confirm interim fix is applied via IBM Fix Central verification methods.
📡 Detection & Monitoring
Log Indicators:
- Unusual outbound HTTP/DNS requests from IBM RPA servers
- Requests to internal IP addresses or unusual domains
- Multiple failed connection attempts to various ports
Network Indicators:
- IBM RPA servers making requests to unexpected external domains
- Port scanning patterns originating from IBM RPA servers
- Requests to cloud metadata endpoints (169.254.169.254)
SIEM Query:
source="ibm-rpa" AND (dest_ip IN internal_ranges OR dest_domain NOT IN allowed_domains)
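To show what the SIEM query above actually matches, here is an added example (not IBM's code and not a query for any particular SIEM product) that applies the same logic in Python to a handful of constructed proxy/firewall log lines from an IBM RPA host: events whose source is `ibm-rpa` and whose destination is either an internal address or a domain outside an allowlist are flagged, with the metadata endpoint called out separately and the number of distinct ports contacted per internal host counted as a port-scan hint. The key=value log format, the field names, the allowlist and the internal ranges are all assumptions.

```python
import ipaddress
import re
from typing import Iterator

# Constructed allowlist of domains the RPA host legitimately contacts.
ALLOWED_DOMAINS = {"fixcentral.ibm.com", "api.example.com"}

# Assumed "internal_ranges" from the query; link-local is included so the
# cloud metadata endpoint is caught.
INTERNAL_RANGES = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16",
)]
METADATA_ENDPOINT = "169.254.169.254"

# Constructed sample log lines (key=value, as a proxy or firewall might emit).
SAMPLE_LOGS = """\
ts=2022-04-01T10:00:01Z source=ibm-rpa src_ip=10.20.0.15 dest_domain=api.example.com dest_ip=203.0.113.10 dest_port=443 status=200
ts=2022-04-01T10:00:02Z source=ibm-rpa src_ip=10.20.0.15 dest_domain=fixcentral.ibm.com dest_ip=198.51.100.7 dest_port=443 status=200
ts=2022-04-01T10:00:05Z source=ibm-rpa src_ip=10.20.0.15 dest_domain=- dest_ip=169.254.169.254 dest_port=80 status=200
ts=2022-04-01T10:00:06Z source=ibm-rpa src_ip=10.20.0.15 dest_domain=- dest_ip=10.0.0.8 dest_port=22 status=timeout
ts=2022-04-01T10:00:06Z source=ibm-rpa src_ip=10.20.0.15 dest_domain=- dest_ip=10.0.0.8 dest_port=3389 status=timeout
ts=2022-04-01T10:00:07Z source=ibm-rpa src_ip=10.20.0.15 dest_domain=x7q.example-unknown.test dest_ip=192.0.2.44 dest_port=80 status=200
ts=2022-04-01T10:00:08Z source=mailgw src_ip=10.20.0.30 dest_domain=- dest_ip=10.0.0.9 dest_port=25 status=200
"""

KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line: str) -> dict:
    """Split one key=value log line into a dict."""
    return dict(KV_RE.findall(line))


def is_internal(ip: str) -> bool:
    """True if ip lies in one of the assumed internal ranges."""
    return any(ipaddress.ip_address(ip) in net for net in INTERNAL_RANGES)


def find_ssrf_indicators(log_text: str) -> Iterator[tuple[str, dict]]:
    """Yield (reason, event) for each event matching the query's logic:
    source == ibm-rpa AND (dest_ip internal OR dest_domain not allowlisted)."""
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev.get("source") != "ibm-rpa" or "dest_ip" not in ev:
            continue
        if is_internal(ev["dest_ip"]):
            reason = ("metadata endpoint" if ev["dest_ip"] == METADATA_ENDPOINT
                      else "internal destination")
            yield reason, ev
        elif ev.get("dest_domain", "-") != "-" and ev["dest_domain"] not in ALLOWED_DOMAINS:
            yield "non-allowlisted domain", ev


def summarize(log_text: str) -> tuple[dict, dict]:
    """Count hits per reason and collect distinct ports per internal target,
    so several ports on one host stand out as a scanning pattern."""
    by_reason: dict = {}
    ports_by_dest: dict = {}
    for reason, ev in find_ssrf_indicators(log_text):
        by_reason[reason] = by_reason.get(reason, 0) + 1
        if reason == "internal destination":
            ports_by_dest.setdefault(ev["dest_ip"], set()).add(ev["dest_port"])
    return by_reason, ports_by_dest


if __name__ == "__main__":
    for reason, ev in find_ssrf_indicators(SAMPLE_LOGS):
        print(f"{ev['ts']} {reason}: {ev['dest_ip']}:{ev['dest_port']} ({ev['dest_domain']})")
    print(summarize(SAMPLE_LOGS))
```

On the sample above the two allowlisted fetches and the mail gateway event pass silently, the metadata request, the two probes at 10.0.0.8 and the request to the unknown domain are flagged, and the port summary shows 10.0.0.8 being contacted on two different ports, which is the "multiple failed connection attempts to various ports" indicator listed above. In a real deployment the allowlist should be built from a baseline of the RPA host's legitimate traffic, and any event with `dest_domain=-` plus an internal target is worth a ticket on its own.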