
UiPath Security Advisory Libwebp Critical Vulnerability CVE-2023-5129 & CVE-2023-4863

Publish Date: October 20, 2023

Version: 1.4

The UiPath Security and Product Engineering teams have completed initial analysis of the vulnerability in the Libwebp library, categorized as CVE-2023-4863, on UiPath products. Note that our assessment is complete, but additional updates will be released to address any products currently listed as mitigated. We will update this page as relevant information is available. Our aim is to enable our customers to quickly mitigate risks to their security posture.

This vulnerability relies on the processing of a specially crafted WebP image. The affected Libwebp library is used in most modern browsers, Linux distributions, and a large number of OSS libraries that process web content. For reliable exploitation to occur, an attacker would need to cause a malicious image to be processed by a vulnerable application and also manipulate memory to make exploitation reliable. Further, modern browsers and Chromium-based applications, such as Electron, run the library in a restricted environment, so an additional vulnerability that escapes the restricted sandbox would be required to successfully exploit this issue. It is possible that simply having an affected application process an image could achieve less reliable exploitation.

The following constitute our findings to date:

1. Products that contain the vulnerable library but have no known risk because exploitation is already mitigated in these products:

  • Robot* (Windows) (All Versions)

  • Studio* (All Versions)

  • Studio Web (All Versions)

*Assistant is included as part of a common installer for Robot and Studio. Customers leveraging Assistant should update as noted further below.

2. The following products, both cloud service and the on-premises versions, do not contain the vulnerable library and have no known risk:

  • Activities* (21.10 & Higher)

  • Orchestrator (All Versions)

  • Automation Ops (All Versions)

  • Data Service (All Versions)

  • Insights (All Versions)

  • Process Mining (All Versions)

  • Test Manager (All Versions)

*UiPath.UIAutomation.Activities prior to 21.10 contain the vulnerable library but are out of support. Please upgrade to a supported version if out-of-support Activities are being used.

3. An update is available for the following products; see the Available Updates section further below on this page for details:

  • Assistant (2022.10.0-22.10.10 & 2023.4.0-2023.4.4)*

  • Robot (Linux)

*Older versions of Assistant either do not contain the vulnerable library or the risk is already mitigated.

Automation Suite (21.10 - 22.10.7):

  • Action Center

  • AI Center

  • Apps

  • Automation Hub

  • Automation Ops

  • Document Understanding

  • Task Mining

Based on mitigation already in place, the severity of this vulnerability in Automation Suite products is reduced to CVSS 2.7 (Low), with the exception of AI Center projects running on Python 3.7, which are rated CVSS 5.6 (Medium). Customers may reduce this to Low by moving those projects to Python 3.8 within AI Center; doing so brings the vulnerability score down to CVSS 2.7 (Low).

4. Cloud Products that have been remediated:

  • Action Center (Cloud)

  • AI Center (Cloud)

  • Automation Hub (Cloud)

  • Automation Ops (Cloud)

  • Document Understanding (Cloud)

  • Task Mining (Cloud)

  • Communications Mining (Cloud)

  • Integration Service (Cloud)

5. Automation Suite Products with Partial Mitigation in place:

Automation Suite (23.4.2):

  • Action Center

  • AI Center

  • Apps

  • Automation Hub

  • Automation Ops

  • Document Understanding

  • Task Mining

Based on mitigation already in place, the severity of this vulnerability in Automation Suite products is reduced to CVSS 2.7 (Low), with the exception of AI Center projects running on Python 3.7, which are rated CVSS 5.6 (Medium). Customers may reduce this to Low by moving those projects to Python 3.8 within AI Center; doing so brings the vulnerability score down to CVSS 2.7 (Low).

6. Cloud Products with mitigation in place:

  • Apps

Based on mitigation put in place, the severity of the vulnerability for Cloud Apps is reduced to a CVSS of 2.7 (Low).

  • Possible Mitigations

    1 – Update all browsers including those on robot machines. All modern internet browsers have provided updates to address this vulnerability. UiPath recommends that all customers update their browsers including those installed on machines with robots or installed on Automation Cloud Robot Virtual Machines.

    2 – Consider creating custom detection rules for .webp file interactions. Many EDR systems provide the means to build detections on file types, which can help surface potential risks. Below is an example of how to accomplish this in Microsoft Defender and subsequently quarantine the file. You may need to adjust these instructions to fit your specific implementation.

    MS Defender Steps:

    • In the Microsoft 365 Defender portal, go to Advanced hunting

    • Write a query to detect execution of .webp files such as the one below:

      DeviceFileEvents
      | where Timestamp > ago(1d)
      | where FileName endswith '.webp'

    • Once you’ve written and tested your query and are satisfied with the results, click Create detection rule in the top right corner of the Advanced Hunting page

    • In the Custom detection window, fill out the Alert details and subsequent fields to your desired configuration.

      • E.g. Actions > Files > Quarantine file

    • Once you’ve completed the Custom detection setup, click Submit to finish creating your new rule. Reference: Create and manage custom detection rules in Microsoft 365 Defender | Microsoft Learn

    3 – Consider blocking the .webp file extension in email policies. Below is an example of how .webp files can be blocked in Microsoft 365 Exchange. You may need to adjust these instructions to fit your specific implementation.

    Microsoft Exchange Steps:

    • Navigate to the M365 Exchange Anti-malware policy dashboard

    • Select your desired active (On) policy and click Edit protection settings in the details pane.

      • Ensure Enable the common attachments filter option is selected.

    • Click Select file types and type webp in the text box at the top of the detail pane.

      • Click Add, Done, then Save to finish adding .webp to the quarantined attachment file types.

    Reference: Anti-malware protection | Microsoft Learn
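    Both the Defender query and the Exchange attachment filter above key on the .webp file extension. As an added example (not part of this advisory and not UiPath code), the following Python identifies WebP content from the RIFF container header instead, so a file that has been renamed to another extension is still classified as WebP; the file names and byte strings it scans are constructed samples, not real images.

```python
import struct
from typing import Dict, List, Optional, Tuple

# Valid first-chunk identifiers in a WebP container: lossy, lossless, extended.
WEBP_CHUNKS = (b"VP8 ", b"VP8L", b"VP8X")


def classify_webp(data: bytes) -> Optional[Dict[str, object]]:
    """Return container details if `data` is WebP, else None."""
    # Layout: b'RIFF' | u32 LE (file size - 8) | b'WEBP' | fourcc | u32 LE chunk size
    if len(data) < 20 or data[:4] != b"RIFF" or data[8:12] != b"WEBP":
        return None
    riff_size = struct.unpack_from("<I", data, 4)[0]
    fourcc = data[12:16]
    chunk_size = struct.unpack_from("<I", data, 16)[0]
    if fourcc not in WEBP_CHUNKS:
        return None
    return {
        "codec": fourcc.decode("ascii").strip(),
        "chunk_size": chunk_size,
        # Truncated or padded files are still WebP; flag the mismatch so a
        # verdict never depends on the declared size being honest.
        "size_consistent": riff_size + 8 == len(data),
    }


def scan(files: Dict[str, bytes]) -> List[Tuple[str, str]]:
    """Map each file to 'webp:<codec>' or 'other', ignoring its extension."""
    results = []
    for name, data in files.items():
        info = classify_webp(data)
        results.append((name, f"webp:{info['codec']}" if info else "other"))
    return results


def make_webp(fourcc: bytes, payload: bytes) -> bytes:
    """Build a minimal constructed WebP container (header only, not decodable)."""
    chunk = fourcc + struct.pack("<I", len(payload)) + payload
    return b"RIFF" + struct.pack("<I", 4 + len(chunk)) + b"WEBP" + chunk


# Constructed samples: correctly named, renamed to .pdf, and plain text.
SAMPLES = {
    "photo.webp": make_webp(b"VP8 ", b"\x00" * 16),
    "report.pdf": make_webp(b"VP8L", b"\x2f" + b"\x00" * 11),
    "notes.txt": b"just some text\n",
}
```

An EDR or mail-gateway rule that inspects content this way complements, rather than replaces, the extension-based rules described above.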

  • Available Updates

    UiPath Assistant

    Patches are available via the Studio Installer for the following vulnerable versions of Assistant:

    2023.4.5:

    2022.10.11:

    Automation Suite

    Each link below will go to the Release Notes page where all download links can be found.

Need to Report a Security Issue to UiPath?