Robotic Process Automation (RPA)


 IBM RPA Client VA REPORT

Emad Abo Omara posted Sun January 04, 2026 06:00 AM

Good day,

This is regarding the subject above; here at Kuwait Oil Company (KOC) we are using the IBM RPA Automation solution to automate certain office activities.

Recently the RPA Client was checked by our information security team, and the following findings were reported:

  1. A specific hard-coded string (xxxxxxxxxxxxxxxxxxxxxxxxxxx) was found repeatedly and is explicitly named Password or zipFile1.Password. It is likely a system secret.
  2. Arithmetic operations are performed using long values and the result is then downcast into a 32-bit int without using checked arithmetic. The calculation is int num = (int)(100L * (1L - now.Ticks / dateTime.Ticks)). Without overflow checking, this can lead to silent integer overflow if the result exceeds Int32.MaxValue, causing the value to be silently truncated.
  3. The application explicitly lists a large number of specific TLS/SSL cipher suites (e.g., TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) and contains constant references to FIPS compliance (get_TlsFipsCipherSuites, FipsHelper).

All of the above listed findings were generated after the RPA Client software was decompiled.

Can you please advise us with your comments on these findings, especially point #1, and confirm what password is hard-coded within the application code?

Here is an overview of our setup:

We have IBM RPA 23.0.17 Server installed on a Windows Server OS running on-prem, connected to an MS SQL DB, using non-AD accounts for users to log in. The RPA Agent is also 23.0.17.

Waiting for your reply.

Emad Abo Omara

System Administrator
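The following C# example is added here to illustrate finding #2 from the post above; it is not IBM RPA code and not part of the original thread. It reproduces the shape of the flagged expression, 100L * (1L - a / b) narrowed to int, and shows why the reviewer cares: the default C# context is unchecked, so an out-of-range long is silently truncated, whereas a checked conversion throws OverflowException and a clamp keeps the value inside the range the caller expects. The parameter names elapsed and total and all input values are constructed assumptions; Math.Clamp requires .NET Core 2.0 / .NET 5 or later.

```csharp
using System;

// Added example, not IBM's code: demonstrates the unchecked long -> int
// downcast pattern from the VA finding beside checked and clamped versions.
static class DowncastDemo
{
    // Same shape as the flagged expression: 100L * (1L - a / b), cast to int.
    // 'elapsed' and 'total' are assumed names; the division is integer division,
    // exactly as with now.Ticks / dateTime.Ticks in the finding.
    public static int UncheckedPercent(long elapsed, long total)
    {
        // Default C# arithmetic context is unchecked: a value outside
        // Int32.MinValue..Int32.MaxValue is truncated to its low 32 bits.
        return unchecked((int)(100L * (1L - elapsed / total)));
    }

    public static int CheckedPercent(long elapsed, long total)
    {
        // 'checked' turns the same narrowing conversion into an OverflowException
        // instead of a silently wrong number.
        return checked((int)(100L * (1L - elapsed / total)));
    }

    public static int ClampedPercent(long elapsed, long total)
    {
        if (total <= 0) throw new ArgumentOutOfRangeException(nameof(total));
        long pct = 100L * (1L - elapsed / total);
        // A percentage can only meaningfully be 0..100: clamp in the wide type
        // first, then narrow. This never overflows and never throws.
        return (int)Math.Clamp(pct, 0L, 100L);
    }

    public static void Main()
    {
        // Benign, in-range input: all three variants agree.
        Console.WriteLine("unchecked: " + UncheckedPercent(0L, 10L));
        Console.WriteLine("checked:   " + CheckedPercent(0L, 10L));
        Console.WriteLine("clamped:   " + ClampedPercent(0L, 10L));

        // Constructed out-of-range input: 100 * (1 - (-big / 1)) is far above
        // Int32.MaxValue, so the unchecked cast returns a truncated value.
        long big = 50_000_000_000L;
        Console.WriteLine("unchecked, overflowed: " + UncheckedPercent(-big, 1L));
        try
        {
            CheckedPercent(-big, 1L);
            Console.WriteLine("checked: no exception (unexpected)");
        }
        catch (OverflowException e)
        {
            Console.WriteLine("checked: " + e.GetType().Name + " - " + e.Message);
        }
        Console.WriteLine("clamped: " + ClampedPercent(-big, 1L));
    }
}
```

Compile and run with `dotnet run` from a console project containing this file. In a review, the fix the security team is asking for is either the checked form (or Convert.ToInt32, which also throws on overflow) so that an unexpected value fails loudly, or the clamped form when the value has a known valid range; whether the overflow is reachable with real tick values is a separate question for the vendor, which is what the post above asks IBM to confirm.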