# Full Report
BeyondTrust has disclosed details of a critical security flaw in its Privileged Remote Access (PRA) and Remote Support (RS) products that could lead to the execution of arbitrary commands. Privileged Remote Access controls, manages, and audits privileged accounts and credentials, offering zero-trust access to on-premises and cloud resources for internal, external, and third-party users.
# Analysis Summary
# Vulnerability: Critical Command Injection in BeyondTrust PRA and RS
## CVE Details
- CVE ID: CVE-2024-12356
- CVSS Score: 9.8 (Critical)
- CWE: Command Injection
## Affected Systems
- Products: BeyondTrust Privileged Remote Access (PRA) and Remote Support (RS)
- Versions: PRA versions 24.3.1 and earlier, RS versions 24.3.1 and earlier
- Configurations: On-premises installations are primarily affected unless they are subscribed to automatic updates. Cloud instances were patched on December 16, 2024. Installations on versions older than 22.1 must first upgrade before the patch can be applied.
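A small triage helper, added here as an example and not part of the advisory or any BeyondTrust tooling, that classifies an on-premises PRA or RS build against the version boundaries stated above (24.3.1 and earlier affected; older than 22.1 must upgrade before patching). The version-string format and the inventory records are assumptions constructed for the example.

```python
"""Added example: classify on-premises PRA/RS builds by advisory version ranges."""
from __future__ import annotations

import re

# Boundaries taken from the advisory summary (PRA and RS share them).
LAST_AFFECTED = (24, 3, 1)   # "24.3.1 and earlier" are affected
MIN_PATCHABLE = (22, 1, 0)   # older than 22.1 cannot take the patch directly
PATCH_IDS = ("BT24-10-ONPREM1", "BT24-10-ONPREM2")


def parse_version(text: str) -> tuple[int, int, int]:
    """Parse '24.3.1' or '22.1' into a 3-tuple, padding missing parts with 0.

    Assumption: versions are dotted integers with two or three components.
    """
    text = text.strip()
    if not re.fullmatch(r"\d+(?:\.\d+){1,2}", text):
        raise ValueError(f"unrecognised version string: {text!r}")
    parts = [int(p) for p in text.split(".")]
    while len(parts) < 3:
        parts.append(0)
    return parts[0], parts[1], parts[2]


def classify(version: str) -> str:
    """Return the action the advisory implies for a given on-premises version.

    - 'outside_advisory_range': newer than 24.3.1, not in the stated affected set
    - 'upgrade_required':       older than 22.1, upgrade before the patch applies
    - 'apply_patch':            affected and eligible for BT24-10-ONPREM1/2
    """
    v = parse_version(version)
    if v > LAST_AFFECTED:
        return "outside_advisory_range"
    if v < MIN_PATCHABLE:
        return "upgrade_required"
    return "apply_patch"


def triage(inventory: list[dict]) -> list[dict]:
    """Annotate constructed inventory records with the classification.

    Each record is {'host': ..., 'product': 'PRA'|'RS', 'version': ..., 'auto_update': bool}.
    Hosts on automatic updates are flagged so the applied build can be verified
    rather than assumed patched.
    """
    out = []
    for rec in inventory:
        status = classify(rec["version"])
        note = ""
        if status == "apply_patch":
            note = "verify one of %s is installed" % "/".join(PATCH_IDS)
            if rec.get("auto_update"):
                note = "on auto-update; " + note
        out.append({**rec, "status": status, "note": note})
    return out


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    sample = [
        {"host": "pra-01.example.test", "product": "PRA", "version": "24.3.1", "auto_update": False},
        {"host": "rs-legacy.example.test", "product": "RS", "version": "21.2.3", "auto_update": False},
        {"host": "rs-02.example.test", "product": "RS", "version": "22.1", "auto_update": True},
    ]
    for row in triage(sample):
        print(f"{row['host']:24} {row['product']:3} {row['version']:7} {row['status']:22} {row['note']}")
```

The classifier deliberately reports anything newer than 24.3.1 as "outside the advisory range" rather than "fixed", because the summary only states the affected upper bound, not the version number of the patched build.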
## Vulnerability Description
A critical command injection flaw exists in BeyondTrust PRA and RS products. This vulnerability allows an **unauthenticated attacker** to inject arbitrary operating system commands that are executed with the privileges of the site user by sending a specially crafted client request.
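The advisory does not describe the vulnerable code path, so the following is a generic illustration of the command-injection class it names, added here as an example and not taken from BeyondTrust's products. It contrasts building a shell string from an untrusted request field with passing the field as a single argv element, and adds the input validation a request handler should apply before any OS command is reached. The `echo` command and the constructed request value are assumptions chosen so the demonstration is harmless.

```python
"""Added example: untrusted request field reaching an OS command, before and after hardening."""
from __future__ import annotations

import re
import subprocess

# Constructed request value containing shell metacharacters.
CRAFTED_VALUE = "hello; echo INJECTED"

_HOSTNAME_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,62}[A-Za-z0-9])?(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]{0,62}[A-Za-z0-9])?)*$")


def run_vulnerable(value: str) -> list[str]:
    """Vulnerable pattern: the field is interpolated into a string run by /bin/sh.

    Metacharacters in `value` are interpreted by the shell, so a second command runs.
    """
    proc = subprocess.run(f"echo {value}", shell=True, capture_output=True, text=True)
    return proc.stdout.splitlines()


def run_hardened(value: str) -> list[str]:
    """Hardened pattern: no shell, the field is exactly one argv element.

    The same input is printed literally; nothing in it is parsed as a command.
    """
    proc = subprocess.run(["echo", value], capture_output=True, text=True)
    return proc.stdout.splitlines()


def validate_hostname(value: str) -> str:
    """Allowlist validation for a field that is only ever meant to be a hostname.

    Defence in depth: even with shell=False, reject values that cannot be valid
    so that downstream tools never see unexpected input.
    """
    if len(value) > 253 or not _HOSTNAME_RE.match(value):
        raise ValueError(f"rejected request field: {value!r}")
    return value


if __name__ == "__main__":
    print("vulnerable:", run_vulnerable(CRAFTED_VALUE))   # second command executed
    print("hardened:  ", run_hardened(CRAFTED_VALUE))     # printed literally
    try:
        validate_hostname(CRAFTED_VALUE)
    except ValueError as exc:
        print("validation:", exc)
```

The two run functions use `echo` only so that the effect of interpolation is visible without side effects; the structural lesson is the argv-list call with `shell=False` (the default) plus an allowlist on the field, which together remove the injection point rather than trying to escape around it.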
## Exploitation
- Status: Not explicitly stated as exploited in the wild, but the advisory was issued immediately after a security incident on December 2, 2024 involving a compromised API key for Remote Support SaaS customers, which suggests a possible active-threat context.
- Complexity: Implied to be **Low**, since the only requirement is an unauthenticated attacker sending a malicious client request.
- Attack Vector: **Network**
## Impact
- Confidentiality: High (Ability to execute arbitrary commands likely leads to data exposure)
- Integrity: High (Ability to execute arbitrary commands allows system modification)
- Availability: High (Ability to execute arbitrary commands allows denial of service or system disruption)
## Remediation
### Patches
- **Privileged Remote Access (PRA):** Fixed in patch **BT24-10-ONPREM1** or **BT24-10-ONPREM2**.
- **Remote Support (RS):** Fixed in patch **BT24-10-ONPREM1** or **BT24-10-ONPREM2**.
- Cloud instances were patched on December 16, 2024.
### Workarounds
- No workaround is listed; for on-premises customers on versions older than 22.1, an **upgrade** to a patched version is required before the available fix can be applied.
## Detection
- Detection strategies were not specified in this summary, but the vulnerability stems from malicious client requests leading to command execution. Monitoring for unexpected or anomalous commands executed under the site user account, correlated with external network traffic reaching PRA/RS endpoints, may be relevant.
- The context mentions a security incident in which an API key for Remote Support SaaS was compromised; reviewing logs for suspicious API key usage or unexpected outbound activity from the service around December 2, 2024 is prudent.
## References
- Vendor Advisory: https://www.beyondtrust.com/trust-center/security-advisories/bt24-10
- Remote Support SaaS Investigation: https://www.beyondtrust.com/remote-support-saas-service-security-investigation