BeyondTrust fixes critical vulnerability in remote access, support solutions (CVE-2024-12356)

BeyondTrust has fixed an unauthenticated command injection vulnerability (CVE-2024-12356) in its Privileged Remote Access (PRA) and Remote Support (RS) products that may allow remote code execution, and is urging organizations with on-premise installations to test the patch and implement it quickly.


About CVE-2024-12356

BeyondTrust Privileged Remote Access is an enterprise solution that mediates secure remote access to enterprise environments for employees and trusted vendors. BeyondTrust Remote Support allows organizations’ IT helpdesk personnel to securely connect to and provide support for remote systems.

CVE-2024-12356 is a command injection vulnerability stemming from the improper neutralization of special elements used in commands. It can be triggered via a malicious client request, and may allow unauthenticated remote attackers to execute underlying operating system commands within the context of the site user.

No privileges and no user interaction are required for successful exploitation, and the attack complexity is rated "low".
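The advisory classifies the flaw as "improper neutralization of special elements used in commands" (CWE-78). The following is an added, generic illustration of that class and is not BeyondTrust code; it does not reproduce the actual PRA/RS flaw, and the hypothetical "ping" helper, the hostname field and the sample payload are all constructed for the demo. `echo` stands in for the real command so the injected text is printed rather than executed as anything harmful.

```python
import re
import subprocess

# Strict allowlist for a hostname: first character alphanumeric, then only
# alphanumerics, dots and hyphens. Besides blocking shell metacharacters
# (; | & $ ` etc.) this also rejects a leading "-", which would otherwise let
# the value be parsed as an option by the target program (argument injection).
HOSTNAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9.-]{0,252}$")


def vulnerable_run(hostname: str) -> str:
    """Builds the command by string concatenation and hands it to /bin/sh.

    Anything in `hostname` is re-parsed by the shell, so a value such as
    "example.com; echo INJECTED" runs a second command. This is the
    CWE-78 pattern; the code is a constructed example, not vendor code.
    """
    cmd = "echo ping " + hostname  # attacker-controlled text reaches the shell
    out = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return out.stdout


def hardened_run(hostname: str) -> str:
    """Validates the value against the allowlist, then passes an argv list
    with no shell, so the hostname is always exactly one argument and is
    never interpreted for metacharacters."""
    if not HOSTNAME_RE.fullmatch(hostname):
        raise ValueError(f"rejected hostname: {hostname!r}")
    out = subprocess.run(["echo", "ping", hostname], capture_output=True, text=True)
    return out.stdout


if __name__ == "__main__":
    payload = "example.com; echo INJECTED"  # constructed sample input
    print("vulnerable form output:")
    print(vulnerable_run(payload))  # prints "ping example.com" and then "INJECTED"
    try:
        hardened_run(payload)
    except ValueError as exc:
        print("hardened form:", exc)
    print("hardened form output:", hardened_run("example.com"), end="")
```

Both defences matter: the argv form removes the shell from the path entirely, and the allowlist stops the value from being turned against the invoked program itself. Relying on escaping alone (quoting the value into a shell string) is the fragile option and is what typically fails in this vulnerability class.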

BeyondTrust has confirmed that the vulnerability affects all versions of the two software solutions, up until and including v24.3.1.

“A patch has been applied to all RS/PRA cloud customers as of December 16, 2024 that remediates this vulnerability,” the company said.

“On-premise customers of RS/PRA should apply the patch if their instance is not subscribed to automatic updates in their /appliance interface. If customers are on a version older than 22.1, they will need to upgrade in order to apply this patch.”

No alternative mitigations or workarounds are available.
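For on-premises administrators with more than a handful of appliances, the two vendor statements above reduce to a simple triage rule: every build up to and including 24.3.1 is affected, the patch applies from 22.1 onward, and anything older must be upgraded first. The script below is an added helper that encodes that rule over a constructed inventory; it is not BeyondTrust tooling, and the inventory lines and host names are made up. Note the caveat in the code: a version string cannot tell you whether the patch has already been installed, so the output flags work to verify, not confirmed exposure.

```python
from __future__ import annotations

# Thresholds taken from the vendor statements: affected through 24.3.1, and
# the patch requires 22.1 or later. Not BeyondTrust code.
LAST_AFFECTED = (24, 3, 1)
MIN_PATCHABLE = (22, 1, 0)

# Constructed sample inventory: "<appliance name> <version>" per line.
SAMPLE_INVENTORY = """\
pra-dc1 24.3.1
rs-helpdesk-a v24.2
pra-legacy 21.2.3
rs-lab 22.1
rs-broken not-a-version
"""


def parse_version(text: str) -> tuple[int, ...]:
    """Turn '24.3.1', 'v24.3' or '22.1.0' into a comparable integer tuple.
    Missing trailing components count as zero, so 24.3 == 24.3.0."""
    parts = text.strip().lstrip("vV").split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {text!r}")
    nums = tuple(int(p) for p in parts)
    return nums + (0,) * (3 - len(nums)) if len(nums) < 3 else nums


def triage(version: str) -> str:
    """Classify one appliance version against the published thresholds.

    Caveat: the on-prem patch does not necessarily change the reported
    version, so "affected" means "patch required unless already applied";
    confirm patch state in the /appliance interface, not from this string.
    """
    v = parse_version(version)
    if v > LAST_AFFECTED:
        return "not listed as affected"
    if v < MIN_PATCHABLE:
        return "affected: upgrade to 22.1 or later, then apply the patch"
    return "affected: apply the CVE-2024-12356 patch (verify auto-update status in /appliance)"


def triage_inventory(text: str) -> dict[str, str]:
    """Run triage over 'name version' lines; unparsable versions are reported
    rather than silently skipped, since an unknown build still needs a look."""
    results: dict[str, str] = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        name, _, version = line.strip().partition(" ")
        try:
            results[name] = triage(version)
        except ValueError as exc:
            results[name] = f"needs manual check: {exc}"
    return results


if __name__ == "__main__":
    for name, verdict in triage_inventory(SAMPLE_INVENTORY).items():
        print(f"{name:16s} {verdict}")
```

Run it against an export of your appliance list; anything in the "upgrade first" bucket is the long pole, since the page notes no workaround exists while the upgrade is pending.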

UPDATE (December 19, 2024, 05:30 a.m. ET):

BeyondTrust has released patches for another command injection vulnerability (CVE-2024-12686) in PRA/RS.

Security advisories for the two vulnerabilities don’t say how the flaws were discovered, but a separate report mentions them having been identified during a forensics investigation into a recent security incident.

“Potentially anomalous behavior was detected by our Information Security team on December 2nd, 2024, tied to one customer instance of Remote Support SaaS, and the team immediately commenced an investigation,” the company said.

On December 5th, the team confirmed that the anomalous behavior impacted a “limited number” of instances of Remote Support SaaS, which were then suspended and quarantined for forensic analysis.

Affected customers were notified, provided with alternative RS SaaS instances, and a compromised Remote Support SaaS API key was identified and revoked.

“We continue to pursue all possible paths as part of the forensic analysis, including our work with external forensic parties, to ensure we conduct as thorough an investigation as possible. We also continue to communicate and work closely with all known affected customers and will provide updates here until our investigation is concluded,” the company stated on Wednesday.

Whether the two discovered vulnerabilities have been exploited to compromise customers or were merely unearthed during this investigation is unclear. We’ve reached out to BeyondTrust for clarification, and we’ll update this article if we hear back from them.

UPDATE (December 19, 2024, 03:50 p.m. ET):

Unfortunately, BeyondTrust is seemingly not ready to answer specific questions about the discovered vulnerabilities.

“Our investigation is ongoing, and we are continuing to work with independent third-party cybersecurity firms to conduct a thorough investigation. At this time, BeyondTrust is focused on ensuring that all customer instances—both cloud and self-hosted—are fully updated and secure,” a company spokesperson told Help Net Security.

“Our priority remains supporting the limited number of customers impacted and safeguarding their environments. We will continue to provide regular updates via our website as our investigation progresses.”

But CISA has added CVE-2024-12356 to its Known Exploited Vulnerabilities catalog, so it seems likely that this incident involved its exploitation.

Affected users with deployments in the cloud have been notified by the company, while those with on-prem installations would do well to check for the presence of indicators of compromise BeyondTrust has previously shared.
