Critical Vulnerability in BeyondTrust Products Exploited in the Wild
2024-12-20
Learn about the importance of patch management and how proactive security measures can protect against critical vulnerabilities and cyber attacks.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a critical command injection vulnerability in BeyondTrust's Privileged Remote Access and Remote Support products to its Known Exploited Vulnerabilities list due to evidence of active exploitation. The flaw allows unauthorized users to execute arbitrary commands. While BeyondTrust has updated its cloud instances, users with self-hosted versions need to apply specific patches. BeyondTrust was recently targeted in a cyber attack, revealing the vulnerability and leading to further investigation that uncovered another medium-severity flaw. All affected customers have been notified, but the scope of the attack and the identities of the attackers remain unknown.
Patch Management, Privilege Escalation, API Vulnerability, Third-Party Vendor/SaaS
BeyondTrust, CVE-2024-12356, Command Injection, Remote Support, Privileged Remote Access, Vulnerability Exploitation
CVE-2024-12356; CVE-2024-12686
BeyondTrust Privileged Remote Access, BeyondTrust Remote Support
CISA Flags Critical Vulnerability in BeyondTrust Software

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has flagged a critical security vulnerability in BeyondTrust's Privileged Remote Access (PRA) and Remote Support (RS) products. The vulnerability has been added to CISA's Known Exploited Vulnerabilities catalog because of evidence of active exploitation.

Vulnerability Details

The vulnerability, tracked as CVE-2024-12356, is a command injection flaw with a CVSS score of 9.8 out of 10. It allows unauthenticated attackers to run arbitrary operating system commands in the context of the site user, which can lead to a full compromise of the affected appliance.

Recommended Patches

BeyondTrust has already updated its cloud-based instances. Users of self-hosted versions must apply specific patches to secure their systems. For those using self-hosted versions, BeyondTrust recommends updating to the following patches:

Recent Cyber Attack on BeyondTrust

The vulnerability was discovered following a cyber attack on BeyondTrust in which attackers breached some Remote Support SaaS instances. The breach involved unauthorized access to a Remote Support SaaS API key, which allowed the attackers to reset passwords for local application accounts.

Additional Vulnerability Identified

BeyondTrust's investigation also revealed a second, medium-severity vulnerability, CVE-2024-12686, with a CVSS score of 6.6. This flaw allows an attacker who already holds administrative privileges to inject commands and run them as the site user. The following patches are available for remediation:

Customer Notification and Current Status

BeyondTrust has notified all affected customers, although the scale of the attacks and the identities of the threat actors remain unknown. Organizations using BeyondTrust products should apply the recommended patches promptly to mitigate the risk.
https://thehackernews.com/2024/12/cisa-adds-critical-flaw-in-beyondtrust.html?m=1