Description
A critical vulnerability has been identified in Privileged Remote Access (PRA) and Remote Support (RS).
Affected Product(s)
- BeyondTrust Privileged Remote Access (PRA) versions up to 24.3.1
- BeyondTrust Remote Support (RS) versions up to 24.3.1
Technical Details
The CVE-2024-12686 vulnerability has been discovered within BeyondTrust’s Privileged Remote Access (PRA) and Remote Support (RS) products. This issue arises from an improper neutralization of special elements used in operating system commands, also known as OS Command Injection. By exploiting this flaw, an attacker who already has administrative privileges can inject arbitrary commands into scripts executed by the system, potentially running these commands as a site user.
Privileged Remote Access (PRA) is a secure platform used by organizations to enable remote access to critical systems. It allows administrative tasks to be executed from a remote location, providing an environment where administrators can perform their duties with appropriate access controls and auditing in place. Remote Support (RS), on the other hand, is deployed to aid helpdesk and technical support operations by enabling remote troubleshooting and issue resolution. The specific method of exploitation stems from improper input validation on components handling commands or scripts.
When an application does not properly sanitize user input, especially from entities that already have a degree of privilege, it becomes susceptible to command injection attacks. An attacker can manipulate input data and craft a payload that gets executed in the context of the system’s operating environment. Discovered by security researchers, this vulnerability carries a CVSS v3 severity score of 7.2, classifying it as high severity. Its significance lies in the combination of attack complexity and the level of access required for exploitation. Although administrative privileges are necessary to execute the attack, the injected commands can have far-reaching consequences, reaching the core of system operations and potentially resulting in a total system compromise.
Affected versions of BeyondTrust’s PRA include 22.2.1 to 24.3.1, while the RS versions impacted range from 9.0.0 to 24.3.1. Both products facilitate communication over authenticated channels, escalating the risk if command injection attacks are executed within trusted sessions. In the worst case, adversaries could leverage this flaw to pivot within the network, establish persistence, or exfiltrate sensitive data from compromised systems. Historically, command injection flaws have been among the most damaging classes of vulnerability because of their potential impact.
Threat actors who have previously targeted similar flaws in remote access and support tools have been able to achieve inconspicuous execution of malicious commands, sometimes avoiding detection by traditional security mechanisms. In this case, BeyondTrust’s products, being already integral to the infrastructure of many large organizations, present lucrative targets for cybercriminals.
The attack path is as follows: an attacker with admin privileges interacts with the application interface or interfaces exposed to trusted admin users. By injecting malformed command sequences into input fields or data streams processed by the application, the attacker can cause the backend to execute those commands. Such commands could include creating new user accounts with elevated privileges, modifying existing configurations, extracting data from sensitive repositories, or implanting backdoors for future exploitation. It should be noted that BeyondTrust has swiftly responded to the disclosure of this vulnerability.
Security alerts and advisories have been published, outlining the nature of the flaw and urging affected users to apply the necessary patches provided by the vendor. This proactive approach is essential to mitigating the risks associated with CVE-2024-12686. Given the critical nature of this vulnerability in both PRA and RS tools, it is paramount for organizations to stay vigilant and prioritize the patching process. The issue underlines the importance of input validation and secure coding practices, reinforcing the need for ongoing security assessments and timely updates. The ultimate goal is to fortify remote access systems against unauthorized command execution, maintaining the integrity and security of organizational IT environments.
Weakness
The weakness associated with this vulnerability is classified under CWE-78, “Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’).” This weakness occurs when an application constructs command strings using unsanitized or uncontrolled input, ultimately allowing attackers to manipulate and execute arbitrary commands in the context of the system’s operating environment.
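The CWE-78 pattern described above, shown in miniature as an added example: a command built from an administrator-supplied parameter, first in the injectable form and then hardened with an allow-list and a shell-free argv list. This is illustration code, not BeyondTrust's; the product's script handling is not public, so the "diagnostic script" that pings a hostname, the HOSTNAME_RE allow-list and the function names are all assumptions made for the example.

```python
"""CWE-78 in miniature: a command built from an administrator-supplied value,
first in the injectable form and then hardened.

Added illustration, not BeyondTrust's code: the product's script handling is
not public, so the "diagnostic script" below is a hypothetical stand-in that
takes a hostname parameter and hands it to a ping command.
"""
import re
import shlex
import subprocess

# Allow-list for the one parameter type this hypothetical script accepts:
# a syntactically valid DNS hostname (labels of letters, digits and hyphens).
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)"
    r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$"
)


def build_command_vulnerable(host: str) -> str:
    """The CWE-78 pattern: the untrusted value is spliced into a shell string.

    Returned as a string rather than executed so the example is safe to run.
    Handed to a shell (shell=True, os.system, a wrapper script), the shell
    would honour any ';', '&&', '|', '$(...)' or newline inside `host`; that
    is the injection the advisory describes.
    """
    return f"ping -c 1 {host}"


def validate_hostname(host: str) -> str:
    """Reject anything that is not a plain hostname.

    The allow-list is the primary control: shell metacharacters, whitespace
    and empty strings never get near a command at all.
    """
    if not HOSTNAME_RE.match(host):
        raise ValueError(f"rejected script parameter: {host!r}")
    return host


def build_command_hardened(host: str) -> list[str]:
    """Validate, then build an argv list for execution without a shell.

    Each element reaches the program as one literal argument; no shell
    parses the string, so metacharacters cannot change what runs.
    """
    return ["ping", "-c", "1", validate_hostname(host)]


def build_command_quoted(host: str) -> str:
    """Secondary control for code paths that must go through a shell.

    shlex.quote() wraps the value so the shell treats it as one word. Pair it
    with validate_hostname(); quoting alone still lets an odd value reach the
    receiving program.
    """
    return f"ping -c 1 {shlex.quote(host)}"


def run_hardened(host: str) -> subprocess.CompletedProcess:
    """Execute the validated argv list with shell=False (not run by the demo)."""
    return subprocess.run(
        build_command_hardened(host), capture_output=True, text=True, check=False
    )


if __name__ == "__main__":
    injected = "example.com; echo injected"  # constructed input with a separator
    print("vulnerable string:", build_command_vulnerable(injected))
    try:
        build_command_hardened(injected)
    except ValueError as err:
        print("hardened builder:", err)
    print("hardened argv:", build_command_hardened("example.com"))
    print("quoted form:", build_command_quoted(injected))
```

The argv-list form is the fix that removes the weakness outright, because nothing interprets the parameter as shell syntax; the allow-list additionally keeps the value within what the script was designed to accept, and quoting is only a fallback for legacy paths that cannot avoid a shell.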
Impact Assessment
If exploited, this vulnerability could allow an attacker to gain unauthorized access to sensitive data and execute arbitrary commands on the affected system. The ramifications could include data breaches, unauthorized system modifications, and potential system takeovers, jeopardizing the security and stability of the entire IT infrastructure.
Active Exploitation
We have observed activity from an unspecified adversary group originating from China. This group has been linked with recent attacks on the U.S. Treasury using similar exploitation methods to leverage remote support software vulnerabilities. The specific attacks were aimed at compromising API endpoints and exploiting a digital signing key, leading to unauthorized data access and potential espionage.
Ransomware Association
The vulnerability has not yet been directly linked to any specific ransomware strain. However, the nature of command injection flaws makes them attractive targets for ransomware attackers. Such vulnerabilities can be exploited to install ransomware payloads, establish persistence, and exfiltrate sensitive data before encryption, heightening the risk of ransom demands and data leaks.
Mitigation and Resolution
We have released patches that address this vulnerability. Users of BeyondTrust Privileged Remote Access (PRA) and Remote Support (RS) are urged to update to version 24.3.1 or higher immediately to mitigate the risks associated with CVE-2024-12686. Detailed instructions for applying these updates are available on the BeyondTrust Trust Center and support portals.
Recommendations
- We strongly recommend that all customers apply the latest patch as soon as possible.
- Verify and download the patches from official BeyondTrust channels to ensure authenticity.
- Review and validate administrative access controls to minimize the risk of privilege abuse.
- Conduct regular security audits and penetration testing to identify and remediate potential vulnerabilities.
- Implement robust input validation and sanitization practices across all applications and scripts.
- Monitor network and system logs for any signs of suspicious activity associated with command injection attacks.
- Educate and train IT staff on best practices for secure software development and exploit mitigation.
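One way to act on the log-monitoring recommendation above, as an added example rather than BeyondTrust's own detection content: a heuristic that reads an audit log of administrator script invocations and flags parameter values containing shell-control constructs. The log format, field names and every sample line are constructed for this illustration, so parse_line() must be adapted to the real audit log before use.

```python
"""Log-review heuristic for OS command injection attempts against a script
or command parameter.

Added example, not BeyondTrust's own detection content: the audit-log
format below is constructed for this illustration (field order, names and
every sample line are invented), so adapt parse_line() to the real audit log
before use. The indicators target the shell-control constructs that give
CWE-78 its power: command separators, substitution and redirection, plus
URL-encoding used to smuggle them past naive filters.
"""
import re
from dataclasses import dataclass, field
from urllib.parse import unquote

# Constructed sample audit log: timestamp, administrator, action, parameter.
SAMPLE_LOG = """\
2025-01-10T09:12:03Z user=alice action=run_script param=host=db01.internal
2025-01-10T09:13:41Z user=alice action=run_script param=host=web02.internal
2025-01-10T09:15:27Z user=bob action=run_script param=host=db01.internal;id
2025-01-10T09:16:02Z user=bob action=run_script param=host=$(whoami)
2025-01-10T09:18:30Z user=dave action=run_script param=host=web02.internal%0Aid
2025-01-10T09:20:55Z user=carol action=run_script param=host=app-03.internal
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+) param=(?P<param>.*)$"
)

# (label, pattern) pairs evaluated against the percent-decoded parameter value.
INDICATORS = [
    ("command separator", re.compile(r"[;&|\n\r]")),
    ("command substitution", re.compile(r"\$\(|`")),
    ("redirection", re.compile(r"[<>]")),
]


@dataclass
class Finding:
    ts: str
    user: str
    param: str
    indicators: list = field(default_factory=list)


def parse_line(line: str):
    """Return the fields of one log line, or None if it does not match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def find_injection_indicators(param: str) -> list:
    """Name every shell-control construct present in a parameter value.

    The value is percent-decoded first so that %0A (newline) and %3B (';')
    are judged by what the command layer would actually see.
    """
    decoded = unquote(param)
    hits = [label for label, pat in INDICATORS if pat.search(decoded)]
    if hits and decoded != param:
        hits.append("url-encoded payload")
    return hits


def scan_log(text: str) -> list:
    """Run the heuristic over a whole log and collect the suspicious entries."""
    findings = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        hits = find_injection_indicators(rec["param"])
        if hits:
            findings.append(Finding(rec["ts"], rec["user"], rec["param"], hits))
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f.ts} {f.user}: {', '.join(f.indicators)} in {f.param!r}")
```

Because the vulnerability requires an already-authenticated administrator, the useful pivot for triage is the user field: a burst of flagged parameters from one admin account is a stronger signal than any single hit, and decoding before matching keeps percent-encoded variants from slipping past the rule.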
References
- NVD Database
- BeyondTrust Security Advisories
- Reddit Discussion: CISA Adds BeyondTrust Flaws
- CVE Details
- Reddit Discussion: Chinese Hackers Breach US Treasury via Remote Support