Critical Vulnerabilities in BeyondTrust PRA and RS Products: CVE-2024-12356 & CVE-2024-12686


Introduction

BeyondTrust, a leader in Privileged Access Management (PAM) and Identity Threat Detection and Response (ITDR), provides robust security solutions to protect human and machine identities, endpoints, and access. Despite its advanced security measures, two critical vulnerabilities—CVE-2024-12356 and CVE-2024-12686—have been identified in BeyondTrust’s Privileged Remote Access (PRA) and Remote Support (RS) products. These vulnerabilities have the potential to allow attackers to execute commands on compromised systems, posing severe security risks.

This blog details the vulnerabilities, their impact, and provides step-by-step solutions for mitigation and remediation.

Summary of Vulnerabilities

CVE-2024-12356

Description: This command injection vulnerability allows an unauthenticated remote attacker to execute operating system commands within the context of a site user.

Impact: Enables unauthorized command execution by unauthenticated threat actors.

Affected Versions: RS and PRA 24.3.1 and earlier.

CVSS Score: 9.8 (Critical).

CVE-2024-12686

Description: Allows attackers with administrative privileges to upload malicious files and execute operating system commands.

Impact: Facilitates unauthorized command execution and file uploads.

Affected Versions: RS and PRA 24.3.1 and earlier.

CVSS Score: 9.8 (Critical).

Vulnerability Details

Both vulnerabilities stem from inadequate input validation in BeyondTrust’s PRA and RS products.

CVE-2024-12356: Exploited through malicious client requests, allowing unauthenticated attackers to inject and execute commands.

CVE-2024-12686: Exploited via administrative privilege misuse, enabling attackers to upload malicious files and execute commands.

Exploitation Evidence

These vulnerabilities have been actively exploited, as confirmed by the inclusion of CVE-2024-12356 in CISA’s Known Exploited Vulnerabilities list. Additionally, unauthorized access incidents involving BeyondTrust RS SaaS instances and compromised API keys have raised concerns about the exploitation of these vulnerabilities.

Mitigation and Remediation Steps

Step 1: Assess the Environment

Identify Affected Assets:

Inventory all instances of BeyondTrust PRA and RS.

Confirm software versions. Focus on versions 24.3.1 and earlier, which are vulnerable.

Verify Update Status:

Check if your instance is subscribed to automatic updates through the /appliance interface.

Step 2: Update to Fixed Versions

For Cloud-Hosted Instances

BeyondTrust has applied security updates to all cloud-hosted instances. Administrators should:

Verify Update Application:

  • Log in to the management console.
  • Confirm the latest patch is applied.

Monitor Activity:

  • Review audit logs for any suspicious activities post-update.

For On-Premises Instances

Check Version:

  • Log in to the appliance interface.
  • Navigate to the system update section.
  • Identify your current version.

Upgrade Path:

If the appliance is running a version earlier than 22.1.x, first upgrade to 22.1.x or later; the patch applies only on top of that baseline.

Apply Patch:

  • Download the appropriate patch:

          PRA: BT24-10-ONPREM1 or BT24-10-ONPREM2.

          RS: BT24-10-ONPREM1 or BT24-10-ONPREM2.

  • Follow BeyondTrust’s installation guide to apply the patch.

Restart Services:

Restart all related services to ensure the patch is fully applied.
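The version triage in Steps 1 and 2 (affected range 24.3.1 and earlier, 22.1.x minimum before the BT24-10-ONPREM patch can be applied) is easy to get wrong by hand across a large inventory. The script below is an added example, not BeyondTrust code; the inventory rows are constructed sample data, and a version alone does not prove the patch is present, so the patch status still has to be confirmed in the /appliance interface.

```python
"""Triage a BeyondTrust PRA/RS inventory against the ranges stated in this advisory.

Thresholds come from the advisory text: RS and PRA 24.3.1 and earlier are affected,
and appliances older than 22.1.x must be upgraded to 22.1.x or later before the
BT24-10-ONPREM1 / BT24-10-ONPREM2 patch can be applied. SAMPLE_INVENTORY is
constructed sample data, not real hosts.
"""
from __future__ import annotations

import re
from typing import List, Tuple

AFFECTED_MAX = (24, 3, 1)   # "24.3.1 and earlier" (from the advisory)
MIN_PATCHABLE = (22, 1)     # "earlier than 22.1.x" must be upgraded first (from the advisory)

_VERSION_RE = re.compile(r"^\d+(?:\.\d+)*$")


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn a dotted version string such as '24.3.1' into a comparable tuple."""
    text = text.strip()
    if not _VERSION_RE.match(text):
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(part) for part in text.split("."))


def classify(version: str) -> str:
    """Map one appliance version to the action the advisory prescribes."""
    v = parse_version(version)
    # Pad to three components so '24.3' compares as 24.3.0; ignore any build suffix.
    v3 = (v + (0, 0, 0))[:3]
    if v3 > AFFECTED_MAX:
        return "outside stated affected range - confirm patch status in /appliance"
    if v3[:2] < MIN_PATCHABLE:
        return "upgrade to 22.1.x or later first, then apply BT24-10-ONPREM1/2"
    return "apply BT24-10-ONPREM1 or BT24-10-ONPREM2"


def triage(inventory: List[Tuple[str, str, str]]) -> List[Tuple[str, str, str, str]]:
    """Return (host, product, version, action) for every inventory row."""
    return [(host, product, ver, classify(ver)) for host, product, ver in inventory]


# Constructed sample inventory: (hostname, product, reported version).
SAMPLE_INVENTORY = [
    ("pra-01.example.internal", "PRA", "24.3.1"),
    ("rs-legacy.example.internal", "RS", "21.2.3"),
    ("rs-02.example.internal", "RS", "24.3.2"),
]

if __name__ == "__main__":
    for row in triage(SAMPLE_INVENTORY):
        print(" | ".join(row))
```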

Step 3: Enhance Security Measures

Enable Automatic Updates:

  • Ensure that the automatic update feature is enabled for future patches.

Restrict Administrative Privileges:

  • Limit administrative access to only essential personnel.
  • Regularly audit user accounts for privilege misuse.

Harden Configuration:

  • Disable unnecessary services and ports.
  • Configure firewalls to restrict unauthorized access.

Implement Multi-Factor Authentication (MFA):

  • Enforce MFA for all administrative and user accounts.

Monitor Logs:

  • Continuously monitor system logs for suspicious activities or anomalies.

Step 4: Verify Mitigation

Run Security Scans:

  • Conduct vulnerability scans to confirm successful mitigation.

Test Systems:

  • Perform penetration testing to ensure vulnerabilities have been addressed.

Review Audit Logs:

  • Check logs for any signs of previous or ongoing exploitation.

Step 5: Communication and Documentation

Notify Stakeholders:

  • Inform relevant stakeholders about the vulnerabilities, applied patches, and next steps.

Update Documentation:

  • Record all mitigation and remediation actions for future reference.

Train Staff:

  • Conduct training sessions to raise awareness of the vulnerabilities and preventive measures.

Product                          Fixed Version / Patch
Privileged Remote Access (PRA)   BT24-10-ONPREM1 or BT24-10-ONPREM2
Remote Support (RS)              BT24-10-ONPREM1 or BT24-10-ONPREM2

Closing Summary

The discovery of CVE-2024-12356 and CVE-2024-12686 underscores the importance of proactive vulnerability management. Organizations using BeyondTrust’s PRA and RS products must act swiftly to mitigate these critical vulnerabilities. By following the steps outlined above, administrators can safeguard their environments against exploitation and strengthen overall security posture.

For further assistance, contact BeyondTrust support or consult the official patch documentation.

Stay vigilant and secure your systems against emerging threats!
