BeyondTrust has disclosed details of a critical security flaw in its Privileged Remote Access (PRA) and Remote Support (RS) products that could potentially lead to the execution of arbitrary commands.
Privileged Remote Access monitors, manages, and validates privileged accounts and credentials, offering internal, external, and third-party users zero-trust access to on-premises and cloud resources. Remote Support allows support staff to securely connect to remote systems and mobile devices.
The vulnerability, tracked as CVE-2024-12356 (CVSS score: 9.8), has been described as an instance of command injection.
“A critical vulnerability has been discovered in the Privileged Remote Access (PRA) and Remote Support (RS) products that could allow an unauthenticated attacker to issue commands that execute on behalf of a site user,” the company said in an advisory.
An attacker could exploit the flaw by sending a malicious client request, effectively causing arbitrary operating system commands to execute in the context of the site user.
The issue affects the following versions:
- Privileged Remote Access (versions 24.3.1 and earlier) – fixed in PRA patch BT24-10-ONPREM1 or BT24-10-ONPREM2
- Remote Support (versions 24.3.1 and earlier) – fixed in RS patch BT24-10-ONPREM1 or BT24-10-ONPREM2
A patch for the vulnerability has already been applied to cloud instances as of December 16, 2024. Users of on-premises versions of the software are advised to apply the latest patches unless they are subscribed to automatic updates.
“If customers are running a version older than 22.1, they will need to upgrade to apply this patch,” BeyondTrust said.
The company said the flaw was discovered during an ongoing forensic investigation that began after a “security incident” on December 2, 2024, involving “a limited number of Remote Support SaaS customers.”
“A root cause analysis of the Remote Support SaaS issue revealed that the API key for the Remote Support SaaS was compromised,” BeyondTrust said, adding that it “immediately revoked the API key, notified known affected customers, and suspended those instances the same day, providing alternative instances of the Remote Support SaaS to those customers.”
BeyondTrust also said it is still working to determine the cause and effect of the compromise in partnership with an unnamed “cybersecurity and forensics firm.”