BeyondTrust has disclosed details of a critical security flaw in its Privileged Remote Access (PRA) and Remote Support (RS) products that could lead to the execution of arbitrary commands.
Privileged Remote Access controls, manages, and audits privileged accounts and credentials, offering zero trust access to on-premises and cloud resources for internal, external, and third-party users. Remote Support allows service desk staff to securely connect to remote systems and mobile devices.
The vulnerability, tracked as CVE-2024-12356 (CVSS score: 9.8), has been described as an instance of command injection.
“A critical vulnerability has been discovered in Privileged Remote Access (PRA) and Remote Support (RS) products which can allow an unauthenticated attacker to inject commands that are run as a site user,” the company said in an advisory.
An attacker could exploit the flaw by sending a malicious client request, leading to the execution of arbitrary operating system commands in the context of the site user.
The issue affects the following versions:
- Privileged Remote Access (versions 24.3.1 and earlier) – fixed in PRA patch BT24-10-ONPREM1 or BT24-10-ONPREM2
- Remote Support (versions 24.3.1 and earlier) – fixed in RS patch BT24-10-ONPREM1 or BT24-10-ONPREM2
A patch for the vulnerability has already been applied to cloud instances as of December 16, 2024. Users of on-premises versions of the software are advised to apply the latest fixes if they are not subscribed to automatic updates.
“If customers are on a version older than 22.1, they will need to upgrade in order to apply this patch,” BeyondTrust said.
The company said the flaw was discovered during an ongoing forensic investigation that was initiated following a “security incident” on December 2, 2024, involving a “limited number of Remote Support SaaS customers.”
“A root cause analysis into a Remote Support SaaS issue identified an API key for Remote Support SaaS had been compromised,” BeyondTrust said, adding it “immediately revoked the API key, notified known impacted customers, and suspended those instances the same day while providing alternative Remote Support SaaS instances for those customers.”
BeyondTrust also said it is still working to determine the cause and impact of the compromise in partnership with an unnamed “cybersecurity and forensics firm.”