BeyondTrust has disclosed details of a critical security flaw in its Privileged Remote Access (PRA) and Remote Support (RS) products that could potentially lead to the execution of arbitrary commands.
Privileged Remote Access controls, manages, and audits privileged accounts and credentials, offering zero trust access to on-premises and cloud resources by internal, external, and third-party users. Remote Support allows service desk staff to securely connect to remote systems and mobile devices.
The vulnerability, tracked as CVE-2024-12356 (CVSS score: 9.8), has been described as an instance of command injection.
“A critical vulnerability has been discovered in Privileged Remote Access (PRA) and Remote Support (RS) products which can allow an unauthenticated attacker to inject commands that are run as a site user,” the company said in an advisory.
An attacker could exploit the flaw by sending a malicious client request, effectively leading to the execution of arbitrary operating system commands within the context of the site user.
The issue impacts the following versions –
- Privileged Remote Access (versions 24.3.1 and earlier) – Fixed in PRA patch BT24-10-ONPREM1 or BT24-10-ONPREM2
- Remote Support (versions 24.3.1 and earlier) – Fixed in RS patch BT24-10-ONPREM1 or BT24-10-ONPREM2
A patch for the vulnerability has already been applied to cloud instances as of December 16, 2024. Users of on-premise versions of the software are advised to apply the latest fixes if they are not subscribed to automatic updates.
“If customers are on a version older than 22.1, they will need to upgrade in order to apply this patch,” BeyondTrust said.
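The affected-version list and the 22.1 upgrade prerequisite above translate into a simple remediation triage. The script below is an added example for defenders, not BeyondTrust's code; it assumes dotted numeric version strings and uses a constructed inventory.

```python
"""Remediation triage for CVE-2024-12356 (example code, not vendor-provided).

Facts encoded from the advisory summary:
  - PRA and RS versions 24.3.1 and earlier are affected.
  - On-prem fixes: BT24-10-ONPREM1 or BT24-10-ONPREM2.
  - Versions older than 22.1 must upgrade before the patch can be applied.
  - Cloud instances were patched by the vendor as of December 16, 2024.
Assumption: version strings are dotted integers such as "24.3.1".
"""

AFFECTED_MAX = (24, 3, 1)        # "24.3.1 and earlier"
PATCH_MIN = (22, 1)              # older than this: upgrade first
PATCHES = ("BT24-10-ONPREM1", "BT24-10-ONPREM2")


def parse_version(version: str) -> tuple:
    """Turn "24.3.1" into (24, 3, 1) so tuples compare numerically."""
    return tuple(int(part) for part in version.strip().split("."))


def triage(product: str, version: str, deployment: str) -> str:
    """Return the remediation action for one PRA or RS instance."""
    if product not in ("PRA", "RS"):
        raise ValueError(f"unknown product: {product!r}")
    if deployment == "cloud":
        return "cloud: vendor-patched as of 2024-12-16, verify instance"
    v = parse_version(version)
    if v > AFFECTED_MAX:
        return "newer than 24.3.1: not in the listed affected range"
    if v < PATCH_MIN:
        return "upgrade to 22.1 or later, then apply " + " or ".join(PATCHES)
    return "apply " + " or ".join(PATCHES)


def triage_inventory(inventory: list) -> list:
    """Map (hostname, product, version, deployment) rows to actions."""
    return [(host, triage(prod, ver, dep)) for host, prod, ver, dep in inventory]


if __name__ == "__main__":
    # Constructed sample inventory; hostnames are placeholders.
    sample = [
        ("pra-01.example", "PRA", "24.3.1", "onprem"),
        ("rs-02.example", "RS", "21.2", "onprem"),
        ("rs-03.example", "RS", "24.2.0", "cloud"),
    ]
    for host, action in triage_inventory(sample):
        print(f"{host}: {action}")
```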
The company said the shortcoming was discovered during an ongoing forensics investigation that was initiated following a “security incident” on December 2, 2024, involving a “limited number of Remote Support SaaS customers.”
“A root cause analysis into a Remote Support SaaS issue identified an API key for Remote Support SaaS had been compromised,” BeyondTrust said, adding it “immediately revoked the API key, notified known impacted customers, and suspended those instances the same day while providing alternative Remote Support SaaS instances for those customers.”
BeyondTrust also said it is still working to determine the cause and impact of the compromise in partnership with an unnamed “cybersecurity and forensics firm.”