Alert essentials:
Two command injection flaws were found in BeyondTrust PRA and RS products. One is critical and can result in an unauthenticated remote code execution.
Apply patches to vulnerable products as soon as possible.
Detailed threat description:
Following a cyberattack in early December that used a compromised API key for its Remote Support SaaS, BeyondTrust conducted internal forensic investigations, during which additional threats were discovered.
The identity security leader reports two command injection vulnerabilities in their Privileged Remote Access (PRA) and Remote Support (RS) products.
Critical CVE-2024-12356 allows a remote, unauthenticated attacker to execute underlying operating system commands within the context of a site user.
CVE-2024-12686 allows attackers with administrator privileges to inject commands and upload malicious files on the target.
The manufacturer has released patches for PRA and RS versions 22.1.x and higher. As of December 16, 2024, BeyondTrust has automatically applied the necessary patches to PRA and RS cloud-based deployments.
Customers of RS/PRA should only need to apply the patch if they are not subscribed to automatic updates. Customers with local instances are advised to take the following steps:
- Apply patches: ensure the appropriate patch is applied via the /appliance interface
- Upgrade older versions: if running versions older than 22.1, upgrade to a supported version to access the patches
- “On-premises customers of RS/PRA should apply the patch if their instance is not subscribed to automatic updates,” the advisory urges.
No alternative mitigations or workarounds are available, and it is unclear if the vulnerabilities have been exploited.
Customers should update vulnerable products, conduct a thorough security assessment, implement additional security measures if needed, and stay alert for further updates from BeyondTrust.
Impacts on healthcare organizations:
Exploitation of these vulnerabilities could have numerous severe impacts. Attackers could gain full control over affected systems, potentially disrupting business operations or using them as a foothold for further attacks.
Alternatively, attackers may be interested only in exfiltrating data for extortion, which risks exposing patient data and harming a hospital’s reputation.
Businesses can reduce the risk of breaches by adopting strong cyber hygiene principles and applying device updates as they become available.
Affected Products / Versions:
- Privileged Remote Access (PRA): Versions 24.3.1 and earlier
- Remote Support (RS): Versions 24.3.1 and earlier
CVEs:
CVE-2024-12356
CVE-2024-12686
Recommendations:
Engineering recommendations:
- Deploy patches to vulnerable versions and upgrade unsupported versions
- Users on versions older than 22.1.x: Upgrade to a supported version before applying the security patch
- Review administrative access and limit to essential personnel only
- Check for any suspicious activities that might indicate exploitation attempts
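To turn the version ranges above into a repeatable inventory check, the script below (an added example, not BeyondTrust's or the advisory's own code) classifies each PRA/RS instance as outside the affected range, patchable in place, or needing an upgrade to 22.1.x before the patch can be applied. The inventory format and hostnames are constructed assumptions.

```python
import re
from typing import List, Tuple

# Thresholds taken from the advisory: PRA/RS 24.3.1 and earlier are affected;
# patches exist only for 22.1.x and higher, so older builds must upgrade first.
LATEST_AFFECTED = (24, 3, 1)
OLDEST_PATCHABLE = (22, 1, 0)

# Constructed sample inventory: (product, hostname, reported version).
INVENTORY: List[Tuple[str, str, str]] = [
    ("PRA", "pra-dc1.example.internal", "24.3.1"),
    ("RS", "rs-helpdesk.example.internal", "21.2.4"),
    ("RS", "rs-cloud.example.internal", "24.3.2"),
    ("PRA", "pra-lab.example.internal", "22.1"),
]


def parse_version(text: str) -> Tuple[int, int, int]:
    """Turn '22.1.3' or '24.3.1' into a comparable 3-tuple of ints.
    Missing trailing components are padded with 0, so '22.1' == '22.1.0'."""
    m = re.fullmatch(r"\s*(\d+)(?:\.(\d+))?(?:\.(\d+))?\s*", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch = (int(part or 0) for part in m.groups())
    return (major, minor, patch)


def triage(version: str) -> str:
    """Classify one PRA/RS instance against the advisory's version ranges."""
    v = parse_version(version)
    if v > LATEST_AFFECTED:
        return "not in affected range"
    if v < OLDEST_PATCHABLE:
        return "upgrade to a supported release (22.1.x or later) first, then patch"
    return "affected: apply the patch via the /appliance interface"


def triage_inventory(inventory: List[Tuple[str, str, str]]) -> List[Tuple[str, str, str]]:
    """Return (hostname, product, action) for every instance in the inventory."""
    return [(host, product, triage(version)) for product, host, version in inventory]


if __name__ == "__main__":
    for host, product, action in triage_inventory(INVENTORY):
        print(f"{host:<32} {product:<4} {action}")
```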
Leadership/Program recommendations:
The company has notified affected users with cloud deployments, while those with on-prem installations should check for the presence of indicators of compromise BeyondTrust has previously shared.
References:
- BeyondTrust advisory (BT24-10): https://www.beyondtrust.com/trust-center/security-advisories/bt24-10
- BeyondTrust advisory (BT24-11): https://www.beyondtrust.com/trust-center/security-advisories/bt24-11
- CVE Details: https://www.cvedetails.com/cve/CVE-2024-12356/
- CVE Details: https://www.cvedetails.com/cve/CVE-2024-12686/
- Tenable: https://www.tenable.com/cve/CVE-2024-12356
- Tenable: https://www.tenable.com/cve/CVE-2024-12686