Alert essentials:

Both CVE-2024-12356 and CVE-2024-12686 are being exploited and have been added to the CISA Known Exploited Vulnerabilities list.

Successful exploits result in remote code execution and an elevation of privilege to the site user’s context.

Apply patches to vulnerable products as soon as possible.


Detailed threat description:

Update: The medium-severity command injection vulnerability CVE-2024-12686, along with the critical CVE-2024-12356, is being exploited in the wild. Vulnerable versions of PRA and RS products contain these weaknesses, and patches should be deployed immediately to avoid system compromise.

Following a cyberattack in early December that used a compromised API key for Remote Support SaaS, BeyondTrust conducted an internal forensic investigation, during which these additional weaknesses were discovered.

The identity security leader reports two command injection vulnerabilities in their Privileged Remote Access (PRA) and Remote Support (RS) products.

Critical CVE-2024-12356 allows a remote, unauthenticated attacker to execute underlying operating system commands within the context of a site user.

CVE-2024-12686 allows attackers with administrator privileges to inject commands and upload malicious files on the target.

The manufacturer has released patches for PRA and RS versions 22.1.x and higher. As of December 16, 2024, BeyondTrust has automatically applied the necessary patches to PRA and RS cloud-based deployments.

Customers of RS/PRA should only need to apply the patch if they are not subscribed to automatic updates. Customers with local instances are advised to take the following steps:

  • Apply patches; ensure the appropriate patch is applied via the /appliance interface
  • Upgrade older versions; if running versions older than 22.1, upgrade to a supported version to access the patches
  • “On-premises customers of RS/PRA should apply the patch if their instance is not subscribed to automatic updates,” the advisory urges

Both vulnerabilities were exploited and added to the CISA Known Exploited Vulnerabilities (KEV) list. Federal agencies have until February 3, 2025, to apply patches or discontinue using the products. Customers should update vulnerable products, conduct a thorough security assessment, implement additional security measures if needed, and stay alert for further updates as the investigation continues.


Impacts on healthcare organizations:

Exploitation of these vulnerabilities could have numerous severe impacts. Attackers can gain complete control over affected systems, potentially disrupting business operations or using them as a foothold for further attacks.

Attackers may instead be interested only in exfiltrating data for extortion, which risks exposure of patient data and harm to a hospital's reputation.

Businesses will reduce the risk of breaches by adopting strong cyber hygiene principles and applying device updates as they become available.

Affected Products / Versions:

Privileged Remote Access (PRA): Versions 24.3.1 and earlier.

Remote Support (RS): Versions 24.3.1 and earlier.

CVEs
CVE-2024-12356 – CWE-77 – (CVSS 9.8)
CVE-2024-12686 – CWE-78 – (CVSS 7.2)

Indicators of Compromise (IoCs)

IPv4 Addresses:

  • 144.114.85
  • 93.119.175
  • 230.183.1
  • 81.209.168

IPv6 Addresses:

  • 2604:a880:400:d1::7293:c001
  • 2604:a880:400:d1::72ad:3001
  • 2604:a880:400:d1::7716:1
  • 2604:a880:400:d1::7df0:7001
  • 2604:a880:400:d1::8622:f001
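Matching these indicators against appliance or perimeter logs is the "check for suspicious activity" step in practice. The following Python is an added example, not code from BeyondTrust or from this advisory: it normalises the IPv6 addresses listed above with the standard `ipaddress` module so that expanded or upper-case spellings of the same address still match, then scans a few constructed log lines (not real appliance output). The IPv4 entries as printed above are not complete four-octet addresses, so only the IPv6 list is encoded here; add further indicators to `ADVISORY_IPV6` as the vendor publishes them.

```python
import ipaddress
import re

# IPv6 indicators exactly as listed in the advisory above.
ADVISORY_IPV6 = [
    "2604:a880:400:d1::7293:c001",
    "2604:a880:400:d1::72ad:3001",
    "2604:a880:400:d1::7716:1",
    "2604:a880:400:d1::7df0:7001",
    "2604:a880:400:d1::8622:f001",
]

# Normalise to ipaddress objects: two spellings of one address compare equal
# (e.g. "2604:a880:400:d1:0:0:7716:1" == "2604:a880:400:d1::7716:1").
IOC_SET = {ipaddress.ip_address(a) for a in ADVISORY_IPV6}

# Loose token pattern for anything that could be an IPv4/IPv6 literal.
# Every candidate is validated by ipaddress, so timestamps such as
# "02:14:31" are rejected rather than matched.
_IP_TOKEN = re.compile(r"[0-9A-Fa-f:.]{7,}")


def extract_ips(line):
    """Return the set of valid IP addresses found in one log line."""
    found = set()
    for tok in _IP_TOKEN.findall(line):
        try:
            found.add(ipaddress.ip_address(tok.strip(".")))
        except ValueError:
            continue  # not an address (timestamp, hash fragment, ...)
    return found


def scan_log(lines, iocs=IOC_SET):
    """Return [(line_number, matched_address, line)] for every line that
    contains an address from the indicator set."""
    hits = []
    for n, line in enumerate(lines, 1):
        for addr in sorted(extract_ips(line) & iocs, key=str):
            hits.append((n, str(addr), line.rstrip()))
    return hits


# Constructed sample lines for demonstration (not real appliance logs).
SAMPLE_LOG = [
    "2024-12-17T02:11:09Z sshd[211]: Accepted publickey for admin from 10.0.0.5 port 51022",
    "2024-12-17T02:14:31Z httpd: GET /appliance/ from 2604:a880:400:d1:0:0:7716:1",
    "2024-12-17T02:15:02Z httpd: POST /login from 2604:A880:400:D1::8622:F001",
    "2024-12-17T02:16:44Z httpd: GET /health from 2001:db8::10",
]

if __name__ == "__main__":
    for n, addr, line in scan_log(SAMPLE_LOG):
        print(f"line {n}: indicator {addr} -> {line}")
```

Run it against exported appliance, reverse-proxy or firewall logs by passing the file's lines to `scan_log`; because matching is done on parsed addresses rather than raw strings, the expanded and upper-case forms in the sample both hit, which a plain `grep` for the listed spellings would miss.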


Recommendations

Engineering recommendations:

  • Deploy patches to vulnerable versions
  • Users on versions older than 22.1.x will need to upgrade to a supported version before applying the security patch
  • Review administrative access and limit to essential personnel only
  • Check for any suspicious activities that might indicate an exploitation attempt
  • Tenable plugins are available for these vulnerabilities:
    • 213464: BeyondTrust Remote Support (RS) <= 24.3.1 Multiple Vulnerabilities
    • 213465: BeyondTrust Privileged Remote Access (PRA) <= 24.3.1 Multiple Vulnerabilities
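The patch-or-upgrade decision in the first two bullets can be applied mechanically across an inventory of appliances. The following Python is an added example, not code from BeyondTrust, Tenable or this advisory; the hostnames and versions in it are constructed, and the only facts it encodes are the two version boundaries stated on this page (24.3.1 and earlier affected; patches available for 22.1.x and higher). A version number alone does not prove the patch has been installed, so the output is a work list to confirm through the /appliance interface, not evidence of patch status.

```python
import re

# Boundaries from the advisory above.
LAST_AFFECTED = (24, 3, 1)   # PRA and RS 24.3.1 and earlier are affected
PATCH_FLOOR = (22, 1)        # patches exist for 22.1.x and higher


def parse_version(text):
    """Turn '24.3.1' or '22.1' into a tuple of ints; reject anything else."""
    m = re.fullmatch(r"\s*(\d+(?:\.\d+)*)\s*", text)
    if not m:
        raise ValueError(f"not a version string: {text!r}")
    return tuple(int(part) for part in m.group(1).split("."))


def triage(version):
    """Classify an installed PRA/RS version against the advisory.

    Returns one of:
      'patched'       newer than 24.3.1; outside the affected range
      'apply-patch'   affected and on 22.1.x or later; apply the patch via
                      the /appliance interface and confirm it is installed
      'upgrade-first' affected and older than 22.1; upgrade to a supported
                      version before the patch can be applied
    """
    v = parse_version(version) if isinstance(version, str) else tuple(version)
    if v > LAST_AFFECTED:
        return "patched"
    # Tuple comparison handles short forms: (22, 1, 0) >= (22, 1) is True,
    # (22, 0, 5) >= (22, 1) is False.
    if v >= PATCH_FLOOR:
        return "apply-patch"
    return "upgrade-first"


def report(inventory):
    """Return {hostname: action} for every appliance in the inventory."""
    return {host: triage(ver) for host, ver in inventory.items()}


# Constructed inventory: hostnames and versions are made up for the example.
INVENTORY = {
    "pra-dc1.example.internal": "24.3.1",
    "rs-dc1.example.internal": "24.2.0",
    "rs-legacy.example.internal": "21.3.2",
    "pra-lab.example.internal": "24.3.2",
}

if __name__ == "__main__":
    for host, action in sorted(report(INVENTORY).items()):
        print(f"{host:30} {action}")
```

Feed it the version column from your CMDB or from the Tenable plugin output and review every `apply-patch` and `upgrade-first` host; an `apply-patch` result still needs the patch confirmed on the appliance, since the version string does not change when the patch is applied on top of it.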


Leadership/Program recommendations:

The company has notified affected users with cloud deployments, while those with on-prem installations should check for indicators of compromise.

Fortified recommends applying patches and updates where possible and only after adequate testing in a development environment to ensure stability and compliance with organizational change management policies.


References: