WARNING: CRITICAL UNAUTHENTICATED COMMAND INJECTION IN BEYONDTRUST RS AND PRA, PATCH IMMEDIATELY!

Published : 17/12/2024

Reference:
Advisory #2024-292

Version:
1.0

Affected software:
BeyondTrust: Remote Support (RS) & Privileged Remote Access (PRA), ≤ 24.3.1

Type:
CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection')

CVE/CVSS:
CVE-2024-12356: CVSS 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

Sources

https://www.beyondtrust.com/trust-center/security-advisories/bt24-10

Risks

BeyondTrust Remote Support (RS) is a software solution that allows IT support teams to remotely access devices, servers, and other systems. Privileged Remote Access (PRA) is a security solution designed to manage and monitor privileged access to critical infrastructure and systems. Both products sit at a chokepoint with reach into many parts of a network, so a compromise of either one gives an attacker a foothold with broad access, making it crucial to secure them effectively.
 
On December 16, 2024, a command injection vulnerability was disclosed affecting both products, up to and including version 24.3.1. It allows a remote, unauthenticated attacker to execute operating system commands on the underlying appliance. Given its impact on confidentiality, integrity, and availability, on-premises customers are urged to prioritize patching after thorough testing.
 
UPDATE: On Thursday, 19 December, CISA added this vulnerability to its Known Exploited Vulnerabilities (KEV) catalog, which means there is evidence that it is being actively exploited by malicious actors, including ransomware groups. This poses a significant risk to your infrastructure that you should address promptly. In addition, a proof-of-concept exploit is publicly available, which further increases the likelihood of exploitation.

Description

CVE-2024-12356, CVSS 9.8
 
This critical vulnerability affects BeyondTrust Remote Support and Privileged Remote Access, versions 24.3.1 and earlier. A crafted client request containing injected command syntax allows an unauthenticated attacker to execute commands on the underlying operating system in the context of the site user.
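To make the vulnerability class concrete, the following is an added, generic illustration of CWE-77 in a server-side request handler. It is not BeyondTrust's code and does not reproduce the actual CVE-2024-12356 request or vector: the handler names, the use of `echo` as a stand-in for whatever tool a real handler would invoke, the hostname allow-list and the sample inputs are all assumptions made for this example.

```python
"""Generic CWE-77 (OS command injection) illustration. Added example: NOT
BeyondTrust's code and not the real CVE-2024-12356 request; handler names,
the 'echo' stand-in tool, the allow-list and sample inputs are assumptions."""

import re
import subprocess

# Conservative allow-list for a hostname-like request field (assumption: the
# hypothetical handler only ever needs a DNS name or an IPv4 literal).
HOSTNAME_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9.-]{0,251}[A-Za-z0-9])?$")


def lookup_vulnerable(target: str) -> str:
    """Vulnerable pattern: the client-supplied field is formatted into a
    shell command line and handed to /bin/sh (POSIX shell assumed). Shell
    metacharacters in 'target' (';', '|', '$(...)', backticks) become code,
    executed with the privileges of whatever user runs the handler."""
    cmd = f"echo resolving {target}"      # 'echo' stands in for the real tool
    proc = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return proc.stdout


def lookup_hardened(target: str) -> str:
    """Hardened pattern: validate the field against an allow-list, then pass
    it as a single argv element with no shell involved, so the value can only
    ever be data. Rejected input raises instead of being executed."""
    if not HOSTNAME_RE.fullmatch(target):
        raise ValueError(f"rejected target: {target!r}")
    proc = subprocess.run(["echo", "resolving", target],
                          capture_output=True, text=True)
    return proc.stdout


def demo() -> dict:
    """Run both handlers on a benign value and on a constructed payload and
    return the observed outputs so the difference can be inspected."""
    payload = "x; echo INJECTED"          # constructed sample input
    results = {
        "vuln_benign": lookup_vulnerable("example.com"),
        "vuln_payload": lookup_vulnerable(payload),   # second command runs
        "safe_benign": lookup_hardened("example.com"),
    }
    try:
        lookup_hardened(payload)
        results["safe_payload"] = "executed"          # must never happen
    except ValueError as exc:
        results["safe_payload"] = str(exc)
    return results


if __name__ == "__main__":
    for name, out in demo().items():
        print(f"{name}: {out!r}")
```

Running the script shows the vulnerable handler emitting a second line, `INJECTED`, that the attacker's `; echo INJECTED` suffix produced, while the hardened handler refuses the same input outright. Avoiding the shell (argv form) removes the metacharacter problem; the allow-list additionally prevents argument injection into the invoked tool, which argv alone does not stop.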

Recommended Actions

Patch
 
The Centre for Cybersecurity Belgium strongly recommends installing updates for vulnerable devices with the highest priority, after thorough testing.
 
Monitor/Detect
 
The CCB recommends that organizations increase monitoring and detection capabilities to identify any related suspicious activity, ensuring a swift response in case of an intrusion.
In case of an intrusion, you can report an incident via: https://ccb.belgium.be/cert/report-incident
Patching appliances or software to the newest version protects against future exploitation, but it does not remediate a compromise that has already occurred. Given that this vulnerability is actively exploited, organizations should also check for signs of prior intrusion.
 

References

https://nvd.nist.gov/vuln/detail/CVE-2024-12356