When BeyondTrust disclosed a critical remote command injection vulnerability affecting all versions of its Privileged Remote Access (PRA) and Remote Support (RS) products in mid-December, the level of concern in the security community was quite high. Critical flaws in highly privileged security products are juicy targets for attackers, and the expected long tail of this bug remains to be seen.
The details of the vulnerability (CVE-2024-12356) are not pretty. “All BeyondTrust Privileged Remote Access (PRA) and Remote Support (RS) versions contain a command injection vulnerability which can be exploited through a malicious client request. Successful exploitation of this vulnerability can allow an unauthenticated remote attacker to execute underlying operating system commands within the context of the site user,” the company’s advisory says. The vulnerability was addressed with a patch for RS and PRA 22.1.x and higher.
Unfortunately, highly capable state actors have already targeted BeyondTrust for exploitation. The intrusion at the Department of Treasury in December that involved the use of a stolen BeyondTrust API key has been attributed to a Chinese state-backed threat actor who was able to obtain the key and then target a small number of SaaS RS customers. The Treasury attack has also drawn the attention of a pair of lawmakers, who have sent a letter to the Secretary of the Treasury asking for more information on the intrusion and the department’s awareness of the risks of bugs in third-party software. (BeyondTrust disclosed a second, related vulnerability, CVE-2024-12686, that was discovered as part of its internal investigation, and that flaw also has been exploited.)
BeyondTrust has pushed a fix for the critical vulnerability to all of the affected SaaS instances and released patches for self-hosted versions as well, but it’s up to the customers to install this fix. For CVE-2024-12356, Censys data shows 778 exposed on-premises BeyondTrust PRA and RS hosts as of this writing, and many of those instances are associated with colleges and universities, health care systems, and financial services companies, based on inferred attribution from WHOIS lookups and autonomous system names.
Window of Exposure
In the meantime, attackers have had more than a month to digest the details of the vulnerability, find vulnerable targets, and get after it. There isn’t a public exploit available as of yet, but that window of exposure provided plenty of time for well-resourced attackers to develop their own.
The two affected products, as their names suggest, provide privileged, remote access to and support for various enterprise systems. Both are widely deployed in cloud and on-premises environments and Censys data shows 23,743 exposed PRA and RS hosts as of Jan. 31. (Note: Exposed hosts are not necessarily vulnerable hosts.) The vast majority of those are geolocated in the United States, but there are many more scattered across the globe. Of the exposed hosts, 399 are correlated with government agencies, many of them state and local governments, but some in the federal government, and a few in foreign government agencies, based on WHOIS and AS data.
Vulnerabilities such as this one in sensitive products often are relevant for months or years, either because organizations are reluctant to take those products offline to apply a fix or because they are unaware that the affected product is deployed in their environment. Exploitation thus far has been limited, but should a public exploit emerge, things could change quickly, especially given the nature of the vulnerability and the value of the targets.