BeyondTrust Patch Update | Protect Your Systems Today
The BeyondTrust vulnerability (CVE-2024-12356) is a critical security flaw that allows unauthorized command execution on Privileged Remote Access (PRA) and Remote Support (RS) software. With a CVSS score of 9.8, it poses significant risks to organizations, especially those using self-hosted versions. BeyondTrust has released patches for the vulnerability, alongside fixes for a medium-severity flaw (CVE-2024-12686). To mitigate risks, organizations must apply the updates, monitor their systems, and follow cybersecurity best practices.
On December 20, 2024, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added a critical vulnerability in BeyondTrust software to its Known Exploited Vulnerabilities (KEV) catalog. This emphasizes the severity and active exploitation of this issue.
BeyondTrust provides tools like Privileged Remote Access (PRA) and Remote Support (RS), which are widely used by organizations to secure sensitive systems and support remote users.
This blog explains the vulnerability, its impact, and actionable steps to protect your systems.
What is the Vulnerability?
The vulnerability, tracked as CVE-2024-12356, is a command injection flaw. Such flaws allow attackers to send unauthorized commands to a system and execute them with the same permissions as legitimate users.
Key Details:
- Severity: CVSS score of 9.8 (critical).
- How it Works: Attackers can exploit the flaw without logging in, gaining control over parts of the system.
- Affected Products:
  - BeyondTrust Privileged Remote Access (PRA) software.
  - BeyondTrust Remote Support (RS) software.
This flaw could allow hackers to impersonate legitimate users and run malicious commands on compromised systems.
Who is at Risk?
Organizations using BeyondTrust software are at risk, especially those using self-hosted versions.
While BeyondTrust has already fixed the flaw for cloud-hosted customers, users of self-hosted versions must act quickly to secure their systems by applying patches.
How to Protect Your Systems
To address the vulnerability, BeyondTrust has released specific patches. Update your software as follows:
- For Privileged Remote Access (PRA):
  - Apply patches BT24-10-ONPREM1 or BT24-10-ONPREM2.
- For Remote Support (RS):
  - Apply patches BT24-10-ONPREM1 or BT24-10-ONPREM2.
If you’re unsure of your version or need help applying the patch, consult BeyondTrust’s support team or your IT department.
What Else Happened?
Earlier in December, BeyondTrust suffered a cyberattack. Hackers managed to breach some of its Remote Support SaaS (Software-as-a-Service) instances by misusing a compromised API key. This allowed them to reset passwords for certain local application accounts.
Another Vulnerability Discovered
During their investigation, BeyondTrust identified another issue, CVE-2024-12686, which has a medium severity score of 6.6.
This vulnerability allows attackers with existing administrative privileges to inject and execute commands. While less critical than CVE-2024-12356, it can still pose a significant threat if left unpatched.
Fixes for CVE-2024-12686:
- PRA Patches: BT24-11-ONPREM1 through BT24-11-ONPREM7.
- RS Patches: BT24-11-ONPREM1 through BT24-11-ONPREM7.
Why This Matters
BeyondTrust software secures privileged access to critical systems. If compromised, attackers could:
- Access sensitive data.
- Disrupt operations.
- Escalate attacks within an organization’s network.
Addressing these vulnerabilities quickly is essential to prevent damage to businesses, governments, and other institutions.
Steps to Take
1. Check for Updates:
Confirm your software version and immediately apply the necessary patches.
2. Monitor Your Systems:
Watch for suspicious activity, such as unexpected logins or changes to sensitive accounts.
3. Follow CISA’s Recommendations:
Regularly check CISA's Known Exploited Vulnerabilities (KEV) catalog for updates.
4. Educate Your Team:
Ensure your IT staff understands the importance of applying updates promptly and staying alert to the latest threats.
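One way to carry out steps 1 to 3 together, added here as an example (not BeyondTrust or CISA tooling): filter a KEV-format feed for a vendor watchlist and flag appliances that lack a fixing patch named in this article. The inventory format, hostnames, due dates and the placeholder feed entry are constructed assumptions.

```python
import json
from datetime import date

# Constructed sample in the layout of CISA's KEV JSON feed. The dueDate values
# and the second entry are made up; dateAdded for the first is from the article.
SAMPLE_KEV = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-2024-12356", "vendorProject": "BeyondTrust",
     "product": "Privileged Remote Access (PRA) and Remote Support (RS)",
     "dateAdded": "2024-12-20", "dueDate": "2024-12-27"},
    {"cveID": "CVE-0000-00000", "vendorProject": "ExampleVendor",
     "product": "ExampleProduct", "dateAdded": "2024-12-01", "dueDate": "2024-12-22"},
]})

# Fix patches per CVE as listed in this article (same IDs for PRA and RS).
# Assumption: any one listed patch on an appliance means the CVE is fixed there.
FIXES = {
    "CVE-2024-12356": {"BT24-10-ONPREM1", "BT24-10-ONPREM2"},
    "CVE-2024-12686": {f"BT24-11-ONPREM{n}" for n in range(1, 8)},
}

# Hypothetical inventory; hostnames and applied-patch lists are constructed.
INVENTORY = [
    {"host": "pra-01.example.internal", "patches": ["BT24-10-ONPREM1"]},
    {"host": "rs-01.example.internal", "patches": []},
]

def kev_matches(kev_json, vendors):
    """Return KEV entries whose vendorProject is on the watchlist (case-insensitive)."""
    wanted = {v.lower() for v in vendors}
    entries = json.loads(kev_json).get("vulnerabilities", [])
    return [e for e in entries if e.get("vendorProject", "").lower() in wanted]

def open_findings(inventory, kev_entries, today):
    """List (host, cve, overdue) for every tracked CVE with no fix patch applied."""
    due = {e["cveID"]: date.fromisoformat(e["dueDate"]) for e in kev_entries}
    findings = []
    for appliance in inventory:
        applied = set(appliance["patches"])
        for cve, fixes in sorted(FIXES.items()):
            if applied & fixes:
                continue  # at least one fixing patch is installed
            overdue = cve in due and today > due[cve]
            findings.append((appliance["host"], cve, overdue))
    return findings

if __name__ == "__main__":
    kev = kev_matches(SAMPLE_KEV, ["BeyondTrust"])
    for host, cve, overdue in open_findings(INVENTORY, kev, date(2025, 1, 2)):
        print(f"{host}: {cve} unpatched" + (" (past KEV due date)" if overdue else ""))
```

To use it against live data, replace SAMPLE_KEV with the contents of CISA's published KEV JSON feed and INVENTORY with an export from your own asset records.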
Conclusion
The vulnerabilities in BeyondTrust software are a reminder of how critical it is to stay updated with security patches. Cyber threats evolve rapidly, and attackers exploit unpatched systems quickly.
By addressing these flaws and following best practices, organizations can significantly reduce their risk and secure their sensitive systems from malicious attacks.
Stay proactive, and stay secure! If you need further guidance, don’t hesitate to reach out.
FAQ:
- What is the BeyondTrust vulnerability (CVE-2024-12356)?
  It is a command injection flaw in BeyondTrust software that allows attackers to execute unauthorized commands as a legitimate user.
- Why is CVE-2024-12356 critical?
  With a CVSS score of 9.8, this vulnerability can be exploited without authentication, leading to unauthorized access and control of sensitive systems.
- Which BeyondTrust products are affected?
  The vulnerability affects BeyondTrust Privileged Remote Access (PRA) and Remote Support (RS) software.
- Who is at risk from this vulnerability?
  Organizations using self-hosted versions of BeyondTrust software are most at risk, as the cloud-hosted versions have already been patched.
- What patches should I apply to fix CVE-2024-12356?
  - For PRA: Apply BT24-10-ONPREM1 or BT24-10-ONPREM2.
  - For RS: Apply BT24-10-ONPREM1 or BT24-10-ONPREM2.
- What is CVE-2024-12686?
  It is a medium-severity flaw that allows attackers with administrative access to inject and execute commands.
- How can I protect my systems?
  Update your software to the latest patched versions, monitor for unusual activity, and follow CISA’s recommendations.
- How did BeyondTrust respond to the vulnerability?
  BeyondTrust released patches for both vulnerabilities, informed affected customers, and enlisted third-party cybersecurity experts to investigate.
- What risks do these vulnerabilities pose?
  They could lead to unauthorized access, data breaches, operational disruptions, and further escalation of attacks.
- Where can I find updates on exploited vulnerabilities?
  Check CISA’s Known Exploited Vulnerabilities (KEV) catalog for regular updates.