Advisory ID: BT24-10
CVSSv3 Score: 9.8
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Severity: Critical
Issue Date: 2024-12-16
CVE(s): CVE-2024-12356
Synopsis: Command Injection Vulnerability
Impacted Products: Remote Support (RS) & Privileged Remote Access (PRA)
Summary
A critical vulnerability has been discovered in Privileged Remote Access (PRA) and Remote Support (RS) products which can allow an unauthenticated attacker to inject commands that are run as a site user.
Details
All BeyondTrust Privileged Remote Access (PRA) and Remote Support (RS) versions contain a command injection vulnerability which can be exploited through a malicious client request. Successful exploitation of this vulnerability can allow an unauthenticated remote attacker to execute underlying operating system commands within the context of the site user. This issue is fixed through a patch available for all supported releases of RS & PRA 22.1.x and higher.
Mitigation
A patch has been applied to all RS/PRA cloud customers as of December 16, 2024 that remediates this vulnerability.
On-premises customers of RS/PRA whose instance is not subscribed to automatic updates in the /appliance interface should apply the patch manually. Customers on a version older than 22.1 must first upgrade in order to apply this patch.
Affected Versions
| Product | Version |
|---|---|
| Privileged Remote Access (PRA) | 24.3.1 and earlier |
| Remote Support (RS) | 24.3.1 and earlier |
Fixed Versions
| Product | Version |
|---|---|
| Privileged Remote Access (PRA) | PRA patch BT24-10-ONPREM1 or BT24-10-ONPREM2, dependent on PRA version |
| Remote Support (RS) | RS patch BT24-10-ONPREM1 or BT24-10-ONPREM2, dependent on RS version |
