
Executive Summary
Date: January 2025
CVE-2024-12356 is a critical command injection vulnerability identified in BeyondTrust's Privileged Remote Access (PRA) and Remote Support (RS) products. This vulnerability allows an unauthenticated remote attacker to execute arbitrary commands on the underlying operating system with the privileges of the site user. The vulnerability has been assigned a CVSS score of 9.8, indicating its critical severity. Although there are no reports of active exploitation or publicly available proof-of-concept exploits, the vulnerability remains a high-value target due to the critical nature of the affected products.
Technical Information
CVE-2024-12356 is a command injection vulnerability that arises from improper neutralization of special elements used in a command. This vulnerability is cataloged under CWE-77 and has been assigned a CVSS 3.1 score of 9.8, reflecting its critical nature. The vulnerability affects BeyondTrust's Privileged Remote Access (PRA) and Remote Support (RS) products, specifically versions up to 24.3.1. The vulnerability allows an unauthenticated attacker to execute arbitrary commands on the underlying operating system with the privileges of the site user. This can lead to unauthorized access, data breaches, and potential operational disruptions.
The vulnerability is particularly concerning due to the widespread use of BeyondTrust's products in managing privileged access and remote support within organizations. These products are integral to maintaining secure access to critical systems and data, making them attractive targets for threat actors. The vulnerability's high CVSS score underscores the potential impact of successful exploitation, which could include unauthorized access to sensitive data, disruption of services, and potential lateral movement within the network.
The vulnerability is characterized by its low attack complexity, requiring no user interaction or privileges to exploit. This makes it an attractive target for attackers seeking to gain a foothold within an organization's network. The vulnerability's network attack vector further increases its risk, as it can be exploited remotely without physical access to the target system.
Exploitation in the Wild
While there are no confirmed reports of exploitation in the wild, the vulnerability has been linked to the Chinese APT group known as Salt Typhoon. This group has a history of targeting high-value sectors, including government networks. The potential for exploitation remains high due to the critical nature of the vulnerability and the role of remote access products in organizational networks. Indicators of Compromise (IOCs) related to this vulnerability include unusual command execution patterns and unauthorized access attempts to systems running BeyondTrust's PRA and RS products.
APT Groups using this vulnerability
Salt Typhoon is a Chinese state-sponsored threat group known for targeting government networks and exploiting zero-day vulnerabilities. The group has been linked to attacks involving CVE-2024-12356, although specific details of exploitation are not publicly available. Salt Typhoon is known for its sophisticated tactics, techniques, and procedures (TTPs), which include leveraging command injection vulnerabilities to gain unauthorized access and execute arbitrary commands. This can lead to data breaches and operational disruptions, particularly in high-value sectors such as government and critical infrastructure.
Affected Product Versions
The vulnerability affects BeyondTrust's Privileged Remote Access (PRA) and Remote Support (RS) products, specifically versions up to 24.3.1. Organizations using these versions are at risk and should prioritize applying the necessary patches and updates to mitigate potential exploitation.
Workaround and Mitigation
To mitigate the risk posed by CVE-2024-12356, organizations should apply vendor-provided patches and updates to affected systems. BeyondTrust has released patches for all supported versions of PRA and RS (22.1.x and higher). For cloud instances, BeyondTrust applied the necessary patches on December 16, 2024. In addition to patching, organizations should implement network segmentation and access controls to limit exposure and reduce the potential impact of an exploit. Regular security assessments and monitoring for unusual activity can also help detect and respond to potential exploitation attempts.
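As an added example (not code from the advisory or from BeyondTrust), the following Python script turns the version facts above into an exposure triage over a constructed inventory of PRA/RS instances: versions up to 24.3.1 are in the affected range, vendor patches exist only for 22.1.x and higher, and cloud instances were patched by the vendor on December 16, 2024. The hostnames, versions, patch states and the "hosting"/"patch_applied" field names are assumed sample data.

```python
# Added example, not from the advisory or from BeyondTrust: triage a constructed
# inventory of PRA/RS instances using only the version facts the advisory states.
from typing import Dict, List, Tuple

AFFECTED_MAX = (24, 3, 1)        # advisory: affected versions up to 24.3.1
PATCHED_MIN_BRANCH = (22, 1)     # advisory: vendor patches for 22.1.x and higher
CLOUD_PATCH_DATE = "2024-12-16"  # advisory: cloud instances patched by the vendor


def parse_version(text: str) -> Tuple[int, int, int]:
    """Convert '24.3.1' or '23.2' into a comparable tuple, padded to three parts."""
    parts = [int(p) for p in text.strip().split(".")]
    if not 1 <= len(parts) <= 3:
        raise ValueError(f"unexpected version string: {text!r}")
    padded = parts + [0] * (3 - len(parts))
    return padded[0], padded[1], padded[2]


def triage(version: str, hosting: str, patch_applied: bool) -> str:
    """Classify one instance; hosting is 'cloud' or 'on-prem' (assumed inventory values)."""
    v = parse_version(version)
    if hosting == "cloud":
        return f"cloud: vendor-patched on {CLOUD_PATCH_DATE}, confirm with BeyondTrust"
    if v > AFFECTED_MAX:
        return "outside the affected range stated in the advisory"
    if v[:2] < PATCHED_MIN_BRANCH:
        return "affected, unsupported branch: no vendor patch, upgrade required"
    if patch_applied:
        return "affected branch, vendor patch recorded as applied"
    return "affected, vendor patch not applied: patch now"


# Constructed sample inventory (hosts, versions and patch states are invented).
INVENTORY: List[Dict[str, object]] = [
    {"host": "pra-01.corp.example", "version": "24.3.1", "hosting": "on-prem", "patch_applied": False},
    {"host": "rs-legacy.corp.example", "version": "21.2.3", "hosting": "on-prem", "patch_applied": False},
    {"host": "rs-02.corp.example", "version": "23.2", "hosting": "on-prem", "patch_applied": True},
    {"host": "tenant-01.example", "version": "24.3.1", "hosting": "cloud", "patch_applied": False},
]


def triage_inventory(inventory: List[Dict[str, object]]) -> Dict[str, str]:
    """Return {host: verdict} so the result can feed a ticketing or reporting step."""
    return {str(i["host"]): triage(str(i["version"]), str(i["hosting"]), bool(i["patch_applied"]))
            for i in inventory}


if __name__ == "__main__":
    for host, verdict in triage_inventory(INVENTORY).items():
        print(f"{host}: {verdict}")
```

A version number alone does not prove the vendor patch is present on a supported branch, so the patch_applied field should come from the appliance's own patch record, not be assumed.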
Rescana is here for you
CVE-2024-12356 represents a significant security risk due to its high CVSS score and potential for exploitation by sophisticated threat actors like Salt Typhoon. Organizations using BeyondTrust's PRA and RS products should prioritize patching and implementing robust security measures to mitigate potential impacts. Rescana is committed to supporting our customers in mitigating this and other cybersecurity threats through our Continuous Threat and Exposure Management platform. For further assistance, please contact us at ops@rescana.com.