BeyondTrust PRA/RS vulnerability

By 1 August 2023 August 2nd, 2023 CERT, SOC, Vulnerability

This live blog contains information regarding a vulnerability in BeyondTrust PRA/RS. As soon as we have an update, we’ll add it to this post. More information about possible risks and details can be found at the bottom of this blog. Last updated on August 1, 2023.

Update 1 August 2023

17:00 | On the 1st of August, BeyondTrust released a knowledge base article describing a critical vulnerability in its Privileged Remote Access (PRA) and Remote Support (RS) products. The vulnerability has not been assigned a CVE ID yet. Successful exploitation can allow an unauthenticated remote attacker to execute underlying operating system commands within the context of the site user.

The vulnerability is not known to be exploited in the wild, nor is there a public proof-of-concept exploit available. BeyondTrust has released a patch (TRY-21041). A software update fixing the issue is expected soon. It is highly recommended to apply the temporary patch as soon as possible.

Reason and background of this blog

This blog contains information about vulnerabilities, the possible risk and advice on how to prevent or limit damage. Below are the possible risks, details and background information.

Potential Risk

The vulnerability has a CVSS score of 10. The CVSS scale runs from 0 to 10. A score of 10 is rare and implies a low attack complexity and high risk of exploitation with high impact. The vulnerability in BeyondTrust PRA and RS is categorised as “Unauthenticated Command Injection” and allows an unauthenticated remote attacker to execute underlying operating system commands within the context of the site user. The vulnerability can be exploited through a malicious HTTP request.

The vulnerability is not known to be exploited in the wild, nor is there a public proof-of-concept exploit available. The high CVSS score indicates a low exploit complexity. Combined with the exposed nature of the solution and its access to internal systems, this makes it a very critical vulnerability, and patching as soon as possible is advised.

Detail info

Only two very specific versions of BeyondTrust Privileged Remote Access (PRA) and Remote Support (RS) are vulnerable:

  • 23.2.1
  • 23.2.2

For cloud customers: please be aware that these sites have already received the patch, which has been applied without any downtime or interruption to services.

Currently there is a patch available, labelled as TRY-21041, for the impacted versions. The issue will be fixed soon in version 23.2.3. This version is not available at the time of writing this article. Please apply the patch as soon as possible. Once version 23.2.3 is released, it is advised to install this as soon as possible.

For more information regarding the patch, please visit the original article of BeyondTrust (customer login required):

If any suspicious or malicious activity is detected in relation to this article, please contact T-CERT. The Tesorion Computer Emergency Response Team offers specialist support 24/7. In emergencies, we immediately conduct an initial assessment by telephone and do all we can to get the situation under control as soon as possible.
