BeyondTrust PRA/RS vulnerability

On the 1^st of August, BeyondTrust has released a knowledge base article describing a critical vulnerability in its Privileged Remote Access (PRA) and Remote Support (RS) products. The vulnerability has not been assigned a CVE ID yet. Successful exploitation can allow an unauthenticated remote attacker to execute underlying operating system commands within the context of the site user.

The vulnerability is not known to be exploited in the wild, nor is there a public proof-of-concept exploit available. BeyondTrust has released a patch (TRY-21041). A software update fixing the issue is expected soon. It is highly recommended to apply the temporary patch as soon as possible.

The vulnerability has a CVSS score of 10. The CVSS scale runs from 0 to 10. A score of 10 is rare and implies a low attack complexity and high risk of exploitation with high impact. The vulnerability in BeyondTrust PRA and RS is categorised as “Unauthenticated Command Injection” and allows an unauthenticated remote attacker to execute underlying operating system commands within the context of the site user. The vulnerability can be exploited through a malicious HTTP request.

The vulnerability is not known to be exploited in the wild, nor is there a public proof-of-concept exploit available. The high CVSS score indicates a low exploit complexity. Combined with the exposed character of the solution and access to internal systems, makes this a very critical vulnerability which is advised to be patched as soon as possible.

Only two very specific versions of BeyondTrust Privileged Remote Access (PRA) and Remote Support (RS) are vulnerable:

• 23.2.1
• 23.2.2

For cloud customers: please be aware that these sites have already received the patch and they have been applied without any downtime or interruption to services.

Currently there is a patch available, labelled as TRY-21041, for the impacted versions. The issue will be fixed soon in version 23.2.3. This version is not available at the time of writing this article. Please apply the patch as soon as possible. Once version 23.2.3 is released, it is advised to install this as soon as possible.

For more information regarding the patch, please visit the original article of BeyondTrust (customer login required):

• https://beyondtrustcorp.service-now.com/csm?id=kb_article_view&sysparm_article=KB0020207

If any suspicious or malicious activity is detected in relation to this article, please contact T-CERT. The Tesorion Computer Emergency Response Team offers specialist support 24/7. In emergencies, we immediately conduct an initial assessment by telephone and do all we can to get the situation under control as soon as possible.

More information is available at:

• BeyondTrust KB article (customer login required)