#############################################################
#
# COMPASS SECURITY ADVISORY
# https://www.compass-security.com/research/advisories/
#
#############################################################
#
# Product:  Privileged Remote Access (PRA)
# Vendor:   BeyondTrust
# CSNC ID:  CSNC-2022-018
# CVE ID:   CVE-2023-23632
# Subject:  Session take over / Privilege Escalation
# Severity: High
# Effect:   Locally exploitable
# Author:   Christian Feuchter
# Date:     02.10.2023
#
#############################################################

Introduction
------------

BeyondTrust Privileged Remote Access controls, manages, and audits privileged accounts and credentials. This enables just-in-time, zero trust access to on-premises and cloud resources by internal, external, and third-party users [1].

Compass Security identified an incorrect verification of a secret, allowing a low privileged malicious process or another user on the same host to connect to a jump item's (network device, server, etc.) shell without any further authentication.

Affected
--------

Vulnerable:

* BeyondTrust Privileged Remote Access (PRA) 22.2.x / 22.3.x / 22.4.x

Technical Description
---------------------

When the usage of external tools for shell jump sessions is allowed, users can enable the feature in their local BeyondTrust Access Console Client. If the connection to a jump item is established, a local (127.0.0.1) SSH listener is started, and the connection string is displayed in the Access Console Client. The connection string contains a randomly generated secret as username parameter. This string is supposed to mitigate the risk of unauthorized access to the local SSH listener by other users on the same host or low-privileged malicious processes. However, the identified weakness lies in the product's flawed validation of this secret.
Instead of properly verifying the whole secret, the system accepts it if the provided characters are in the correct position but does not check the number of characters provided. In other words, only the first correct character is required to establish a connection to the jump item without the need for any further authentication. Since no brute-force protection is implemented, the first character can be guessed quickly. This allows a reliable bypass of the authentication mechanism and grants unauthorized access to the jump item.

Steps to reproduce:

1. Enable the "Open Shell Jump Sessions with an External Tool" setting in the BeyondTrust Access Console client [2].
2. Connect to a jump item and copy the SSH connection string including the secret in the username (-l parameter).
3. Delete all but the first character of the secret (-l parameter). Use the modified SSH connection string with the truncated secret (-l parameter) to connect to the jump item.

Vulnerability Classification
----------------------------

CVSS v3.1 Metrics:

- CVSS Base Score: 8.6 (High)
- CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

Workaround / Fix
----------------

Workaround:
Disallow the usage of external tools for Shell Jump sessions.

Fix:
Privileged Remote Access should be updated to version 22.3.3 / 23.1.1 or newer [3].

Timeline
--------

2022-12-02: Discovery by Christian Feuchter
2022-12-22: Initial vendor notification
2023-01-03: Initial vendor response
2023-01-16: Assigned CVE-2023-23632
2023-05-09: Release of fixed Version / Patch
2023-06-09: Coordinated public disclosure
2023-08-24: Coordinated public disclosure
2023-10-02: Disclosure of advisory

References
----------

[1] https://www.beyondtrust.com/products/privileged-remote-access
[2] https://www.beyondtrust.com/docs/privileged-remote-access/getting-started/access-console/settings.htm
[3] https://beyondtrustcorp.service-now.com/csm?id=kb_article_view&sysparm_article=KB0019434
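Illustration (added here, not part of the original advisory and not BeyondTrust's code): the Python below reconstructs the class of check the Technical Description describes, a positional character comparison that never compares lengths, beside a length-aware constant-time comparison, and adds a simple lockout of the kind the advisory notes was absent. The secret value, alphabet, the `Listener` class and every function name are constructed for this example; the flawed check is a hypothetical model of the described behaviour, not the product's actual code.

```python
"""Prefix-only secret validation versus a hardened check (hypothetical)."""
import hmac
import secrets
import string

# Character set assumed for the generated secret (constructed for this example).
ALPHABET = string.ascii_letters + string.digits


def generate_secret(length: int = 16) -> str:
    """Random per-session secret, like the username in a connection string."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def flawed_check(provided: str, expected: str) -> bool:
    """Hypothetical model of the flaw: each provided character must match the
    expected character at the same position, but the number of characters is
    never compared, so a single correct leading character passes, and so does
    the full secret with extra characters appended."""
    if not provided:
        return False
    return all(p == e for p, e in zip(provided, expected))


def hardened_check(provided: str, expected: str) -> bool:
    """Hardened check: compare_digest rejects length mismatches and its run
    time does not depend on where the first differing byte sits."""
    return hmac.compare_digest(provided.encode("utf-8"), expected.encode("utf-8"))


class Listener:
    """Stand-in for a local listener that authenticates by secret, with a
    lockout after repeated failures (constructed; the advisory says no
    brute-force protection existed in the affected versions)."""

    def __init__(self, secret: str, check=hardened_check, max_failures: int = 5):
        self.secret = secret
        self.check = check
        self.max_failures = max_failures
        self.failures = 0

    def connect(self, username: str) -> str:
        if self.failures >= self.max_failures:
            return "locked"
        if self.check(username, self.secret):
            self.failures = 0
            return "accepted"
        self.failures += 1
        return "rejected"


def guesses_to_match_prefix(n: int) -> int:
    """Upper bound on attempts needed to find an accepted n-character prefix
    under positional-only matching: |ALPHABET| ** n. Quantifies the risk gap
    between checking one character and checking the whole secret."""
    return len(ALPHABET) ** n


def compare_checks(secret: str) -> dict:
    """Run both checks over constructed inputs; returns {case: (flawed, hardened)}."""
    wrong_first = "A" if secret[0] != "A" else "B"
    cases = {
        "full secret": secret,
        "first character only": secret[:1],
        "wrong first character": wrong_first + secret[1:],
        "secret plus trailing junk": secret + "x",
    }
    return {name: (flawed_check(v, secret), hardened_check(v, secret))
            for name, v in cases.items()}


if __name__ == "__main__":
    s = generate_secret()
    for name, (flawed, hardened) in compare_checks(s).items():
        print(f"{name:26s} flawed={flawed!s:5s} hardened={hardened}")
    print("guesses for 1 char:", guesses_to_match_prefix(1))
    print("guesses for full secret:", guesses_to_match_prefix(len(s)))
```

`compare_checks` shows the two checks agreeing only on the exact secret and a wrong first character; the truncated and over-long inputs are accepted by the flawed check and rejected by the hardened one. The lockout in `Listener` is the second layer the fix should carry: even a correct length comparison benefits from refusing repeated wrong guesses against a listener reachable by every local user.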