=== Details ========================================================

Vendor:   BeyondTrust
Product:  Privileged Remote Access (PRA)
Subject:  PRA connection takeover
CVE ID:   CVE-2025-0217
CVSS:     7.8 (high) CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Author:   Paul Szabo <psz@maths.usyd.edu.au>
Date:     2025-03-06

=== Introduction ===================================================

I noticed an issue in
BeyondTrust Privileged Remote Access (PRA) [1]
when using the PRA "Desktop Access Console" with the
"Open Shell Jump Sessions with an External Tool" option [2]
for accessing Linux servers.

=== Affected version ===============================================

BeyondTrust Privileged Remote Access (PRA) 24.3

=== Technical Description ==========================================

The "Desktop Access Console" creates an SSH tunnel so the command

  ssh -l USERNAME -p PORTNUMBER 127.0.0.1

will provide password-less login to the server; the USERNAME and
PORTNUMBER are randomized and shown on the screen of the PRA console.

While the legitimate user is using this SSH command (whether by
clicking "open SSH client" or typing it manually), the command and
arguments can be observed by any other user on the client machine,
simply by using the command

  ps -Af

on Mac or Linux, or

  wmic process get commandline

(by privileged users only) on Windows. That other user could then
run the very same SSH command to take over the tunneled connection,
obtaining privileged login access to the server.

Steps to reproduce:
1. The legitimate user uses the PRA "Desktop Access Console" with the
   "Open Shell Jump Sessions with an External Tool" option enabled,
   and opens an SSH client.
2. Another user on the same client machine observes the SSH command
   line of the legitimate user, then runs the same command and obtains
   privileged access to the server.

This is clearly an issue on multi-user client machines. At some
institutions anyone with a corporate login can log in to some shared
laptops; those are then also a target for an attacker who leaves an
attacking script running as a background task.
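As an added illustration, not part of the advisory, the following check
is one a defender could run on a shared client machine: it parses the
output of ps -Af and flags any tunnel login of the form
"ssh -l USERNAME -p PORTNUMBER 127.0.0.1" that is running under more
than one UID, which is what the takeover described above looks like in
the process table. The process listing, user names and port number are
constructed for the example.

```python
import os
from collections import defaultdict

# Constructed sample of `ps -Af` output (not from the advisory): alice's
# console-generated tunnel login is also being run by mallory.
SAMPLE_PS = """\
UID        PID  PPID  C STIME TTY          TIME CMD
alice     4102  4001  0 09:12 ?        00:00:03 /opt/pra/access-console
alice     4188  4102  0 09:13 pts/2    00:00:00 ssh -l u7Kq2pX -p 40213 127.0.0.1
mallory   5310  5200  0 09:14 pts/5    00:00:00 ssh -l u7Kq2pX -p 40213 127.0.0.1
bob       6001  5990  0 09:15 pts/7    00:00:00 ssh -p 22 bastion.example.net
"""


def parse_ps(ps_text):
    """Yield (uid, pid, cmd) from `ps -Af` output; CMD is everything after the 7th column."""
    for line in ps_text.strip().splitlines()[1:]:  # skip the header line
        fields = line.split(None, 7)
        if len(fields) == 8:
            yield fields[0], int(fields[1]), fields[7]


def tunnel_login(cmd):
    """Return (username, port) if cmd is `ssh -l USER -p PORT 127.0.0.1`, else None.

    Only the separate-token form shown in the advisory (-l USER, -p PORT)
    is recognised; the attached form (-lUSER) is deliberately not handled.
    """
    argv = cmd.split()
    if not argv or os.path.basename(argv[0]) != "ssh" or "127.0.0.1" not in argv:
        return None
    user = port = None
    for i, tok in enumerate(argv[1:-1], start=1):
        if tok == "-l":
            user = argv[i + 1]
        elif tok == "-p":
            port = argv[i + 1]
    return (user, port) if user and port else None


def find_shared_tunnel_logins(ps_text):
    """Map each (username, port) tunnel login to the UIDs running it; return those shared by >1 UID."""
    owners = defaultdict(set)
    for uid, _pid, cmd in parse_ps(ps_text):
        key = tunnel_login(cmd)
        if key:
            owners[key].add(uid)
    return {key: sorted(uids) for key, uids in owners.items() if len(uids) > 1}
```

Running find_shared_tunnel_logins on a live ps -Af listing at intervals gives a simple host-level alert while the external-tools option remains in use.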

=== Workaround =====================================================

Refrain from using the external tools option. Arguably, the only
purpose of the "Desktop Access Console" is to use external tools, so
in effect: do not use the console.

=== Fix ============================================================

None yet. Some mitigation expected in version 25.1 in April 2025,
then maybe a fix in version 25.2 in Q3 2025.

=== Timeline =======================================================

2024-11-28  Discovered by Paul Szabo
2024-12-04  Reported to security@beyondtrust.com
2024-12-11  Reported to secure@beyondtrust.com
2024-12-17  Initial response from BeyondTrust
2024-12-27  BeyondTrust does not consider this a vulnerability, and
            will leave it up to customers to disable external tools
2025-01-04  BeyondTrust evaluating multiple different solutions
2025-01-04  CVE-2025-0217 assigned by BeyondTrust [3]
2025-01-14  Somewhat invalid on Windows
2025-01-15  Suggested identd-style verification to BeyondTrust
2025-01-29  BeyondTrust expects some mitigation in version 25.1
2025-03-06  BeyondTrust expects a fix in version 25.2

=== Comments =======================================================

This issue is similar to CVE-2023-23632 [4,5], with the same impact.
It is curious that:
 - this issue was not noticed back then, and
 - CVE-2023-23632 is missing from the BeyondTrust advisories page [6].

It is also curious that BeyondTrust persists with a secret username.
They hope to mitigate in version 25.1 by hiding the username with ssh
aliases; that seems useless, as it can only work if the user chooses
OpenSSH as the external tool, not for PuTTY etc. nor the many SFTP
tools, and it may bring the CVSS score down to 6.7 (medium severity).
They then hope to fix the issue in version 25.2 by verifying the
connecting user, perhaps with something like identd [7].

This issue was observed for Linux servers. I do not have access to
Windows servers, and do not know whether they are affected by a
similar issue.

=== References =====================================================

[1] https://www.beyondtrust.com/products/privileged-remote-access
[2] https://www.beyondtrust.com/docs/privileged-remote-access/getting-started/access-console/settings.htm
[3] https://www.cve.org/CVERecord?id=CVE-2025-0217
[4] https://www.cve.org/CVERecord?id=CVE-2023-23632
[5] https://www.compass-security.com/fileadmin/Research/Advisories/2023_03_CSNC-2022-018_PRA_Privilege_Escalation.txt
[6] https://www.beyondtrust.com/trust-center/security-advisories
[7] https://en.wikipedia.org/wiki/Ident_protocol

====================================================================

Paul Szabo       psz@maths.usyd.edu.au       www.maths.usyd.edu.au/u/psz
School of Mathematics and Statistics   University of Sydney    Australia