=== Details ========================================================

Vendor:   BeyondTrust
Product:  Privileged Remote Access (PRA)
Subject:  PRA connection takeover
CVE ID:   CVE-2025-0217
CVSS:     7.8 (high) CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Author:   Paul Szabo <[email protected]>
Date:     2025-02-19

=== Introduction ===================================================

I noticed an issue in
BeyondTrust Privileged Remote Access (PRA) [1]
when using the PRA "Desktop Access Console" with the
"Open Shell Jump Sessions with an External Tool" option [2]
for accessing Linux servers.

=== Affected version ===============================================

BeyondTrust Privileged Remote Access (PRA) 24.3

=== Technical Description ==========================================

The "Desktop Access Console" creates an SSH tunnel so the command

  ssh -l USERNAME -p PORTNUMBER 127.0.0.1

will provide password-less login to the server; the USERNAME and
PORTNUMBER are randomized and shown on the screen of the PRA console.

While the legitimate user is using this SSH command (whether by
clicking "open SSH client" or typing it manually), the command and
arguments can be observed by any other user on the client machine,
simply by using the command

  ps -ef

on Mac or Linux, or

  wmic process get commandline

(by privileged users only) on Windows. That other user could then
run that same SSH command to take over the tunneled connection,
obtaining privileged login access to the server.

Steps to reproduce:
1. The legitimate user uses the PRA "Desktop Access Console" with the
   "Open Shell Jump Sessions with an External Tool" option enabled,
   and opens an SSH client.
2. Another user on the same client machine observes the SSH command
   line of the legitimate user, then runs the same command and obtains
   privileged access to the server.

This clearly is an issue on multi-user client machines. At some
institutions, anyone with a corporate login can log in to some
laptops; those laptops are then also a target for an attacker who
leaves an attacking script running as a background task.

=== Workaround =====================================================

Refrain from using the external tools option. Arguably, the only
purpose of the "Desktop Access Console" is to use external tools, so
do not use it at all.

=== Fix ============================================================

(none yet, maybe in version 25.1 scheduled for April 2025)

=== Timeline =======================================================

2024-11-28  Discovered by Paul Szabo
2024-12-04  Reported to [email protected]
2024-12-11  Reported to [email protected]
2024-12-17  Initial response from BeyondTrust
2024-12-27  BeyondTrust does not consider this a vulnerability, and
            will leave it up to customers to disable external tools
2024-01-04  BeyondTrust evaluating multiple different solutions
2024-01-04  CVE-2025-0217 assigned by BeyondTrust [3]
2024-01-14  Somewhat invalid on Windows
2024-01-15  Suggested identd verify to BeyondTrust
2024-01-29  BeyondTrust expects some fix in version 25.1

=== Comments =======================================================

This issue was observed for Linux servers. I do not have access to
Windows servers, and do not know whether they are affected by a
similar issue.

This issue is similar to CVE-2023-23632 [4,5], with the same impact.
I am curious how:
 - this issue was not noticed back then, and
 - CVE-2023-23632 is missing from the BeyondTrust advisories page [6].

I am curious how BeyondTrust persists with a secret username. In
January 2025, they plan to hide the username with ssh aliases: an
incomplete fix, as that may only work if the user chooses OpenSSH as
the external tool, not for PuTTY, lsh, etc., nor for the many SFTP
tools. Maybe they should instead verify the connecting user, as
identd does [7].

=== References =====================================================

[1] https://www.beyondtrust.com/products/privileged-remote-access
[2] https://www.beyondtrust.com/docs/privileged-remote-access/getting-started/access-console/settings.htm
[3] https://www.cve.org/CVERecord?id=CVE-2025-0217
[4] https://www.cve.org/CVERecord?id=CVE-2023-23632
[5] https://www.compass-security.com/fileadmin/Research/Advisories/2023_03_CSNC-2022-018_PRA_Privilege_Escalation.txt
[6] https://www.beyondtrust.com/trust-center/security-advisories
[7] https://en.wikipedia.org/wiki/Ident_protocol

====================================================================

Paul Szabo       [email protected]       www.maths.usyd.edu.au/u/psz
School of Mathematics and Statistics   University of Sydney    Australia