=== Details ========================================================

Vendor:   BeyondTrust
Product:  Privileged Remote Access (PRA)
Subject:  PRA connection takeover
CVE ID:   CVE-2025-0217
CVSS:     (not yet scored)
Author:   Paul Szabo <psz@maths.usyd.edu.au>
Date:     2025-01-15

=== Introduction ===================================================

I noticed an issue in
BeyondTrust Privileged Remote Access (PRA) [1]
when using the PRA "Desktop Access Console" with the
"Open Shell Jump Sessions with an External Tool" option [2]
for accessing Linux servers.

=== Affected version ===============================================

BeyondTrust Privileged Remote Access (PRA) 24.3

=== Technical Description ==========================================

The "Desktop Access Console" creates an SSH tunnel so the command

  ssh -l USERNAME -p PORTNUMBER 127.0.0.1

will provide password-less login to the server; the USERNAME and
PORTNUMBER are randomized and shown on the screen of the PRA console.

While the legitimate user is using this SSH command (whether by
clicking "open SSH client" or typing it manually), the command and
arguments can be observed by any other user on the client machine,
simply by using the command

  wmic process get commandline

on Windows, or

  ps -ef

on Mac or Linux. Any user could then run that same SSH command to
take over the tunneled connection, obtaining privileged login access
to the server.

Steps to reproduce:
1. The legitimate user runs the PRA "Desktop Access Console" with the
   "Open Shell Jump Sessions with an External Tool" option enabled,
   and opens an SSH client.
2. Another user on the same client machine observes the SSH command
   line of the legitimate user, then runs the same command and obtains
   privileged access to the server.

This clearly is an issue on multi-user client machines. At some
institutions, anyone with a corporate login can log in to some
laptops; those laptops are then also a target for an attacker to
leave an attacking script running as a background task.

=== Workaround =====================================================

Refrain from using the external tools option. Arguably, the only
purpose of the "Desktop Access Console" is to use external tools:
do not use it.

=== Fix ============================================================

(none yet)

=== Timeline =======================================================

2024-11-28  Discovery by Paul Szabo
2024-12-04  Reported to security@beyondtrust.com
2024-12-11  Reported to secure@beyondtrust.com
2024-12-17  Initial response from BeyondTrust
2024-12-27  BeyondTrust does not consider this a vulnerability, and
            will leave it up to customers to disable external tools
2024-01-04  BeyondTrust evaluating multiple different solutions
2024-01-04  CVE assigned by BeyondTrust [3]
2024-01-14  Maybe invalid on Windows, BeyondTrust cannot reproduce
2024-01-15  Suggested identd verify to BeyondTrust

=== Comments =======================================================

This issue was observed for Linux servers. I do not have access to
Windows servers, and do not know whether they are affected by a
similar issue.

This issue is similar to CVE-2023-23632 [4,5], and has the same impact.
Curious how:
 - this issue was not noticed back then, and
 - CVE-2023-23632 is missing from the BeyondTrust advisories page [6].

Curious how BeyondTrust persists with a secret username, when it could
secure the connection with SSH keys, or verify the connecting user
with identd [7].
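
As an added illustration of the identd check suggested above (example code
written for this advisory, not BeyondTrust's own code, and assuming the
tunnel endpoint accepting the local SSH connection can query the ident
service on the peer host per RFC 1413): the accepting side asks which
local account owns the connecting socket and refuses the connection unless
it is the account that opened the console.

```python
import socket

IDENT_PORT = 113  # RFC 1413 ident service port

def build_ident_query(server_port: int, client_port: int) -> bytes:
    """Query as sent by the accepting side: '<port-on-server>, <port-on-client>'."""
    return f"{server_port}, {client_port}\r\n".encode("ascii")

def parse_ident_reply(reply: bytes) -> dict:
    """Parse an ident reply into its fields; raises ValueError on malformed input."""
    text = reply.decode("ascii", errors="replace").rstrip("\r\n")
    fields = [f.strip() for f in text.split(":", 3)]
    if len(fields) < 3:
        raise ValueError(f"malformed ident reply: {text!r}")
    ports = [p.strip() for p in fields[0].split(",")]
    if len(ports) != 2 or not all(p.isdigit() for p in ports):
        raise ValueError(f"malformed port pair: {fields[0]!r}")
    result = {"server_port": int(ports[0]), "client_port": int(ports[1]),
              "type": fields[1].upper()}
    if result["type"] == "USERID" and len(fields) == 4:
        result["opsys"], result["user"] = fields[2], fields[3]
    elif result["type"] == "ERROR":
        result["error"] = fields[2]          # e.g. NO-USER, HIDDEN-USER
    else:
        raise ValueError(f"unexpected reply type: {text!r}")
    return result

def peer_is_expected_user(reply: bytes, expected_user: str,
                          server_port: int, client_port: int) -> bool:
    """True only if ident confirms this exact socket pair belongs to expected_user."""
    try:
        info = parse_ident_reply(reply)
    except ValueError:
        return False                         # unparseable reply: fail closed
    return (info["type"] == "USERID"
            and info["server_port"] == server_port
            and info["client_port"] == client_port
            and info.get("user") == expected_user)

def verify_tunnel_peer(conn: socket.socket, expected_user: str, timeout: float = 3.0) -> bool:
    """Ask identd on the peer host (127.0.0.1 for the PRA tunnel) who owns the socket."""
    server_port = conn.getsockname()[1]
    peer_host, client_port = conn.getpeername()[:2]
    try:
        with socket.create_connection((peer_host, IDENT_PORT), timeout=timeout) as ident:
            ident.sendall(build_ident_query(server_port, client_port))
            reply = ident.recv(1024)
    except OSError:
        return False                         # no identd answer: fail closed
    return peer_is_expected_user(reply, expected_user, server_port, client_port)
```

The check is only as trustworthy as the identd answering it, which is
acceptable here because the peer is the same 127.0.0.1 host; a reply from
an untrusted remote host should never be used as authentication.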

=== References =====================================================

[1] https://www.beyondtrust.com/products/privileged-remote-access
[2] https://www.beyondtrust.com/docs/privileged-remote-access/getting-started/access-console/settings.htm
[3] https://www.cve.org/CVERecord?id=CVE-2025-0217
[4] https://www.cve.org/CVERecord?id=CVE-2023-23632
[5] https://www.compass-security.com/fileadmin/Research/Advisories/2023_03_CSNC-2022-018_PRA_Privilege_Escalation.txt
[6] https://www.beyondtrust.com/trust-center/security-advisories
[7] https://en.wikipedia.org/wiki/Ident_protocol

====================================================================

Paul Szabo       psz@maths.usyd.edu.au       www.maths.usyd.edu.au/u/psz
School of Mathematics and Statistics   University of Sydney    Australia