CVE-2020-12613

8.8 HIGH

📋 TL;DR

This vulnerability in BeyondTrust Privilege Management for Windows allows attackers to bypass privilege elevation controls. An attacker can spawn a process with multiple user tokens, and when the Avecto component elevates the process, it fails to remove the secondary users, allowing unauthorized privilege retention. This affects organizations using BeyondTrust Privilege Management for Windows up to and including version 5.6.

💻 Affected Systems

Products:
  • BeyondTrust Privilege Management for Windows
Versions: Up to and including version 5.6
Operating Systems: Windows
Default Config Vulnerable: ⚠️ Yes
Notes: All configurations using the vulnerable Avecto privilege elevation component are affected.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete privilege escalation where attackers gain persistent administrative access to Windows systems, potentially leading to full domain compromise.

🟠 Likely Case

Local privilege escalation allowing attackers to bypass security controls and execute code with elevated privileges.

🟢 If Mitigated

Limited impact with proper network segmentation, least privilege principles, and monitoring in place.

🌐 Internet-Facing: LOW - This is primarily a local privilege escalation vulnerability requiring local access.
🏢 Internal Only: HIGH - Attackers with initial access to a Windows endpoint could exploit this to gain elevated privileges and move laterally.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires local access and understanding of Windows security tokens and process spawning.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 5.6 SR1 and later

Vendor Advisory: https://www.beyondtrust.com/trust-center/security-advisories/bt22-11

Restart Required: Yes

Instructions:

1. Download BeyondTrust Privilege Management for Windows 5.6 SR1 or later from the BeyondTrust support portal.
2. Install the update following vendor documentation.
3. Restart affected systems to ensure proper application of the security fixes.

🔧 Temporary Workarounds

Disable Avecto Privilege Elevation

Platform: Windows

Temporarily disable the vulnerable Avecto privilege elevation component until patching can be completed.

Consult BeyondTrust documentation for the specific Avecto component disablement procedure.

🧯 If You Can't Patch

  • Implement strict least privilege principles and limit local administrator access
  • Enhance monitoring for unusual process spawning and privilege escalation attempts

🔍 How to Verify

Check if Vulnerable:

Check the installed version of BeyondTrust Privilege Management for Windows via Control Panel > Programs and Features or using PowerShell: Get-WmiObject -Class Win32_Product | Where-Object {$_.Name -like '*BeyondTrust*Privilege*'}

Check Version:

Get-WmiObject -Class Win32_Product | Where-Object {$_.Name -like '*BeyondTrust*Privilege*'} | Select-Object Name, Version

Verify Fix Applied:

Verify version is 5.6 SR1 or later using the same version check command and confirm no privilege escalation occurs during testing.

📡 Detection & Monitoring

Log Indicators:

  • Multiple user tokens in single process creation events
  • Unusual privilege elevation patterns in Windows security logs
  • Avecto component errors or warnings

Network Indicators:

  • Lateral movement attempts following local privilege escalation

SIEM Query:

EventID=4688 AND (ProcessName LIKE '%powershell%' OR ProcessName LIKE '%cmd%') AND SubjectUserName != TargetUserName
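The same detection logic as a runnable filter, added here as an example and not part of the advisory: it applies the query's conditions with explicit AND/OR grouping to constructed 4688-style records, and skips legacy events that carry no TargetUserName (the Target Subject fields only exist on Windows 10 / Server 2016 and later) so a missing field is not reported as a token mismatch. Field names follow the Security log 4688 EventData schema; the sample records and account names are constructed.

```python
import fnmatch

# Equivalent of ProcessName LIKE '%powershell%' OR ProcessName LIKE '%cmd%'
SUSPECT_PROCESSES = ("*powershell*", "*cmd*")


def is_suspect_process_creation(event: dict) -> bool:
    """True when a 4688 record satisfies:
    EventID=4688 AND (powershell or cmd) AND SubjectUserName != TargetUserName.

    Events without a TargetUserName (pre-Windows 10 schema) are skipped rather
    than flagged, so they do not generate false positives."""
    if event.get("EventID") != 4688:
        return False
    name = event.get("NewProcessName", "").lower()
    if not any(fnmatch.fnmatch(name, pat) for pat in SUSPECT_PROCESSES):
        return False
    subject = event.get("SubjectUserName")
    target = event.get("TargetUserName")
    if subject is None or target is None:
        return False
    # Windows account names are case-insensitive, so compare them that way.
    return subject.lower() != target.lower()


def suspect_events(events):
    """Return the records that match the detection rule."""
    return [e for e in events if is_suspect_process_creation(e)]


# Constructed sample records (not real log data).
SAMPLE_EVENTS = [
    {"EventID": 4688, "NewProcessName": r"C:\Windows\System32\cmd.exe",
     "SubjectUserName": "alice", "TargetUserName": "alice"},          # same account: benign
    {"EventID": 4688, "NewProcessName": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "SubjectUserName": "alice", "TargetUserName": "Administrator"},  # creator differs from target: flag
    {"EventID": 4688, "NewProcessName": r"C:\Windows\System32\notepad.exe",
     "SubjectUserName": "alice", "TargetUserName": "Administrator"},  # not a shell: ignored
    {"EventID": 4624, "NewProcessName": r"C:\Windows\System32\cmd.exe",
     "SubjectUserName": "alice", "TargetUserName": "Administrator"},  # not a 4688 event: ignored
    {"EventID": 4688, "NewProcessName": r"C:\Windows\System32\cmd.exe",
     "SubjectUserName": "alice"},                                      # legacy schema, no target: skipped
]

if __name__ == "__main__":
    for e in suspect_events(SAMPLE_EVENTS):
        print("ALERT", e["NewProcessName"], e["SubjectUserName"], "->", e["TargetUserName"])
```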

🔗 References
