CVE-2020-12615

7.8 HIGH

📋 TL;DR

BeyondTrust Privilege Management for Windows (formerly Avecto Defendpoint) through version 5.6 lets a local standard user steal the security token of a process that policy elevated with the 'Add Admin' token, when that token is configured to run at medium integrity with the user as owner. Because the user owns the elevated process and its token, and medium integrity does not block access from the user's other medium-integrity processes, the user can open that token, duplicate it and apply it to an arbitrary process, which then runs with the administrative rights the policy intended for one application only. The result is local privilege escalation to administrator on any endpoint running an affected version with such a policy.

💻 Affected Systems

Products:
  • BeyondTrust Privilege Management for Windows
Versions: Through version 5.6
Operating Systems: Windows
Default Config Vulnerable: ⚠️ Configuration-dependent
Notes: Exploitable only where policy assigns the 'Add Admin' token with the medium integrity and user ownership settings; that specific pairing is what allows the user's own processes to open the elevated token. Other token definitions with the same pairing deserve the same scrutiny.

📦 What is this software?

BeyondTrust Privilege Management for Windows (formerly Avecto Defendpoint) is an endpoint privilege management agent. Users log on as standard users, and policy elevates specific applications by running them under an access token the policy assigns; the built-in 'Add Admin' token adds the local Administrators group to the user's own token so that one application runs with administrative rights without the user holding them permanently.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Local privilege escalation from a standard user to local administrator, from which SYSTEM is a short step: complete control over the endpoint, its cached credentials and anything it can reach on the domain.

🟠 Likely Case

An attacker or malware already running as the standard user on an endpoint steals the elevated token and gains administrative privileges on that host.

🟢 If Mitigated

With the agent updated or the Add Admin token no longer run at medium integrity under user ownership, the user's processes cannot open the elevated token; residual risk is limited to policy drift that reintroduces the vulnerable pairing.

🌐 Internet-Facing: LOW - This is primarily a local privilege escalation vulnerability requiring initial access.
🏢 Internal Only: HIGH - Once an attacker gains initial access to a system, they can exploit this to escalate privileges internally.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Requires local access and knowledge of the specific token configuration to exploit.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 5.6 SR1 and later

Vendor Advisory: https://www.beyondtrust.com/trust-center/security-advisories/bt22-07

Restart Required: Yes

Instructions:

1. Download BeyondTrust Privilege Management for Windows 5.6 SR1 or later from the BeyondTrust support portal.
2. Back up the current configuration and policy.
3. Install the update following the vendor instructions.
4. Restart affected systems.
5. Verify the installed version and confirm that policy-driven elevation still works.

🔧 Temporary Workarounds

Disable Add Admin Token Feature

Platform: Windows

Temporarily stop assigning the 'Add Admin' token until the agent is updated: in the BeyondTrust management console, remove the Add Admin token from every application rule that uses it and redeploy the policy.

Restrict Token Usage

Platform: Windows

If the token cannot be removed, change its settings so the user's own processes can no longer open it: run it at a higher integrity level and/or with an ownership setting other than the user, then redeploy the policy. The vulnerable pairing is medium integrity with user ownership; avoid it in every token definition, not only the built-in Add Admin token.

🧯 If You Can't Patch

  • Tighten what runs as the standard user on systems with BeyondTrust Privilege Management: application control or allowlisting so that arbitrary user-launched code cannot reach the elevated token in the first place
  • Monitor those endpoints closely and isolate them from critical network segments until the agent can be updated

🔍 How to Verify

Check if Vulnerable:

Check BeyondTrust Privilege Management version in Control Panel > Programs and Features, or run 'pmw.exe --version' from command line.

Check Version:

pmw.exe --version
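An inventory check added here as an example; it is not BeyondTrust tooling and does not depend on any vendor CLI. It reads the product's entry from the Windows uninstall registry keys (64-bit and 32-bit views) on the local host or on remote hosts over WinRM. The DisplayName patterns are assumptions; confirm them against Programs and Features on one known endpoint. Because the page gives the fix as "5.6 SR1" and a service release is not distinguishable from base 5.6 by major.minor alone, the script flags anything at or below 5.6 for manual comparison with the vendor advisory rather than declaring it vulnerable.

```powershell
# Added example (not BeyondTrust's own tooling): find installed Privilege Management for
# Windows agents via the uninstall registry keys and flag versions that need review.

$NamePatterns  = @('*Privilege Management for Windows*', '*Defendpoint*')   # assumed display names
$UninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

function Get-PmwInstall {
    param([string[]]$ComputerName = @($env:COMPUTERNAME))

    $scan = {
        param($keys, $patterns)
        Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
            Where-Object { $n = $_.DisplayName; $n -and ($patterns | Where-Object { $n -like $_ }) } |
            ForEach-Object {
                # DisplayVersion is a string such as "5.6.123"; [version] needs at least major.minor.
                $v = $null
                [void][version]::TryParse($_.DisplayVersion, [ref]$v)
                [pscustomobject]@{
                    Computer       = $env:COMPUTERNAME
                    DisplayName    = $_.DisplayName
                    DisplayVersion = $_.DisplayVersion
                    InstallDate    = $_.InstallDate
                    # 5.6 and 5.6 SR1 share major.minor, so <= 5.6 (or an unparseable version)
                    # means "compare against the vendor advisory by hand", not "vulnerable".
                    NeedsReview    = ($null -eq $v) -or ($v.Major -lt 5) -or ($v.Major -eq 5 -and $v.Minor -le 6)
                }
            }
    }

    foreach ($c in $ComputerName) {
        if ($c -eq $env:COMPUTERNAME) {
            & $scan $UninstallKeys $NamePatterns
        } else {
            Invoke-Command -ComputerName $c -ScriptBlock $scan -ArgumentList $UninstallKeys, $NamePatterns
        }
    }
}

# Local host; pass -ComputerName (Get-ADComputer ...).Name for a fleet sweep over WinRM.
Get-PmwInstall | Format-Table Computer, DisplayName, DisplayVersion, NeedsReview
```

Hosts where nothing is returned either do not have the agent installed or use a display name the patterns miss; check one such host manually before trusting the sweep.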

Verify Fix Applied:

Confirm the installed version is 5.6 SR1 or later and that the updated policy has been applied. Then, as a standard user with an Add Admin-elevated application running, confirm that the user's own medium-integrity processes can no longer open that application's token for duplication, while policy-driven elevation itself still works.
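The token check described above, as an added example that is not part of the advisory or of BeyondTrust's tooling. Run it in a non-elevated shell as the standard user whose policy contains the Add Admin token, while an Add Admin-elevated application is running. It walks every process, tries to open the process token with TOKEN_QUERY | TOKEN_DUPLICATE (the access a thief needs to copy it), and reports the token's owner, integrity level and whether it carries BUILTIN\Administrators. It only inspects tokens; it does not impersonate or spawn anything. The assumption that the Add Admin token is recognisable by the Administrators group SID (S-1-5-32-544) is labelled in the code; the Win32 constants are the documented values.

```powershell
# Added example: list processes whose token the caller can open for duplication and flag
# the pairing the advisory describes (owned by the caller, medium integrity, admin group).

Add-Type -TypeDefinition @"
using System;
using System.Runtime.InteropServices;
public static class TokenNative {
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern IntPtr OpenProcess(uint desiredAccess, bool inheritHandle, int processId);
    [DllImport("advapi32.dll", SetLastError = true)]
    public static extern bool OpenProcessToken(IntPtr processHandle, uint desiredAccess, out IntPtr tokenHandle);
    [DllImport("advapi32.dll", SetLastError = true)]
    public static extern bool GetTokenInformation(IntPtr tokenHandle, int infoClass, IntPtr info, uint infoLength, out uint returnLength);
    [DllImport("advapi32.dll")]
    public static extern IntPtr GetSidSubAuthorityCount(IntPtr sid);
    [DllImport("advapi32.dll")]
    public static extern IntPtr GetSidSubAuthority(IntPtr sid, uint index);
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern bool CloseHandle(IntPtr handle);
}
"@

$PROCESS_QUERY_LIMITED_INFORMATION = 0x1000   # sufficient for OpenProcessToken
$TOKEN_QUERY         = 0x0008
$TOKEN_DUPLICATE     = 0x0002                 # the right a token thief needs
$TokenIntegrityLevel = 25                     # TOKEN_INFORMATION_CLASS value
$AdminsSid = 'S-1-5-32-544'                   # BUILTIN\Administrators (assumed marker of Add Admin)
$IntegrityName = @{ 0x1000 = 'Low'; 0x2000 = 'Medium'; 0x3000 = 'High'; 0x4000 = 'System' }

function Get-TokenIntegrityRid([IntPtr]$Token) {
    # TOKEN_MANDATORY_LABEL begins with a PSID; its last sub-authority is the integrity RID.
    [uint32]$len = 0
    [void][TokenNative]::GetTokenInformation($Token, $TokenIntegrityLevel, [IntPtr]::Zero, 0, [ref]$len)
    if ($len -eq 0) { return $null }
    $buf = [Runtime.InteropServices.Marshal]::AllocHGlobal([int]$len)
    try {
        if (-not [TokenNative]::GetTokenInformation($Token, $TokenIntegrityLevel, $buf, $len, [ref]$len)) { return $null }
        $sid   = [Runtime.InteropServices.Marshal]::ReadIntPtr($buf)
        $count = [Runtime.InteropServices.Marshal]::ReadByte([TokenNative]::GetSidSubAuthorityCount($sid))
        return [Runtime.InteropServices.Marshal]::ReadInt32([TokenNative]::GetSidSubAuthority($sid, [uint32]($count - 1)))
    } finally { [Runtime.InteropServices.Marshal]::FreeHGlobal($buf) }
}

function Get-OpenableTokens {
    $me = [System.Security.Principal.WindowsIdentity]::GetCurrent().User
    foreach ($p in Get-Process) {
        $h = [TokenNative]::OpenProcess($PROCESS_QUERY_LIMITED_INFORMATION, $false, $p.Id)
        if ($h -eq [IntPtr]::Zero) { continue }
        $tok = [IntPtr]::Zero
        $id  = $null
        try {
            # Failure here is the healthy outcome for an elevated process: the caller cannot copy its token.
            if (-not [TokenNative]::OpenProcessToken($h, ($TOKEN_QUERY -bor $TOKEN_DUPLICATE), [ref]$tok)) { continue }
            $id  = New-Object System.Security.Principal.WindowsIdentity($tok)
            $rid = Get-TokenIntegrityRid $tok
            $hasAdmins = [bool]($id.Groups | Where-Object { $_.Value -eq $AdminsSid })
            $ownedByMe = ($null -ne $id.Owner) -and $id.Owner.Equals($me)
            $integrity = if ($null -eq $rid) { '?' } elseif ($IntegrityName.ContainsKey($rid)) { $IntegrityName[$rid] } else { '0x{0:X}' -f $rid }
            [pscustomobject]@{
                Pid       = $p.Id
                Name      = $p.ProcessName
                Owner     = if ($id.Owner) { $id.Owner.Value } else { '?' }
                Integrity = $integrity
                HasAdmins = $hasAdmins
                OwnedByMe = $ownedByMe
                # The advisory's pairing: caller-owned, medium integrity, carrying the admin group.
                AtRisk    = $ownedByMe -and $hasAdmins -and ($rid -eq 0x2000)
            }
        } finally {
            if ($id) { $id.Dispose() }
            if ($tok -ne [IntPtr]::Zero) { [void][TokenNative]::CloseHandle($tok) }
            [void][TokenNative]::CloseHandle($h)
        }
    }
}

Get-OpenableTokens | Where-Object AtRisk | Format-Table Pid, Name, Owner, Integrity, HasAdmins
```

An empty result from a standard-user shell, with an Add Admin-elevated application running, is the expected state after the fix or the workaround. Running the script from an elevated shell defeats the point, since an administrator can open almost every token on the box; drop `Where-Object AtRisk` to see the full picture for the caller.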

📡 Detection & Monitoring

Log Indicators:

  • Unusual token creation or modification events in BeyondTrust logs
  • Multiple failed privilege escalation attempts followed by successful ones

Network Indicators:

  • Not applicable - local privilege escalation

SIEM Query:

source="BeyondTrust" AND (event_type="token_creation" OR event_type="privilege_escalation")

The query is schematic: map `source` and `event_type` to the index and field names your log source actually emits for the agent's events before deploying it.

🔗 References

  • BeyondTrust security advisory: https://www.beyondtrust.com/trust-center/security-advisories/bt22-07
  • NVD entry: https://nvd.nist.gov/vuln/detail/CVE-2020-12615