CVE-2024-5813

5.9 MEDIUM

📋 TL;DR

An authenticated attacker with administrative privileges can exploit an information leak in BIPS to access SSH private keys from server responses. This affects organizations using vulnerable versions of BeyondTrust Privileged Remote Access (PRA) and Privilege Management for Windows (PMW).

💻 Affected Systems

Products:
  • BeyondTrust Privileged Remote Access (PRA)
  • BeyondTrust Privilege Management for Windows (PMW)
Versions: PRA versions 23.4.1 and earlier, PMW versions 23.4.1 and earlier
Operating Systems: Windows, Linux
Default Config Vulnerable: ⚠️ Yes
Notes: Requires authenticated attacker with high privileges; not exploitable by standard users.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers gain SSH private keys, enabling persistent access to systems, lateral movement, and potential full network compromise.

🟠 Likely Case

Privileged attackers exfiltrate SSH keys for targeted systems, leading to unauthorized access and data breaches.

🟢 If Mitigated

Limited impact due to strict access controls, monitoring, and key rotation policies.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires authenticated administrative access; no public exploit code known.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: PRA 23.4.2, PMW 23.4.2

Vendor Advisory: https://www.beyondtrust.com/trust-center/security-advisories/bt24-08

Restart Required: Yes

Instructions:

1. Download patches from the BeyondTrust support portal.
2. Apply patches to affected systems.
3. Restart services/systems as required.

🔧 Temporary Workarounds

Restrict Administrative Access (all platforms)

Limit administrative accounts to only trusted personnel and implement strict access controls.

Rotate SSH Keys (linux)

Immediately rotate all SSH private keys stored in affected systems.

  ssh-keygen -t rsa -b 4096 -f new_key

Install new_key.pub in authorized_keys on the target systems and remove the old public keys there. Keys that remain stored in an unpatched BIPS instance stay exposed until the fix is applied.

🧯 If You Can't Patch

  • Implement strict monitoring of administrative account activity and SSH key usage.
  • Isolate affected systems from critical network segments and enforce network segmentation.

🔍 How to Verify

Check if Vulnerable:

Check system version against affected versions (PRA/PMW 23.4.1 or earlier).

Check Version:

On Windows: check the installed programs list.
On Linux: check the package version with dpkg -l | grep beyondtrust or rpm -qa | grep beyondtrust.

Verify Fix Applied:

Verify system version is PRA/PMW 23.4.2 or later.

📡 Detection & Monitoring

Log Indicators:

  • Unusual administrative account logins
  • SSH key access or export events in audit logs

Network Indicators:

  • Unexpected SSH connections from administrative systems
  • Anomalous data transfers from BIPS servers

SIEM Query:

source="bips_logs" AND (event_type="key_access" OR user_role="admin")
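The log indicators above, as an added detection example that is not part of this advisory: it scans constructed BIPS-style JSON audit lines (the field names source, user, user_role, event_type and key_id are assumed) and alerts only when an administrative account exports a key or reads several distinct keys in bulk, which is narrower than the SIEM query's OR, since that also matches every routine admin action.

```python
import json
from collections import defaultdict

# Constructed sample audit lines in an assumed JSON shape; not real BIPS output.
SAMPLE_LOG = """
{"ts": "2024-06-10T09:00:01Z", "source": "bips_logs", "user": "alice", "user_role": "admin", "event_type": "login"}
{"ts": "2024-06-10T09:00:30Z", "source": "bips_logs", "user": "alice", "user_role": "admin", "event_type": "key_access", "key_id": "k-101"}
{"ts": "2024-06-10T09:00:31Z", "source": "bips_logs", "user": "alice", "user_role": "admin", "event_type": "key_access", "key_id": "k-102"}
{"ts": "2024-06-10T09:00:32Z", "source": "bips_logs", "user": "alice", "user_role": "admin", "event_type": "key_access", "key_id": "k-103"}
{"ts": "2024-06-10T09:05:00Z", "source": "bips_logs", "user": "bob", "user_role": "user", "event_type": "key_access", "key_id": "k-201"}
{"ts": "2024-06-10T09:06:00Z", "source": "bips_logs", "user": "carol", "user_role": "admin", "event_type": "key_export", "key_id": "k-301"}
"""

KEY_EVENTS = {"key_access", "key_export"}

def parse_lines(text):
    """Parse newline-delimited JSON, skipping blank or malformed lines."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events

def flag_admin_key_activity(events, access_threshold=3):
    """Alert on any admin key_export, and on an admin reading
    `access_threshold` or more distinct keys (bulk-read pattern)."""
    keys_read = defaultdict(set)
    alerts = []
    for ev in events:
        if ev.get("source") != "bips_logs" or ev.get("user_role") != "admin":
            continue
        et = ev.get("event_type")
        if et not in KEY_EVENTS:
            continue
        user = ev.get("user", "?")
        if et == "key_export":
            alerts.append((user, "key_export", ev.get("key_id")))
        else:
            keys_read[user].add(ev.get("key_id"))
            if len(keys_read[user]) == access_threshold:
                alerts.append((user, "bulk_key_access", sorted(keys_read[user])))
    return alerts
```

Tune access_threshold to the normal per-session key usage of your administrators; the sample fires for alice's three reads and carol's export but not for bob, whose role is not admin.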
