Synopsis:

Prior to version 24.1, a local authenticated attacker with privileges to initiate a repair on Privilege Management for Windows could hijack the elevated process to execute arbitrary programs with elevated privileges. This attack is mitigated by anti-tamper restrictions and policy restrictions.

Impacted Product:

Privilege Management for Windows

Workaround (policy restriction):

1. Create a new application group (e.g., AppGroup1) with the following criteria:

a. File or Folder Name matches:

--- File or Folder Name: PGUserMode

--- Perform Match Using: Contains

b. Product Name matches:

--- Product Name: BeyondTrust Privilege Management

--- Match Case: Yes

--- Perform Match Using: Exact Match

c. Publisher matches:

--- Publisher: BeyondTrust Corporation

--- Match Case: Yes

--- Perform Match Using: Exact Match

d. Product Description matches:

--- Product Description: BeyondTrust Privilege Management User Mode Utility

--- Match Case: Yes

--- Perform Match Using: Exact Match

e. Trusted Ownership matches:

f. Advanced Options: only the "Force standard user rights on File Open/Save common dialogs" option is enabled

2. Create a new application group (e.g., AppGroup2) with the following criteria:

a. File or Folder Name matches:

--- File or Folder Name: *

--- Perform Match Using: Regular Expressions

b. Parent Process matches:

--- Parent Process Group: AppGroup1 (the name of the group created in step 1)

c. Advanced Options: only the "Force standard user rights on File Open/Save common dialogs" option is enabled

3. Create a new Application Rule:

--- Target Application Group: AppGroup2 (the name of the group created in step 2)

--- Action: Allow Execution

--- End User Message: Off

--- Access Token: Enforce User's Default Rights
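The following is an added model of how the three workaround objects above compose, not BeyondTrust code; it assumes that every criterion inside an application group must match (AND), that the "contains" file-name match is case-insensitive while the exact-match criteria are case-sensitive, that the "*" regular expression matches any file name, and that Parent Process matching checks the immediate parent. The constructed process records show that only children of the genuine, BeyondTrust-published PGUserMode binary are forced onto the user's default token.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed process record used to model policy evaluation (assumption:
# these four attributes are what the group criteria inspect).
@dataclass
class Proc:
    name: str
    product: str
    publisher: str
    description: str
    parent: Optional["Proc"] = None

def in_appgroup1(p: Proc) -> bool:
    """AppGroup1: the genuine PGUserMode utility. All criteria are ANDed, so a
    file that merely shares the name but not the publisher/product does not match."""
    return ("pgusermode" in p.name.lower()          # File or Folder Name contains (case-insensitive, assumed)
            and p.product == "BeyondTrust Privilege Management"
            and p.publisher == "BeyondTrust Corporation"
            and p.description == "BeyondTrust Privilege Management User Mode Utility")

def in_appgroup2(p: Proc) -> bool:
    """AppGroup2: any file (the advisory's '*' regex, modelled as '.*')
    whose parent process belongs to AppGroup1."""
    return (re.fullmatch(".*", p.name) is not None
            and p.parent is not None
            and in_appgroup1(p.parent))

def access_token(p: Proc) -> str:
    """Outcome of the Application Rule: members of AppGroup2 are allowed to run
    but only with the user's default rights; anything else is left to other rules."""
    if in_appgroup2(p):
        return "Enforce User's Default Rights"
    return "no match (other rules apply)"

def demo() -> dict:
    """Three constructed parents for the same child (cmd.exe) to show what the rule covers."""
    genuine = Proc("PGUserMode.exe", "BeyondTrust Privilege Management",
                   "BeyondTrust Corporation",
                   "BeyondTrust Privilege Management User Mode Utility")
    lookalike = Proc("PGUserMode.exe", "Other Product", "Unknown Publisher", "Other")
    explorer = Proc("explorer.exe", "Microsoft Windows", "Microsoft Corporation", "Windows Explorer")
    return {
        "child of genuine PGUserMode": access_token(Proc("cmd.exe", "", "", "", parent=genuine)),
        "child of same-named lookalike": access_token(Proc("cmd.exe", "", "", "", parent=lookalike)),
        "child of explorer": access_token(Proc("cmd.exe", "", "", "", parent=explorer)),
    }
```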

Affected Product Version:

Privilege Management for Windows prior to 24.1

Fixed Product Version:

Privilege Management for Windows 24.1

BeyondTrust would like to thank Andreas Aaris-Larsen of Banshie Cyber Security Services for reporting this vulnerability to us through our secure channel.
