
Critical Zero-Days in Atera’s Windows Installers Expose Users to Privilege Escalation Attacks
Zero-day vulnerabilities in the Windows Installers for Atera’s remote monitoring and management software could act as a springboard for launching privilege escalation attacks.
The flaws, discovered by Mandiant on February 28, 2023, have been assigned the identifiers CVE-2023-26077 and CVE-2023-26078, with the issues fixed in versions 1.8.3.7 and 1.8.4.9, released by Atera on April 17, 2023, and June 26, 2023, respectively.
“The ability to initiate operations from an NT AUTHORITY\SYSTEM context can present a potential security risk if not managed properly,” security researcher Andrew Oliveau said. “For example, misconfigured Custom Actions running as NT AUTHORITY\SYSTEM could be exploited by an attacker to execute a local privilege escalation attack.”
Successful exploitation of such weaknesses can pave the way for arbitrary code execution with higher privileges.
Both flaws reside in the repair functionality of the MSI installer, potentially creating a scenario where operations are triggered from the NT AUTHORITY\SYSTEM context even when the repair is started by a standard user.
According to the Google-owned threat intelligence firm, Atera Agent is vulnerable to a local privilege escalation attack that can be exploited through DLL hijacking (CVE-2023-26077), which can then be abused to obtain a Command Prompt as the NT AUTHORITY\SYSTEM user.

CVE-2023-26078, on the other hand, deals with “execution of a system command that triggers the Windows Console Host (conhost.exe) as a child process”, thereby opening a “command window, which, if executed with elevated privileges, can be exploited by an attacker to perform local privilege escalation attacks.”
“Misconfigured Custom Actions can be trivial to identify and exploit, posing a significant security risk to organizations,” Oliveau said. “It is very important for software developers to thoroughly review their Custom Actions to prevent attackers from hijacking NT AUTHORITY\SYSTEM operations triggered by MSI fixes.”
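As an illustration of the Custom Action review described above, the following added example (not code from Mandiant, Atera or the original article) decodes the Type column of an MSI CustomAction table and lists the actions that run without impersonating the user. The rows and action names are constructed for the example; the bit values are the documented msidbCustomActionType constants from the Windows SDK.

```python
# Added example: triage rows exported from an MSI CustomAction table.
# Bit values are the msidbCustomActionType* constants from the Windows SDK (msidefs.h).
BASE_TYPES = {0x1: "DLL", 0x2: "EXE", 0x3: "text/error", 0x5: "JScript", 0x6: "VBScript", 0x7: "nested install"}
SOURCES = {0x00: "Binary table", 0x10: "installed file", 0x20: "directory", 0x30: "property"}
IN_SCRIPT = 0x400        # deferred: runs from the installation script
NO_IMPERSONATE = 0x800   # deferred action does not impersonate the invoking user

def decode(type_value):
    """Split a CustomAction.Type integer into its meaningful parts."""
    return {
        "kind": BASE_TYPES.get(type_value & 0x7, "unknown"),
        "source": SOURCES[type_value & 0x30],
        "deferred": bool(type_value & IN_SCRIPT),
        "no_impersonate": bool(type_value & NO_IMPERSONATE),
    }

def runs_as_system(info):
    # The no-impersonate bit only takes effect on deferred actions; in a
    # per-machine install or repair they then execute as NT AUTHORITY\SYSTEM.
    return info["deferred"] and info["no_impersonate"]

def review(rows):
    """Return (action, reason) for every action that deserves a manual look."""
    findings = []
    for action, type_value, target in rows:
        info = decode(type_value)
        if not runs_as_system(info):
            continue
        if info["kind"] == "EXE":
            reason = "spawns a process as SYSTEM; check for visible console windows and the command line: " + target
        elif info["kind"] == "DLL":
            reason = "DLL entry point runs as SYSTEM; check load paths and any user-writable directories it touches"
        elif info["kind"] in ("JScript", "VBScript"):
            reason = "script runs as SYSTEM; check any child processes it starts"
        else:
            continue
        findings.append((action, reason))
    return findings

# Constructed sample rows (Action, Type, Target); all names are hypothetical.
SAMPLE_ROWS = [
    ("SetInstallDir", 51, "[ProgramFilesFolder]Example"),              # set property, immediate
    ("StopService", 3106, '"[SystemFolder]net.exe" stop ExampleSvc'),  # 0x800|0x400|0x20|0x2
    ("RegisterAgent", 3073, "RegisterAgentEntry"),                     # 0x800|0x400|0x1
    ("ShowReadme", 226, '"notepad.exe" readme.txt'),                   # immediate, impersonated
]

if __name__ == "__main__":
    for action, reason in review(SAMPLE_ROWS):
        print(f"{action}: {reason}")
```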
The disclosure comes as Kaspersky shared more details about a now-fixed severe privilege escalation flaw in Windows (CVE-2023-23397, CVSS score: 9.8) that threat actors have actively exploited using specially crafted Outlook tasks, messages, or calendar events.
While Microsoft revealed earlier that a Russian nation-state group had been weaponizing the bug since April 2022, evidence gathered by antivirus vendors has revealed that real-world exploitation attempts were carried out by unknown attackers targeting government and critical infrastructure entities in Jordan, Poland, Romania, Turkey, and Ukraine a month before the public disclosure.