Two critical zero-day vulnerabilities were found in Windows Installers for Atera's remote monitoring and management software, posing a risk for privilege escalation attacks. These security flaws were discovered by Mandiant on February 28, 2023, and were assigned the identifiers CVE-2023-26077 and CVE-2023-26078. Atera has since addressed these vulnerabilities in versions 18.104.22.168 and 22.214.171.124, released on April 17, 2023, and June 26, 2023, respectively.
Security researcher Andrew Oliveau highlighted the potential security risks associated with these vulnerabilities, stating, 'The ability to initiate an operation from an NT AUTHORITY\SYSTEM context can present potential security risks if not properly managed.' He further elaborated that misconfigured Custom Actions operating as NT AUTHORITY\SYSTEM could be exploited by attackers to execute local privilege escalation attacks. Successful exploitation could potentially allow the execution of arbitrary code with elevated privileges.
Both vulnerabilities were found in the MSI installer's repair functionality, potentially creating a situation where operations are initiated from an NT AUTHORITY\SYSTEM context even by a standard user. According to Mandiant, Atera Agent is susceptible to a local privilege escalation attack that can be exploited through DLL hijacking (CVE-2023-26077), which could then be used to gain a Command Prompt as the NT AUTHORITY\SYSTEM user.
The second vulnerability, CVE-2023-26078, relates to the execution of system commands that trigger the Windows Console Host (conhost.exe) as a child process. This could open a command window, which, if executed with elevated privileges, can be exploited by an attacker to perform a local privilege escalation attack.
Oliveau warned that 'Misconfigured Custom Actions can be trivial to identify and exploit, thereby posing significant security risks for organizations.' He urged software developers to thoroughly review their Custom Actions to prevent attackers from hijacking NT AUTHORITY\SYSTEM operations triggered by MSI repairs.
The disclosure of these vulnerabilities coincides with Kaspersky's revelation of a severe privilege escalation flaw in Windows (CVE-2023-23397, CVSS score: 9.8) that has been actively exploited by threat actors. While Microsoft had previously disclosed that Russian nation-state groups weaponized the bug since April 2022, Kaspersky found evidence that exploit attempts were made by an unknown attacker targeting government and critical infrastructure entities in Jordan, Poland, Romania, Turkey, and Ukraine a month prior to the public disclosure.