Critical Zero-Day Vulnerabilities in Atera Windows Installers Expose Users to Privilege Escalation Attacks
July 24, 2023
Two critical zero-day vulnerabilities were found in Windows Installers for Atera's remote monitoring and management software, posing a risk for privilege escalation attacks. These security flaws were discovered by Mandiant on February 28, 2023, and were assigned the identifiers CVE-2023-26077 and CVE-2023-26078. Atera has since addressed these vulnerabilities in versions 1.8.3.7 and 1.8.4.9, released on April 17, 2023, and June 26, 2023, respectively.
Security researcher Andrew Oliveau highlighted the potential security risks associated with these vulnerabilities, stating, 'The ability to initiate an operation from a NT AUTHORITY\SYSTEM context can present potential security risks if not properly managed.' He further elaborated that misconfigured Custom Actions operating as NT AUTHORITY\SYSTEM could be exploited by attackers to execute local privilege escalation attacks. Successful exploitation could potentially allow the execution of arbitrary code with elevated privileges.
Both vulnerabilities were found in the MSI installer's repair functionality, potentially creating a situation where operations are initiated from an NT AUTHORITY\SYSTEM context even by a standard user. According to Mandiant, Atera Agent is susceptible to a local privilege escalation attack that can be exploited through DLL hijacking (CVE-2023-26077), which could then be used to gain a Command Prompt as the NT AUTHORITY\SYSTEM user.
The second vulnerability, CVE-2023-26078, relates to the execution of system commands that trigger the Windows Console Host (conhost.exe) as a child process. This could open a command window, which, if executed with elevated privileges, can be exploited by an attacker to perform a local privilege escalation attack.
Oliveau warned that 'Misconfigured Custom Actions can be trivial to identify and exploit, thereby posing significant security risks for organizations.' He urged software developers to thoroughly review their Custom Actions to prevent attackers from hijacking NT AUTHORITY\SYSTEM operations triggered by MSI repairs.
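One way a developer could carry out the Custom Action review described above, as an added example that is not code from Atera or Mandiant: it decodes the Type bitfield of an MSI CustomAction table and lists the actions that run deferred without impersonation, which is the combination that executes as NT AUTHORITY\SYSTEM. It assumes the table was exported to tab-separated IDT text with three header lines; the action names, sample rows, and the console-hint list are constructed for illustration.

```python
# Added example: audit an exported MSI CustomAction table for SYSTEM-context actions.
# Flag values are the msidbCustomActionType* constants from the Windows Installer SDK.
TYPE_MASK = 0x07         # base type: 1=DLL, 2=EXE, 5=JScript, 6=VBScript
IN_SCRIPT = 0x400        # msidbCustomActionTypeInScript (deferred execution)
NO_IMPERSONATE = 0x800   # msidbCustomActionTypeNoImpersonate (do not run as the user)
KINDS = {1: "dll", 2: "exe", 5: "jscript", 6: "vbscript"}
# Assumption: a small, non-exhaustive list of console programs worth a closer look.
CONSOLE_HINTS = ("cmd", "powershell", "net.exe", "taskkill")

def runs_as_system(ca_type):
    """Deferred + no-impersonate actions execute in the installer service's context."""
    both = IN_SCRIPT | NO_IMPERSONATE
    return ca_type & both == both

def audit_custom_actions(idt_text):
    """Return one finding per code-executing custom action that runs as SYSTEM."""
    findings = []
    for line in idt_text.splitlines()[3:]:       # skip the three IDT header lines
        fields = line.split("\t")
        if len(fields) < 4 or not fields[1].lstrip("-").isdigit():
            continue
        action, ca_type, source, target = fields[0], int(fields[1]), fields[2], fields[3]
        kind = KINDS.get(ca_type & TYPE_MASK)    # property/directory setters are skipped
        if kind is None or not runs_as_system(ca_type):
            continue
        findings.append({
            "action": action, "kind": kind, "type": ca_type,
            "source": source, "target": target,
            # An EXE action that starts a console program may show a window to the user.
            "console": kind == "exe" and any(h in target.lower() for h in CONSOLE_HINTS),
        })
    return findings

# Constructed sample rows (hypothetical installer, not taken from any real product).
SAMPLE_IDT = "\n".join([
    "Action\tType\tSource\tTarget",
    "s72\ti2\tS72\tS255",
    "CustomAction\tAction",
    "SetInstallDir\t51\tINSTALLDIR\t[ProgramFilesFolder]Example",
    "StopExampleService\t3106\tSystemFolder\tcmd.exe /c net stop ExampleSvc",
    "RegisterAgent\t3073\tExampleBinary\tRegisterAgent",
    "ShowReadme\t34\tINSTALLDIR\tnotepad.exe readme.txt",
    "QueryState\t1025\tExampleBinary\tQueryState",
])

if __name__ == "__main__":
    for f in audit_custom_actions(SAMPLE_IDT):
        print(f"{f['action']}: {f['kind']} type={f['type']} console={f['console']}")
```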
The disclosure of these vulnerabilities coincides with Kaspersky's revelation of a severe privilege escalation flaw in Windows (CVE-2023-23397, CVSS score: 9.8) that has been actively exploited by threat actors. While Microsoft had previously disclosed that Russian nation-state groups weaponized the bug since April 2022, Kaspersky found evidence that exploit attempts were made by an unknown attacker targeting government and critical infrastructure entities in Jordan, Poland, Romania, Turkey, and Ukraine a month prior to the public disclosure.