Critical Zero-Day Vulnerabilities in Atera Windows Installers Expose Users to Privilege Escalation Attacks

July 24, 2023

Two critical zero-day vulnerabilities were found in Windows Installers for Atera's remote monitoring and management software, posing a risk for privilege escalation attacks. These security flaws were discovered by Mandiant on February 28, 2023, and were assigned the identifiers CVE-2023-26077 and CVE-2023-26078. Atera has since addressed these vulnerabilities in versions and, released on April 17, 2023, and June 26, 2023, respectively.

Security researcher Andrew Oliveau highlighted the potential security risks associated with these vulnerabilities, stating, 'The ability to initiate an operation from a NT AUTHORITYSYSTEM context can present potential security risks if not properly managed.' He further elaborated that misconfigured Custom Actions operating as NT AUTHORITYSYSTEM could be exploited by attackers to execute local privilege escalation attacks. Successful exploitation could potentially allow the execution of arbitrary code with elevated privileges.

Both vulnerabilities were found in the MSI installer's repair functionality, potentially creating a situation where operations are initiated from an NT AUTHORITYSYSTEM context even by a standard user. According to Mandiant, Atera Agent is susceptible to a local privilege escalation attack that can be exploited through DLL hijacking (CVE-2023-26077), which could then be used to gain a Command Prompt as the NT AUTHORITYSYSTEM user.

The second vulnerability, CVE-2023-26078, relates to the execution of system commands that trigger the Windows Console Host (conhost.exe) as a child process. This could open a command window, which, if executed with elevated privileges, can be exploited by an attacker to perform a local privilege escalation attack.

Oliveau warned that 'Misconfigured Custom Actions can be trivial to identify and exploit, thereby posing significant security risks for organizations.' He urged software developers to thoroughly review their Custom Actions to prevent attackers from hijacking NT AUTHORITYSYSTEM operations triggered by MSI repairs.

The disclosure of these vulnerabilities coincides with Kaspersky's revelation of a severe privilege escalation flaw in Windows (CVE-2023-23397, CVSS score: 9.8) that has been actively exploited by threat actors. While Microsoft had previously disclosed that Russian nation-state groups weaponized the bug since April 2022, Kaspersky found evidence that exploit attempts were made by an unknown attacker targeting government and critical infrastructure entities in Jordan, Poland, Romania, Turkey, and Ukraine a month prior to the public disclosure.

Related News

Latest News

Like what you see?

Get a digest of headlines, vulnerabilities, risk context, and more delivered to your inbox.

Subscribe Below

By submitting this form, you’re giving us permission to email you. You may unsubscribe at any time.

Accelerate Security Teams

Continuously identify and prioritize the risks that are most critical in your environment, and validate that your remediation efforts are reducing risk. An always-on single source-of-truth of your assets, services, and vulnerabilities.