Zero-day vulnerabilities in Windows Installers for the Atera remote monitoring and management software could act as a springboard to launch privilege escalation attacks.
The flaws, discovered by Mandiant on February 28, 2023, have been assigned the identifiers CVE-2023-26077 and CVE-2023-26078, with the issues remediated in versions 1.8.3.7 and 1.8.4.9 released by Atera on April 17, 2023, and
BVTech San Antonio | Next-Gen Managed IT Services
One Comment
Jordan BVTech
At BVTech LLC, we strive to keep you updated on critical cybersecurity threats. Recently, serious zero-day vulnerabilities were detected in Windows Installers for the Atera remote monitoring and management software. These vulnerabilities potentially expose users to privilege escalation attacks.
Mandiant, a notable cybersecurity company, discovered these flaws (CVE-2023-26077 and CVE-2023-26078) on February 28, 2023. Atera addressed these issues in their versions 1.8.3.7 and 1.8.4.9, released on April 17 and June 26, 2023, respectively.
Andrew Oliveau, a respected security researcher, points out that these vulnerabilities arise from misconfigured Custom Actions that can be manipulated by attackers to execute local privilege escalation attacks when operating from an NT AUTHORITY\SYSTEM context.
Both vulnerabilities are located in the MSI installer’s repair function. The flaws could allow actions to be launched from an NT AUTHORITY\SYSTEM context, even if initiated by a standard user, facilitating the execution of arbitrary code with elevated privileges.
Atera Agent, as per Google’s threat intelligence unit, is susceptible to a local privilege escalation attack, which could be exploited via DLL hijacking (CVE-2023-26077). This flaw could be manipulated to secure a Command Prompt as the NT AUTHORITY\SYSTEM user.
CVE-2023-26078 involves the execution of system commands that initiate the Windows Console Host (conhost.exe) as a child process. If these commands are executed with elevated privileges, attackers could leverage this to perform a local privilege escalation attack.
Oliveau warns of the considerable security risks posed by misconfigured Custom Actions and encourages software developers to review their Custom Actions meticulously.
Meanwhile, Kaspersky has disclosed further details on an actively exploited severe privilege escalation flaw in Windows (CVE-2023-23397). This vulnerability, which was used in targeted attacks on government and critical infrastructure entities, underlines the constant need for vigilance in maintaining robust cybersecurity measures.