Critical Zero-Days in Atera Windows Installers Expose Users to Privilege Escalation Attacks
25.7.23 Vulnerebility The Hacker News
Zero-day vulnerabilities in Windows Installers for the Atera remote monitoring and management software could act as a springboard to launch privilege escalation attacks.
The flaws, discovered by Mandiant on February 28, 2023, have been assigned the identifiers CVE-2023-26077 and CVE-2023-26078, with the issues remediated in versions 1.8.3.7 and 1.8.4.9 released by Atera on April 17, 2023, and June 26, 2023, respectively.
"The ability to initiate an operation from a NT AUTHORITY\SYSTEM context can present potential security risks if not properly managed," security researcher Andrew Oliveau said. "For instance, misconfigured Custom Actions running as NT AUTHORITY\SYSTEM can be exploited by attackers to execute local privilege escalation attacks."
Successful exploitation of such weaknesses could pave the way for the execution of arbitrary code with elevated privileges.
Both the flaws reside in the MSI installer's repair functionality, potentially creating a scenario where operations are triggered from an NT AUTHORITY\SYSTEM context even if they are initiated by a standard user.
According to the Google-owned threat intelligence firm, Atera Agent is susceptible to a local privilege escalation attack that can be exploited through DLL hijacking (CVE-2023-26077), which could then be abused to obtain a Command Prompt as the NT AUTHORITY\SYSTEM user.
CVE-2023-26078, on the other hand, concerns the "execution of system commands that trigger the Windows Console Host (conhost.exe) as a child process," as a result opening up a "command window, which, if executed with elevated privileges, can be exploited by an attacker to perform a local privilege escalation attack."
"Misconfigured Custom Actions can be trivial to identify and exploit, thereby posing significant security risks for organizations," Oliveau said. "It is essential for software developers to thoroughly review their Custom Actions to prevent attackers from hijacking NT AUTHORITY\SYSTEM operations triggered by MSI repairs."
The disclosure comes as Kaspersky shed more light on a now-fixed, severe privilege escalation flaw in Windows (CVE-2023-23397, CVSS score: 9.8) that has come under active exploitation in the wild by threat actors using a specially crafted Outlook task, message or calendar event.
While Microsoft disclosed previously that Russian nation-state groups weaponized the bug since April 2022, evidence gathered by the antivirus vendor has revealed that real-world exploit attempts were carried out by an unknown attacker targeting government and critical infrastructure entities in Jordan, Poland, Romania, Turkey, and Ukraine a month prior to the public disclosure.