Zero-day vulnerabilities in Windows Installers for the Atera remote monitoring and management software could act as a springboard to launch privilege escalation attacks.
The flaws, discovered by Mandiant on February 28, 2023, have been assigned the identifiers CVE-2023-26077 and CVE-2023-26078, with the issues remediated in versions 1.8.3.7 and 1.8.4.9 released by Atera on April 17, 2023, and June 26, 2023, respectively.
“The ability to initiate an operation from a NT AUTHORITYSYSTEM context can present potential security risks if not properly managed,” security researcher Andrew Oliveau said. “For instance, misconfigured Custom Actions running as NT AUTHORITYSYSTEM can be exploited by attackers to execute local privilege escalation attacks.”
Successful exploitation of such weaknesses could pave the way for the execution of arbitrary code with elevated privileges.
Both the flaws reside in the MSI installer’s repair functionality, potentially creating a scenario where operations are triggered from an NT AUTHORITYSYSTEM context even if they are initiated by a standard user.
According to the Google-owned threat intelligence firm, Atera Agent is susceptible to a local privilege escalation attack that can be exploited through DLL hijacking (CVE-2023-26077), which could then be abused to obtain a Command Prompt as the NT AUTHORITYSYSTEM user.
CVE-2023-26078, on the other hand, concerns the “execution of system commands that trigger the Windows Console Host (conhost.exe) as a child process,” as a result opening up a “command window, which, if executed with elevated privileges, can be exploited by an attacker to perform a local privilege escalation attack.”
“Misconfigured Custom Actions can be trivial to identify and exploit, thereby posing significant security risks for organizations,” Oliveau said. “It is essential for software developers to thoroughly review their Custom Actions to prevent attackers from hijacking NT AUTHORITYSYSTEM operations triggered by MSI repairs.”
Worried about insider threats? We’ve got you covered! Join this webinar to explore practical strategies and the secrets of proactive security with SaaS Security Posture Management.
The disclosure comes as Kaspersky shed more light on a now-fixed, severe privilege escalation flaw in Windows (CVE-2023-23397, CVSS score: 9.8) that has come under active exploitation in the wild by threat actors using a specially crafted Outlook task, message or calendar event.
While Microsoft disclosed previously that Russian nation-state groups weaponized the bug since April 2022, evidence gathered by the antivirus vendor has revealed that real-world exploit attempts were carried out by an unknown attacker targeting government and critical infrastructure entities in Jordan, Poland, Romania, Turkey, and Ukraine a month prior to the public disclosure.
