Critical zero-day vulnerabilities in the Windows installers for Atera's remote monitoring and management software expose users to potential privilege escalation attacks.
Security firm Mandiant first discovered these flaws on February 28, 2023, and they have since been assigned the identifiers CVE-2023-26077 and CVE-2023-26078. Atera swiftly responded by releasing remediated versions 184.108.40.206 and 220.127.116.11 on April 17, 2023, and June 26, 2023, respectively.
Security expert Andrew Oliveau warned about the vulnerabilities, explaining that “The ability to initiate an operation from a NT AUTHORITY\SYSTEM context can present potential security risks if not properly managed.” Oliveau went on to add that any misconfigured Custom Actions running as NT AUTHORITY\SYSTEM could be exploited by cybercriminals to conduct local privilege escalation attacks.
If successfully exploited, these flaws could let cybercriminals execute arbitrary code with elevated privileges. Both vulnerabilities exist within the MSI installer's repair functionality, which can trigger operations from an NT AUTHORITY\SYSTEM context even when the repair is initiated by a standard user.
Mandiant, Google's threat intelligence firm, found that Atera Agent is vulnerable to a local privilege escalation attack. The attack works through DLL hijacking (CVE-2023-26077), which can then be abused to obtain a Command Prompt as the NT AUTHORITY\SYSTEM user.
CVE-2023-26078, meanwhile, relates to the execution of system commands that start the Windows Console Host (conhost.exe) as a child process. The result could be a command window that, if launched with elevated privileges, an attacker can exploit to perform a local privilege escalation attack.
Andrew Oliveau underscored the risks posed by these vulnerabilities, stating, “Misconfigured Custom Actions can be trivial to identify and exploit, posing significant security risks for organizations.” He further stressed the need for software developers to meticulously review their Custom Actions to avert potential attacks arising from hijacked NT AUTHORITY\SYSTEM operations triggered by MSI repairs.
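As an added illustration of the Custom Action review described above (not code from Mandiant or Atera), the following Python sketch decodes the `Type` column of an MSI `CustomAction` table and lists the code-executing actions that run deferred without impersonation, which is the combination that executes as NT AUTHORITY\SYSTEM. The sample rows and the helper names `classify` and `audit` are constructed for this example; a flagged row is a candidate for review, not a confirmed vulnerability.

```python
# Added example: flag MSI custom actions that run as NT AUTHORITY\SYSTEM.
# Bit values are from the Windows Installer CustomAction "Type" column.
IN_SCRIPT = 0x400        # msidbCustomActionTypeInScript: deferred execution
NO_IMPERSONATE = 0x800   # msidbCustomActionTypeNoImpersonate: no user impersonation
KIND = {1: "DLL", 2: "EXE", 5: "JScript", 6: "VBScript"}            # Type & 0x07
SOURCE = {0x00: "Binary table", 0x10: "installed file",
          0x20: "directory", 0x30: "property"}                       # Type & 0x30


def classify(action, type_code, source, target):
    """Decode one CustomAction row and decide whether it needs review."""
    kind = KIND.get(type_code & 0x07)
    runs_as_system = bool(type_code & IN_SCRIPT and type_code & NO_IMPERSONATE)
    return {
        "action": action,
        "kind": kind,
        "source": SOURCE[type_code & 0x30],
        "runs_as_system": runs_as_system,
        # Only code-executing actions matter; set-property and error rows do not.
        "review": bool(runs_as_system and kind),
        "target": target,
    }


def audit(rows):
    """Return the rows a developer should review before shipping the package."""
    return [r for r in (classify(*row) for row in rows) if r["review"]]


# Constructed sample rows (Action, Type, Source, Target); not from any real package.
SAMPLE_ROWS = [
    ("SetInstallDir", 51, "INSTALLDIR", "[ProgramFilesFolder]Example"),
    ("CheckLicense", 1, "HelperDll", "CheckLicense"),             # immediate, as user
    ("RegisterAgent", 3073, "HelperDll", "RegisterAgent"),        # deferred DLL, SYSTEM
    ("StopService", 3106, "SystemFolder", "net.exe stop ExampleSvc"),  # deferred EXE, SYSTEM
    ("ShowReadme", 1058, "INSTALLDIR", "notepad.exe readme.txt"),  # deferred, impersonated
]

if __name__ == "__main__":
    for r in audit(SAMPLE_ROWS):
        print(f'{r["action"]}: {r["kind"]} from {r["source"]}, '
              f'runs as SYSTEM -> {r["target"]}')
```

For each flagged action, the review questions that follow from the two CVEs are whether it loads libraries from a location a standard user can write to and whether it opens a visible console window during repair.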
These revelations surface as Kaspersky uncovers more details on a previously resolved, severe privilege escalation flaw in Windows (CVE-2023-23397, CVSS score: 9.8) that has been actively exploited. Evidence obtained by the antivirus vendor suggests that an unidentified attacker had targeted government and critical infrastructure entities in countries including Jordan, Poland, Romania, Turkey, and Ukraine, a month before this vulnerability was publicly disclosed.