Security researchers at Mandiant have disclosed two vulnerabilities in the Windows Installer (MSI) package used by Atera’s remote monitoring and management agent. Both can be exploited by a local attacker to escalate privileges on an affected system.

Reported to Atera on February 28, 2023, the flaws are tracked as CVE-2023-26077 and CVE-2023-26078. Atera fixed them in Agent versions 1.8.3.7 and 1.8.4.9, released on April 17 and June 26, 2023, respectively.

Andrew Oliveau, a security researcher at Mandiant, pointed to the risk inherent in installer operations that run in the NT AUTHORITY\SYSTEM context. He noted that misconfigured Custom Actions executed with those permissions are a ready attack vector: if exploited, they let a local attacker escalate privileges on the system.

Successful exploitation yields arbitrary code execution with elevated privileges. Both flaws hinge on the Windows Installer’s repair function: a repair re-runs the package’s Custom Actions, and those that are deferred and configured not to impersonate the user execute in the NT AUTHORITY\SYSTEM context of the installer service, even when a standard user initiated the repair.

The first flaw, CVE-2023-26077, is a DLL hijacking issue in the Atera Agent installer: a Custom Action executed during repair loads a DLL from a location that a standard user can write to, so a planted DLL runs as SYSTEM and can hand the attacker a Command Prompt with NT AUTHORITY\SYSTEM privileges, fully compromising the host.

The second, CVE-2023-26078, stems from a Custom Action that runs a system command and thereby spawns the Windows Console Host (conhost.exe) as a child process. When that command runs with elevated privileges, the console window it opens is a SYSTEM-context window that the logged-on user can interact with, which is the local privilege escalation vector.

According to Oliveau, Custom Action misconfigurations are often easy to identify and exploit, which makes them a serious concern for organizations. He urged software developers to review their Custom Actions rigorously so that attackers cannot hijack the NT AUTHORITY\SYSTEM operations triggered during an MSI repair.
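The review Oliveau recommends starts with a simple question: which Custom Actions in a package will the installer service run as SYSTEM when a repair re-executes them? The script below is an added example (it is not Mandiant’s or Atera’s code) that answers it statically by reading the CustomAction table of an MSI through the WindowsInstaller.Installer COM object, which is present on every supported Windows version. It decodes the Type column’s documented bit flags: an action is deferred when bit 0x400 is set and runs without impersonation when bit 0x800 is set, and only actions with both bits run as LocalSystem. It also notes whether the action’s EXE or DLL is located via a Directory or Property, the case where a user-writable path turns into the DLL hijacking pattern described above. The function and field names are ours; the bit values come from the Windows Installer CustomAction table documentation.

```powershell
# Added example, not code from Mandiant or Atera: static triage of an MSI package's
# CustomAction table for actions the Windows Installer service would execute as
# NT AUTHORITY\SYSTEM. A repair (msiexec /f) re-runs these even when a standard user
# starts it, so they are the ones to review for DLL search paths and child processes.
# Assumes Windows with the WindowsInstaller.Installer COM object (any supported version).

# Type-column bit layout, from the Windows Installer CustomAction table documentation.
$CA_BASE_MASK      = 0x07   # 1 DLL, 2 EXE, 3 text/property, 5 JScript, 6 VBScript, 7 nested install
$CA_SOURCE_MASK    = 0x30   # 0 Binary table, 16 installed file, 32 directory, 48 property
$CA_IN_SCRIPT      = 0x400  # deferred: run by the installer service from the install script
$CA_NO_IMPERSONATE = 0x800  # do not impersonate the user: a deferred action then runs as LocalSystem

$CA_BASE_NAMES   = @{ 1 = 'DLL'; 2 = 'EXE'; 3 = 'TextData'; 5 = 'JScript'; 6 = 'VBScript'; 7 = 'NestedInstall' }
$CA_SOURCE_NAMES = @{ 0 = 'BinaryTable'; 16 = 'InstalledFile'; 32 = 'Directory'; 48 = 'Property' }

# Thin wrappers around late-bound COM calls; the Installer object is only reachable
# from PowerShell through reflection.
function Invoke-ComMethod {
    param($Object, [string]$Name, [object[]]$Arguments)
    $Object.GetType().InvokeMember($Name, 'InvokeMethod', $null, $Object, $Arguments)
}
function Get-ComProperty {
    param($Object, [string]$Name, [object[]]$Arguments)
    $Object.GetType().InvokeMember($Name, 'GetProperty', $null, $Object, $Arguments)
}

function Get-MsiCustomActionRisk {
    [CmdletBinding()]
    param([Parameter(Mandatory, ValueFromPipeline)][string]$Path)
    process {
        $fullPath  = (Resolve-Path -LiteralPath $Path).ProviderPath
        $installer = New-Object -ComObject WindowsInstaller.Installer
        $db = Invoke-ComMethod $installer 'OpenDatabase' @($fullPath, 0)   # 0 = msiOpenDatabaseModeReadOnly
        try {
            $view = Invoke-ComMethod $db 'OpenView' @('SELECT `Action`, `Type`, `Source`, `Target` FROM `CustomAction`')
        } catch {
            Write-Warning "$fullPath has no CustomAction table (nothing to review)"
            return
        }
        Invoke-ComMethod $view 'Execute' $null | Out-Null
        while ($null -ne ($rec = Invoke-ComMethod $view 'Fetch' $null)) {
            # Record fields are 1-based; StringData returns the Type integer as text.
            $action = Get-ComProperty $rec 'StringData' @(1)
            $type   = [int](Get-ComProperty $rec 'StringData' @(2))
            $source = Get-ComProperty $rec 'StringData' @(3)
            $target = Get-ComProperty $rec 'StringData' @(4)
            $deferred      = ($type -band $CA_IN_SCRIPT) -ne 0
            $noImpersonate = ($type -band $CA_NO_IMPERSONATE) -ne 0
            $sourceKind    = $CA_SOURCE_NAMES[[int]($type -band $CA_SOURCE_MASK)]
            [pscustomobject]@{
                Package        = Split-Path $fullPath -Leaf
                Action         = $action
                Type           = $type
                Kind           = $CA_BASE_NAMES[[int]($type -band $CA_BASE_MASK)]
                SourceKind     = $sourceKind
                Deferred       = $deferred
                NoImpersonate  = $noImpersonate
                # LocalSystem context only when both bits are set: this is the population
                # a repair re-executes with SYSTEM privileges.
                RunsAsSystem   = $deferred -and $noImpersonate
                # An EXE or DLL resolved through a Directory or Property is the case to check
                # for user-writable locations (the DLL-hijacking pattern of CVE-2023-26077).
                PathControlled = $sourceKind -in @('Directory', 'Property')
                Source         = $source
                Target         = $target
            }
        }
        Invoke-ComMethod $view 'Close' $null | Out-Null
    }
}

# Usage: review every package Windows has cached, keeping only SYSTEM-context actions.
# Get-ChildItem C:\Windows\Installer -Filter *.msi |
#     ForEach-Object { Get-MsiCustomActionRisk $_.FullName } |
#     Where-Object RunsAsSystem |
#     Format-Table Package, Action, Kind, SourceKind, PathControlled, Target -AutoSize
```

Running it over the cached packages in C:\Windows\Installer gives the inventory a defender needs: every deferred, non-impersonated EXE or DLL action whose path comes from a Directory or Property resolving under a user-writable location, or whose Target launches a console program, is a candidate for exactly the two failure modes described above and should be tested with a repair started from an unprivileged account. Developers can run the same check against their own build output before shipping.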

The disclosure coincides with Kaspersky’s analysis of another critical privilege escalation flaw, CVE-2023-23397 in Microsoft Outlook for Windows (CVSS score 9.8), which Microsoft patched in March 2023. The bug has been exploited in the wild: a specially crafted task or calendar item delivered by email causes Outlook to leak the victim’s NTLM credentials to an attacker-controlled server with no user interaction, and it has been used against organizations in a range of sectors.

Evidence indicates that attackers, including nation-state actors, have used the bug against government and critical infrastructure entities in Jordan, Poland, Romania, Turkey, and Ukraine, a reminder that known, already-patched vulnerabilities remain a favored entry point for sophisticated intrusions.
