Summary:
Atera Windows installers have been found to contain critical zero-day vulnerabilities that expose users to privilege escalation attacks. These vulnerabilities, identified as CVE-2023-26077 and CVE-2023-26078, were discovered by researchers and raise significant concerns because of their potential impact on users of the Atera remote monitoring and management software. Privilege escalation attacks are a type of security exploit that allows attackers to gain higher privileges within a system, potentially leading to complete control over the targeted system. In the case of the Atera installers, both vulnerabilities are related to the Microsoft Software Installer (MSI) repair functionality: a repair runs in the high-privileged system context (NT AUTHORITY\SYSTEM) even when a standard user initiates it, so flaws in that code path can be exploited from an unprivileged session. This presents a serious security risk that needs immediate attention.
CVE-2023-26077 focuses on the Atera Agent and exposes it to a privilege escalation attack through DLL hijacking. DLL hijacking is a technique that takes advantage of how some Windows applications search and load DLL files. An attacker can replace a legitimate DLL with a malicious one, allowing them to execute arbitrary code with elevated privileges. The flaw in Atera's repair functionality makes it susceptible to this attack. When the software attempts to load a DLL from a folder with write permissions for standard users, an attacker can replace it with a malicious version. If successfully exploited, this vulnerability can provide the attacker with a Command Prompt as the high-privileged system user, NT AUTHORITY\SYSTEM.
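The precondition the advisory describes for CVE-2023-26077 is a DLL loaded by the SYSTEM-level repair from a directory that standard users can write to. The following PowerShell function, an added example that is not part of the advisory or of Atera's own tooling, reports the ACL entries on a directory that grant broad user groups the right to create or replace files there. The path in the usage line is a placeholder; the advisory does not name the affected folder.

```powershell
# Added example (not from the advisory or from Atera): list ACL entries that let
# standard users drop or replace files in a directory a privileged process loads DLLs from.
function Get-StandardUserWriteAccess {
    param([Parameter(Mandatory)][string]$Path)

    # Identities that, on a typical workstation, stand for "any standard user".
    $broadIdentities = @(
        'BUILTIN\Users',
        'Everyone',
        'NT AUTHORITY\Authenticated Users',
        'NT AUTHORITY\INTERACTIVE'
    )

    # Rights that allow creating, appending to, or overwriting files in the directory.
    $writeRights = [System.Security.AccessControl.FileSystemRights]::CreateFiles -bor
                   [System.Security.AccessControl.FileSystemRights]::AppendData -bor
                   [System.Security.AccessControl.FileSystemRights]::Write -bor
                   [System.Security.AccessControl.FileSystemRights]::Modify -bor
                   [System.Security.AccessControl.FileSystemRights]::FullControl

    $acl = Get-Acl -LiteralPath $Path
    foreach ($rule in $acl.Access) {
        if ($rule.AccessControlType -ne 'Allow') { continue }
        if ($broadIdentities -notcontains $rule.IdentityReference.Value) { continue }
        if (($rule.FileSystemRights -band $writeRights) -eq 0) { continue }

        [pscustomobject]@{
            Path      = $Path
            Identity  = $rule.IdentityReference.Value
            Rights    = $rule.FileSystemRights
            Inherited = $rule.IsInherited
        }
    }
}

# Usage: point it at the directory the agent loads its DLLs from (placeholder path).
Get-StandardUserWriteAccess -Path 'C:\Path\To\Agent\Folder'
```

Any row returned is a candidate for hijacking, because a standard user could place a DLL there before the repair runs. Note that several default locations under C:\ProgramData grant BUILTIN\Users "create files" rights out of the box, so an empty result depends on the agent's directory being placed under a properly restricted path, not on Windows defaults alone. Until the vendor fix is installed, removing the broad write grant (for example with icacls) closes the precondition, but vendor installers may reset ACLs on update, so re-run the check afterwards.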
CVE-2023-26078 concerns system commands run by the repair functionality that spawn the Windows Console Host (conhost.exe) as a child process. Because the repair runs with elevated privileges, this opens a command window in the SYSTEM context that a local attacker can hijack. By quickly interacting with the window, an attacker could freeze it and gain access to hyperlinks, which can be used to open a web browser as NT AUTHORITY\SYSTEM.
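The process tree the advisory describes for CVE-2023-26078 is conhost.exe created as SYSTEM beneath msiexec.exe while a repair runs. The following PowerShell, an added example rather than anything from the advisory or from Atera, flags that shape in Windows Security event 4688 (process creation) records. It assumes process-creation auditing is enabled, that the parent process name is present in the event (the field at index 13 on current Windows versions), and it runs over constructed sample records so it can be read offline.

```powershell
# Added example (not from the advisory): flag conhost.exe started as SYSTEM (S-1-5-18)
# with msiexec.exe as its parent, the process tree an MSI repair produces during this issue.
function Find-PrivilegedConhost {
    param([Parameter(Mandatory)][object[]]$Events)
    foreach ($e in $Events) {
        if ($e.NewProcessName -notlike '*\conhost.exe') { continue }
        if ($e.ParentProcessName -notlike '*\msiexec.exe') { continue }
        if ($e.SubjectUserSid -ne 'S-1-5-18') { continue }
        [pscustomobject]@{
            TimeCreated       = $e.TimeCreated
            NewProcessName    = $e.NewProcessName
            ParentProcessName = $e.ParentProcessName
            CommandLine       = $e.CommandLine
        }
    }
}

# Map a live 4688 record to the fields above (assumed standard 4688 property order:
# 0 = SubjectUserSid, 5 = NewProcessName, 8 = CommandLine, 13 = ParentProcessName).
function ConvertFrom-ProcessCreationEvent {
    param([Parameter(Mandatory)][System.Diagnostics.Eventing.Reader.EventRecord]$Record)
    $p = $Record.Properties
    [pscustomobject]@{
        TimeCreated       = $Record.TimeCreated
        SubjectUserSid    = $p[0].Value.Value   # SecurityIdentifier -> SID string
        NewProcessName    = $p[5].Value
        CommandLine       = $p[8].Value
        ParentProcessName = $p[13].Value
    }
}

# Constructed sample records (not real telemetry): one matching tree, one benign user shell.
$sample = @(
    [pscustomobject]@{
        TimeCreated       = [datetime]'2023-07-24T10:01:02'
        SubjectUserSid    = 'S-1-5-18'
        NewProcessName    = 'C:\Windows\System32\conhost.exe'
        ParentProcessName = 'C:\Windows\System32\msiexec.exe'
        CommandLine       = '\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1'
    },
    [pscustomobject]@{
        TimeCreated       = [datetime]'2023-07-24T10:01:05'
        SubjectUserSid    = 'S-1-5-21-1000-2000-3000-1001'
        NewProcessName    = 'C:\Windows\System32\conhost.exe'
        ParentProcessName = 'C:\Windows\System32\cmd.exe'
        CommandLine       = '\??\C:\Windows\system32\conhost.exe 0x4'
    }
)
Find-PrivilegedConhost -Events $sample   # returns only the first record

# Against the live log (requires process-creation auditing with command line logging):
# Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688 } |
#     ForEach-Object { ConvertFrom-ProcessCreationEvent $_ } |
#     Find-PrivilegedConhost
```

Treat a hit as a triage signal rather than proof of exploitation: an ordinary repair whose custom actions run console commands produces the same tree. What distinguishes abuse is a repair started from an interactive standard-user session followed by unexpected SYSTEM-level child processes (a browser, for instance) under that conhost.exe, so correlate the hit with the surrounding process events before acting on it.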
These vulnerabilities are highly concerning as they expose Atera users to significant security risks. Privilege escalation attacks can lead to unauthorized access to critical system resources and sensitive data, allowing attackers to wreak havoc on affected systems. Atera users are strongly advised to apply security patches and updates promptly to address these vulnerabilities.
Recommendations:
References:
The following reports contain further technical details:
https://thehackernews.com/2023/07/critical-zero-days-in-atera-windows.html