Researchers discovered critical zero-day flaws in Atera's Windows installers that could allow attackers to acquire elevated privileges. According to reports, the Atera remote monitoring and management software could serve as an entry point for threat actors to launch attacks.
The vulnerabilities in question are CVE-2023-26077 and CVE-2023-26078, which Atera resolved immediately, in April and June respectively.
Security researchers stated that the ability to have operations run in the NT AUTHORITY\SYSTEM context presents a security risk if it is not managed properly. For example, a misconfigured Custom Action that runs in the NT AUTHORITY\SYSTEM context could be abused by an attacker for local privilege escalation.
A successful exploit of such a flaw could let threat actors execute arbitrary code with elevated privileges. Both vulnerabilities reside in the MSI installer's repair functionality: a repair operation runs in the NT AUTHORITY\SYSTEM context even when it is started by a standard user.
Atera's installer is exposed to multiple exploitation paths, each of which could lead to serious attacks.
The Atera Agent installer attracts attackers seeking local privilege escalation. The weakness could be exploited through DLL hijacking, yielding a Command Prompt that runs in the NT AUTHORITY\SYSTEM context.
CVE-2023-26078, by contrast, involves the execution of system commands that launch the Windows Console Host (conhost.exe) as a child process. This opens a command window running with escalated privileges, which a local attacker could exploit.
Experts explained that misconfigured Custom Actions can be trivial for threat actors to identify and exploit, and so pose a significant security risk to organisations once attackers take advantage of them.
Therefore, software developers should carefully review their Custom Actions to ensure that the NT AUTHORITY\SYSTEM operations triggered by MSI repairs cannot be abused by threat actors.
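One way to carry out that review, as an added example that is not Atera's code or part of the original report: a PowerShell script that reads an installer's CustomAction table through the Windows Installer COM API and flags deferred, non-impersonated actions, the type combination that executes as NT AUTHORITY\SYSTEM during install and repair. `$MsiPath` and the output column names are this example's own assumptions.

```powershell
# Added example: list the custom actions of an MSI you own and flag the ones that
# run as LocalSystem. Requires any Windows host with the Windows Installer service.
param([Parameter(Mandatory)][string]$MsiPath)

# Type bits from the Windows Installer SDK (msidbCustomActionType* constants)
$InScript      = 0x400  # deferred: runs inside the install/repair script
$NoImpersonate = 0x800  # deferred + no impersonation => runs as NT AUTHORITY\SYSTEM

$installer = New-Object -ComObject WindowsInstaller.Installer
# OpenDatabase(path, 0) opens the package read-only (msiOpenDatabaseModeReadOnly)
$db = $installer.GetType().InvokeMember('OpenDatabase', 'InvokeMethod', $null,
        $installer, @($MsiPath, 0))
$view = $db.GetType().InvokeMember('OpenView', 'InvokeMethod', $null, $db,
        @('SELECT `Action`, `Type`, `Source`, `Target` FROM `CustomAction`'))
$view.GetType().InvokeMember('Execute', 'InvokeMethod', $null, $view, $null)

while ($true) {
    # Fetch returns $null once every row of the table has been read
    $rec = $view.GetType().InvokeMember('Fetch', 'InvokeMethod', $null, $view, $null)
    if ($null -eq $rec) { break }
    $name   = $rec.GetType().InvokeMember('StringData',  'GetProperty', $null, $rec, @(1))
    $type   = $rec.GetType().InvokeMember('IntegerData', 'GetProperty', $null, $rec, @(2))
    $source = $rec.GetType().InvokeMember('StringData',  'GetProperty', $null, $rec, @(3))
    $target = $rec.GetType().InvokeMember('StringData',  'GetProperty', $null, $rec, @(4))

    $deferred = ($type -band $InScript) -ne 0
    $system   = $deferred -and (($type -band $NoImpersonate) -ne 0)

    # Actions marked ReviewForSystemContext are the ones to scrutinise: anything they
    # load or launch (a DLL path, an executable, a console) runs with SYSTEM rights.
    [pscustomobject]@{
        Action                 = $name
        Type                   = ('0x{0:X}' -f $type)
        RunsAs                 = if ($system) { 'NT AUTHORITY\SYSTEM' }
                                 elseif ($deferred) { 'invoking user (impersonated)' }
                                 else { 'immediate (UI sequence)' }
        Source                 = $source
        Target                 = $target
        ReviewForSystemContext = $system
    }
}
$view.GetType().InvokeMember('Close', 'InvokeMethod', $null, $view, $null)
```

Pipe the output to `Where-Object ReviewForSystemContext` to see only the SYSTEM-context actions, then confirm that none of them references a location a standard user can write to.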
Experts expect researchers to uncover further details of flaws of this kind, since the underlying misconfiguration is a minor one that is easy to overlook. In the meantime, organisations should watch for related threats, as threat actors are always seeking ways to carry out their attacks.