Privilege Escalation Vulnerabilities in Atera Software’s Windows Installers

Privilege escalation attacks are a severe concern to organizations, as they can lead to unauthorized access and control over sensitive systems. Mandiant’s red team recently discovered zero-day vulnerabilities in the Windows Installers of Atera remote monitoring and management software. These flaws, designated as CVE-2023-26077 and CVE-2023-26078, could potentially allow attackers to execute arbitrary code with elevated privileges, putting organizations at significant risk.

Understanding the Vulnerabilities:

CVE-2023-26077: DLL Hijacking

One of the identified vulnerabilities in Atera Agent’s Windows Installer is a local privilege escalation known as DLL hijacking. The flaw lets an attacker abuse misconfigured Custom Actions running as NT AUTHORITY\SYSTEM to execute arbitrary code from a standard user context. By dropping a malicious payload in place of one of the missing DLLs, an attacker can gain unauthorized access and eventually obtain a Command Prompt with elevated privileges, posing a significant threat to the affected systems.

CVE-2023-26078: Conhost.exe Exploitation

The second vulnerability, CVE-2023-26078, involves the execution of system commands that spawn the Windows Console Host (conhost.exe) as a child process. This briefly opens a command window which, when the command runs with elevated privileges, can be abused for local privilege escalation. The flaw allows an attacker to reach a web browser as NT AUTHORITY\SYSTEM by freezing the command window and then opening hyperlinks from it. From that browser, the attacker can escalate privileges and gain unauthorized access to critical resources.

Impact and Remediation:

Successful exploitation of these vulnerabilities could lead to severe consequences, such as unauthorized access to sensitive data, system manipulation, and potential sabotage of critical infrastructure. To address these security risks, Atera promptly released fixed versions of its software (1.8.3.7 and 1.8.4.9) to mitigate the impact of the vulnerabilities.

Atera’s Remediation Measures:

For CVE-2023-26077, Atera hardened the permissions of the vulnerable folder (C:\Windows\Temp\AteraUpgradeAgent) to prevent standard users from writing files to it. This measure blocks attackers from exploiting the DLL hijacking vulnerability and reinforces the security of the affected systems.
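The folder hardening described above, and the first defensive measure below, both come down to one question: can a standard user create or replace files in a folder that a privileged installer action reads from? The following PowerShell is an added example, not code from Mandiant or Atera; the function name Test-WeakFolderAcl and the list of low-privilege identities are this example's own choices. It reads a folder's DACL with Get-Acl and reports any Allow entry that grants file-creation, deletion or permission-change rights to Everyone, Users, Authenticated Users or INTERACTIVE.

```powershell
# Added example (not code from Mandiant or Atera): audit a folder that a privileged
# installer action loads or writes files in, and report any ACE that lets a
# standard user plant or replace files there. Deny ACEs are not evaluated, so a
# folder that relies on an explicit Deny entry may still be reported.
function Test-WeakFolderAcl {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [string]$Path
    )

    # Identities that any interactive, non-administrative user holds on a default install.
    $lowPrivIdentities = @(
        'Everyone',
        'BUILTIN\Users',
        'NT AUTHORITY\Authenticated Users',
        'NT AUTHORITY\INTERACTIVE'
    )

    # Rights that allow creating, replacing or removing files, or rewriting the ACL itself.
    # CreateFiles is the same bit as WriteData; CreateDirectories is the same bit as AppendData.
    $writeMask = [System.Security.AccessControl.FileSystemRights]'CreateFiles, CreateDirectories, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'

    $acl = Get-Acl -LiteralPath $Path
    foreach ($rule in $acl.Access) {
        if ($rule.AccessControlType -ne [System.Security.AccessControl.AccessControlType]::Allow) { continue }
        if ($lowPrivIdentities -notcontains $rule.IdentityReference.Value) { continue }
        # Bitwise test so that Modify and FullControl, which include these bits, are caught too.
        if (([int]$rule.FileSystemRights -band [int]$writeMask) -eq 0) { continue }

        [pscustomobject]@{
            Path      = $Path
            Identity  = $rule.IdentityReference.Value
            Rights    = $rule.FileSystemRights
            Inherited = $rule.IsInherited
            AppliesTo = $rule.InheritanceFlags
        }
    }
}

# The folders the article names as weak and as safe defaults; extend the list with
# every folder your own Custom Actions reference.
'C:\Windows\Temp', 'C:\ProgramData', 'C:\Program Files' | ForEach-Object {
    if (Test-Path -LiteralPath $_) { Test-WeakFolderAcl -Path $_ }
} | Format-Table -AutoSize
```

On a default Windows installation C:\Windows\Temp grants BUILTIN\Users the right to create files and subfolders (inherited by subfolders such as the one Atera used), which is exactly what this check surfaces, while C:\Program Files grants standard users read and execute only. Run it against the folders in your own installer before shipping, and again after a patch that claims to have tightened permissions.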

In the case of CVE-2023-26078, Atera modified its Custom Actions to run system commands silently in the background via WixQuietExec. This change eliminates the temporary command window, removing the opportunity for privilege escalation through it. The latest version of Atera Agent (1.8.4.9) implements these improvements.

Defensive Considerations for Software Developers:

These privilege escalation vulnerabilities underscore the importance of secure coding practices for software developers. To prevent similar attacks in their own applications, developers should review their Custom Actions thoroughly and consider the following defensive measures:

  1. Avoid using folders with weak permissions for privileged operations, such as C:\Windows\Temp and C:\ProgramData. Instead, use C:\Program Files or C:\Program Files (x86), which by default can only be written to by administrators.
  2. Use WixQuietExec for running system commands, so that no temporary command window is opened that could be exploited.
  3. Regularly monitor the Windows Application event log for event ID 11728 to detect MSI repair privilege escalation attacks. This event records the affected product, the user who triggered the repair, and the date and time.
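The third measure is only useful if the events are actually collected and triaged, because event ID 11728 is also logged for every legitimate repair. The PowerShell below is an added example, not code from Mandiant or Atera; the function name Get-MsiRepairEvent is this example's own, and it assumes the standard 11728 message text ("Product: <name> -- Configuration completed successfully.") written by the MsiInstaller source, falling back to the raw message if that pattern does not match. It pulls the events, resolves the triggering account, and groups repairs by account and product so that repeated repairs of a product started by non-administrative accounts stand out.

```powershell
# Added example (not code from Mandiant or Atera): collect MSI "configuration completed"
# events (ID 11728, source MsiInstaller) from the Application log and summarise who
# triggered repairs of which product.
function Get-MsiRepairEvent {
    [CmdletBinding()]
    param(
        [int]$Days = 7,
        # Optional case-insensitive substring match on the product name, e.g. 'Atera'.
        [string]$Product
    )

    $filter = @{
        LogName      = 'Application'
        ProviderName = 'MsiInstaller'
        Id           = 11728
        StartTime    = (Get-Date).AddDays(-$Days)
    }
    # SilentlyContinue turns "No events were found" into an empty result instead of an error.
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

    foreach ($e in $events) {
        # Assumed standard 11728 text: "Product: <name> -- Configuration completed successfully."
        $name = if ($e.Message -match 'Product:\s*(.+?)\s*--') { $Matches[1] } else { $e.Message }
        if ($Product -and $name -notlike "*$Product*") { continue }

        # The record's user field carries the SID of the account that triggered the repair;
        # translate it to a name where possible and keep the SID if translation fails
        # (deleted account, unreachable domain).
        $account = if ($null -eq $e.UserId) { '<none>' } else {
            try   { $e.UserId.Translate([System.Security.Principal.NTAccount]).Value }
            catch { $e.UserId.Value }
        }

        [pscustomobject]@{
            Time    = $e.TimeCreated
            Product = $name
            Account = $account
            Host    = $e.MachineName
        }
    }
}

# Usage: repairs of any Atera product in the last 30 days, counted per account and product.
Get-MsiRepairEvent -Days 30 -Product 'Atera' |
    Group-Object Account, Product |
    Select-Object @{ n = 'Account, Product'; e = { $_.Name } }, Count |
    Sort-Object Count -Descending |
    Format-Table -AutoSize
```

Feed the same records into your SIEM rather than running this ad hoc: a repair of a product whose installer contains privileged Custom Actions, started by an account that is not an administrator and not one of the service accounts that normally perform maintenance, is the pattern worth alerting on, and a burst of such repairs from one account within a short window is the pattern that accompanies an attempt to exploit a flaw of this kind.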

Conclusion:

Privilege escalation vulnerabilities in software installers can have severe consequences for organizations. The recent discoveries in Atera Agent’s Windows Installer serve as a reminder of the importance of secure coding practices and prompt patching. Software developers must be vigilant in reviewing their Custom Actions to prevent potential exploits. Likewise, organizations should prioritize timely updates to protect their systems from known vulnerabilities and ensure a robust security posture.
