Vulnerabilities | By CyberSpecta

Privilege Escalation Vulnerabilities in Atera Software's Windows Installers


Privilege escalation vulnerabilities are a serious concern for organizations because they turn a low-privileged foothold into full control of a host. Mandiant’s red team recently discovered two zero-day vulnerabilities in the Windows Installer (MSI) package of the Atera remote monitoring and management (RMM) agent. The flaws, designated CVE-2023-26077 and CVE-2023-26078, allow a local attacker with an ordinary user account to execute arbitrary code as NT AUTHORITY\SYSTEM, putting organizations that deploy the agent at significant risk.

Understanding the Vulnerabilities:

CVE-2023-26077: DLL Hijacking

The first vulnerability in the Atera Agent Windows Installer is a local privilege escalation through DLL hijacking. The installer defines Custom Actions that run as NT AUTHORITY\SYSTEM, and one of them launches an executable from a folder that standard users can write to. When that executable starts, it searches for DLLs that are not present on the system. A standard user can plant a malicious DLL under one of those missing names and then trigger the Custom Action again (an MSI repair of the product is enough, and a standard user can start one); the SYSTEM process loads the planted DLL, and the attacker ends up with a Command Prompt running with SYSTEM privileges.

CVE-2023-26078: Conhost.exe Exploitation

The second vulnerability, CVE-2023-26078, stems from Custom Actions that run system commands through a console. Each command spawns the Windows Console Host (conhost.exe) as a child process, which briefly opens a command window on the interactive desktop; because the Custom Action runs as NT AUTHORITY\SYSTEM, so does the window. An attacker on that desktop can freeze the window before it closes and open a hyperlink from it, which launches the default web browser as NT AUTHORITY\SYSTEM. A browser running as SYSTEM can open files and launch other programs, so the attacker escalates from a standard user to full control of the host.

Impact and Remediation:

Successful exploitation of either vulnerability gives a local attacker SYSTEM-level control of the endpoint, which can mean access to sensitive data, tampering with the system, and, where the agent runs on operationally important machines, disruption of critical infrastructure. Atera released fixed versions of its agent: 1.8.3.7 addresses CVE-2023-26077 and 1.8.4.9 addresses CVE-2023-26078.

Atera’s Remediation Measures:

For CVE-2023-26077, Atera hardened the permissions on the folder the Custom Action loads its executable from (C:\Windows\Temp\AteraUpgradeAgent) so that standard users can no longer write files into it. With no writable directory on the search path, a user cannot plant the missing DLL, and the hijack is blocked.
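As an added check (not Atera’s or Mandiant’s code), the PowerShell below reports which low-privileged principals hold write-type rights on a set of directories, the precondition that made the DLL hijack possible. The paths and the list of principals are assumptions to adjust for your environment.

```powershell
# Added example: find directories a standard user can write into, which is the
# precondition for CVE-2023-26077. Paths and the principal list are assumptions.
$Paths = @(
    'C:\Windows\Temp\AteraUpgradeAgent',   # folder hardened in Atera Agent 1.8.3.7
    'C:\Windows\Temp',
    'C:\ProgramData'
)

# Principals that every standard user is a member of (or becomes, as file creator).
$LowPrivPrincipals = @(
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE',
    'Everyone',
    'CREATOR OWNER'
)

# Rights that let the holder plant, replace or re-permission files in the directory.
$WriteMask = [System.Security.AccessControl.FileSystemRights](
    'CreateFiles, AppendData, Delete, DeleteSubdirectoriesAndFiles, ' +
    'ChangePermissions, TakeOwnership, Write, Modify, FullControl')

function Test-WeakDirectoryAcl {
    param([Parameter(Mandatory)][string]$Path)

    if (-not (Test-Path -LiteralPath $Path -PathType Container)) {
        return [pscustomobject]@{ Path = $Path; Exists = $false; WritableBy = '' }
    }

    $acl  = Get-Acl -LiteralPath $Path
    $hits = foreach ($ace in $acl.Access) {
        # Only Allow ACEs grant anything; a Deny ACE for these principals reduces access.
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($LowPrivPrincipals -notcontains $ace.IdentityReference.Value) { continue }
        # CREATOR OWNER entries are usually inherit-only: they grant nothing on the
        # folder itself but give full control of any file a user manages to create
        # there, so they are reported alongside the direct write grants.
        if (([int]$ace.FileSystemRights -band [int]$WriteMask) -ne 0) {
            $ace.IdentityReference.Value
        }
    }
    [pscustomobject]@{
        Path       = $Path
        Exists     = $true
        WritableBy = (@($hits | Sort-Object -Unique) -join ', ')
    }
}

$Paths | ForEach-Object { Test-WeakDirectoryAcl -Path $_ } | Format-Table -AutoSize
```

A non-empty WritableBy on a directory from which a SYSTEM process loads code is the condition the 1.8.3.7 fix removed. The script inspects only the directory’s own ACL; it does not tell you which DLL names the privileged executable looks for, so pair it with a process-monitor trace of the Custom Action when you assess a specific installer.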

For CVE-2023-26078, Atera rewrote the affected Custom Actions to use WixQuietExec, the WiX toolset’s quiet-execution custom action, which runs a command line without allocating a console window and sends its output to the installer log instead. Because no conhost.exe window ever appears on the desktop, there is nothing for an attacker to freeze or click. Atera Agent 1.8.4.9 contains this change.

Defensive Considerations for Software Developers:

These privilege escalation vulnerabilities underscore the importance of secure coding practices for software developers. Anyone who ships an MSI package should review every Custom Action that runs as SYSTEM, since each one is code that a standard user can cause to execute, and consider the following defensive measures:

  1. Do not perform privileged operations (executing binaries, loading DLLs, writing configuration) from folders that standard users can write to, such as C:\Windows\Temp and C:\ProgramData. Use C:\Program Files or C:\Program Files (x86) instead, which by default are writable only by administrators and SYSTEM.

  2. Run system commands through WixQuietExec (or an equivalent that allocates no console) so that no command window ever appears while a Custom Action runs as SYSTEM.

  3. Monitor Application log event ID 11728 (source MsiInstaller, “Configuration completed successfully”) to detect MSI repair privilege escalation attempts. The event records the product name, the user who initiated the operation and the time; a repair of a per-machine product initiated by a non-administrator is worth investigating.
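To make the third item concrete, here is an added PowerShell script (not Atera’s or Mandiant’s) that pulls event ID 11728 from the Application log and reports the occurrences initiated by accounts outside the local Administrators group. The default lookback window and the product-name pattern are assumptions.

```powershell
# Added example: surface MSI "Configuration completed successfully" events
# (Application log, source MsiInstaller, ID 11728) initiated by non-administrators.
# Save as Find-UserMsiRepairs.ps1 and run from an elevated prompt.
param(
    [int]$Days = 7,                      # assumption: lookback window
    [string]$ProductPattern = 'Atera'    # assumption: matched against the product name in the event text
)

# SIDs that count as administrative: SYSTEM, LOCAL SERVICE, NETWORK SERVICE and
# the direct members of the local Administrators group (S-1-5-32-544).
$adminSids = @('S-1-5-18', 'S-1-5-19', 'S-1-5-20')
try {
    $adminSids += (Get-LocalGroupMember -SID 'S-1-5-32-544' -ErrorAction Stop).SID.Value
} catch {
    Write-Warning "Could not enumerate local Administrators: $_"
}

$events = Get-WinEvent -FilterHashtable @{
    LogName      = 'Application'
    ProviderName = 'MsiInstaller'
    Id           = 11728
    StartTime    = (Get-Date).AddDays(-$Days)
} -ErrorAction SilentlyContinue

$events |
    Where-Object { $_.Message -match $ProductPattern } |
    ForEach-Object {
        $sid  = $_.UserId          # SecurityIdentifier of the account that ran msiexec, or $null
        $user = if ($null -eq $sid) { '(unknown)' } else {
            try { $sid.Translate([System.Security.Principal.NTAccount]).Value } catch { $sid.Value }
        }
        [pscustomobject]@{
            Time     = $_.TimeCreated
            User     = $user
            IsAdmin  = ($null -ne $sid) -and ($adminSids -contains $sid.Value)
            # Message looks like "Product: <name> -- Configuration completed successfully."
            Product  = (($_.Message -split ' -- ')[0] -replace '^Product:\s*', '').Trim()
            RecordId = $_.RecordId
        }
    } |
    Where-Object { -not $_.IsAdmin } |
    Sort-Object Time -Descending |
    Format-Table -AutoSize
```

Legitimate repairs do happen (advertised shortcuts and self-healing components trigger them), so baseline the output before alerting on it. The admin check only resolves direct members of the local group, not nested domain groups; on domain-joined hosts feed the same filter into your SIEM and compare the user against your admin group membership there.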

Conclusion:

Privilege escalation vulnerabilities in software installers can have severe consequences for organizations, because an installer’s Custom Actions run as SYSTEM and can be re-run by any user. The discoveries in Atera Agent’s Windows Installer are a reminder of the importance of secure coding practices and prompt patching. Software developers must review their Custom Actions for writable paths and visible console windows, and organizations should prioritize timely updates (here, Atera Agent 1.8.4.9 or later) to protect their systems from known vulnerabilities and maintain a robust security posture.
