Atera put its customers at risk: two critical vulnerabilities found in the company’s installer
Attackers could elevate their privileges to the highest level on the system and execute arbitrary malicious code. How can they be stopped?
Atera is a cloud platform that allows IT professionals to monitor and manage their clients’ computers and servers remotely. To do this, a dedicated Atera agent is installed on each device, which connects that device to a central server.
In late February, researchers at Mandiant discovered that the Atera agent installer contained two critical vulnerabilities allowing arbitrary code to be executed with elevated privileges. The developers were the first to learn of the gaps in their installer and began actively working on fixes. In April, Atera 18.104.22.168 was released with a fix for the first vulnerability, and in June, Atera version 22.214.171.124 was released with a fix for the second.
Last week, some time after the fixes were released, Mandiant published a detailed report explaining the nature of the identified vulnerabilities.
The first vulnerability (CVE-2023-26077) stems from the Atera agent installer loading DLL libraries insecurely. An attacker could use the well-known DLL hijacking technique to replace one of the libraries the installer loads with a malicious one, causing the installer to execute that code. Because the installer runs as NT AUTHORITY\SYSTEM, the account with the highest privileges in Windows, the malicious code runs with those privileges as well.
The second vulnerability (CVE-2023-26078) lies in the Atera agent installer running system commands that caused a Windows console window (conhost.exe) to appear. That window also runs as NT AUTHORITY\SYSTEM, and an attacker could take advantage of it to execute commands with elevated privileges.
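Both weaknesses share one observable trait for defenders: a SYSTEM-level installer process doing something it should not, either loading a DLL from a directory a standard user can write to, or spawning an interactive console. The following is an added example (not code from Mandiant or Atera) that runs those two detection heuristics over constructed Sysmon-style events; the field names follow Sysmon Event ID 1 (ProcessCreate) and Event ID 7 (ImageLoad), and the list of user-writable prefixes is an assumption to tune per environment.

```python
"""Detection heuristics for the two installer weaknesses described above,
run over constructed Sysmon-style events (the records are made up)."""
import ntpath

SYSTEM_USER = "NT AUTHORITY\\SYSTEM"
# Paths a standard user can write to (assumed list; tune per environment).
# A SYSTEM-level process loading a DLL from here is the DLL-hijacking
# condition behind CVE-2023-26077.
USER_WRITABLE_PREFIXES = ("c:\\users\\", "c:\\windows\\temp\\")
# Console hosts whose SYSTEM-level appearance under msiexec.exe matches the
# visible window described for CVE-2023-26078.
CONSOLE_IMAGES = {"conhost.exe", "cmd.exe"}

def _name(path):
    # ntpath handles Windows separators regardless of the host OS
    return ntpath.basename(path).lower()

def classify(ev):
    """Return the matching rule name for one event, or None."""
    if ev.get("User", "").upper() != SYSTEM_USER:
        return None  # both weaknesses only matter when the actor is SYSTEM
    if ev["EventID"] == 7:  # image load
        loaded = ev["ImageLoaded"].lower()
        if loaded.endswith(".dll") and loaded.startswith(USER_WRITABLE_PREFIXES):
            return "system_dll_load_from_user_writable_path"
    elif ev["EventID"] == 1:  # process create
        if _name(ev["ParentImage"]) == "msiexec.exe" and _name(ev["Image"]) in CONSOLE_IMAGES:
            return "system_console_spawned_by_msiexec"
    return None

def find_suspicious(events):
    """Return (rule, image) pairs for every event that matches a rule."""
    hits = []
    for ev in events:
        rule = classify(ev)
        if rule:
            hits.append((rule, ev["Image"]))
    return hits

# Constructed sample telemetry: two benign records and two that should alert.
SAMPLE_EVENTS = [
    {"EventID": 7, "User": "NT AUTHORITY\\SYSTEM", "Image": r"C:\Windows\System32\msiexec.exe",
     "ImageLoaded": r"C:\Windows\System32\version.dll"},
    {"EventID": 7, "User": "NT AUTHORITY\\SYSTEM", "Image": r"C:\Windows\System32\msiexec.exe",
     "ImageLoaded": r"C:\Users\alice\AppData\Local\Temp\example.dll"},
    {"EventID": 1, "User": "NT AUTHORITY\\SYSTEM", "Image": r"C:\Windows\System32\conhost.exe",
     "ParentImage": r"C:\Windows\System32\msiexec.exe"},
    {"EventID": 1, "User": "DESKTOP\\alice", "Image": r"C:\Windows\System32\conhost.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
]

if __name__ == "__main__":
    for rule, image in find_suspicious(SAMPLE_EVENTS):
        print(f"ALERT {rule}: {image}")
```

Legitimate services do sometimes load DLLs from ProgramData or per-user paths, so the first rule is a starting point for hunting rather than a zero-noise alert.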
“The ability to run operations on behalf of NT AUTHORITY\SYSTEM can present potential security risks if not properly controlled,” one of the Mandiant researchers said. “For example, misconfigured custom actions executing as NT AUTHORITY\SYSTEM can be exploited by attackers to perform privilege escalation attacks.”
Atera customers are advised to update their software to the latest version if they have not already done so.
This is not the first time recently that vulnerabilities have been discovered in Windows installers. Kaspersky previously reported that a serious Windows vulnerability (CVE-2023-23397), which allowed code to be executed with elevated privileges using a specially crafted task, message or event in Outlook, was actively exploited by attackers in real attacks.
“Incorrectly configured custom actions can be extremely easy to detect and exploit, thus presenting serious security risks for organizations,” Mandiant explained. “It is important that software developers carefully check their custom actions to prevent hijacking of NT AUTHORITY\SYSTEM operations triggered by MSI repair.”