Zero-day vulnerabilities in Windows Installers for the Atera remote monitoring and management software could act as a springboard to launch privilege escalation attacks.
The flaws, discovered by Mandiant on February 28, 2023, have been assigned the identifiers CVE-2023-26077 and CVE-2023-26078, with the issues remediated in versions 188.8.131.52 and 184.108.40.206 released by Atera on April 17, 2023, and June 26, 2023, respectively.
“The ability to initiate an operation from a NT AUTHORITY\SYSTEM context can present potential security risks if not properly managed,” security researcher Andrew Oliveau said. “For instance, misconfigured Custom Actions running as NT AUTHORITY\SYSTEM can be exploited by attackers to execute local privilege escalation attacks.”
Successful exploitation of such weaknesses could pave the way for the execution of arbitrary code with elevated privileges.
Both the flaws reside in the MSI installer's repair functionality, potentially creating a scenario where operations are triggered from an NT AUTHORITY\SYSTEM context even when they are initiated by a standard user.
According to the Google-owned threat intelligence firm, Atera Agent is susceptible to a local privilege escalation attack that can be exploited through DLL hijacking (CVE-2023-26077), which could then be abused to obtain a Command Prompt as the NT AUTHORITY\SYSTEM user.
CVE-2023-26078, on the other hand, concerns the “execution of system commands that trigger the Windows Console Host (conhost.exe) as a child process,” consequently opening up a “command window, which, if executed with elevated privileges, can be exploited by an attacker to perform a local privilege escalation attack.”
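The process pattern behind CVE-2023-26078, a console host spawned beneath the Windows Installer service while running as SYSTEM, is something endpoint telemetry can surface. The following is an added detection example (not code from the article, Mandiant or Atera) that runs over process-creation events with field names modelled on Sysmon Event ID 1; the events, PIDs and paths are constructed for illustration.

```python
# Added example (not from the article or any vendor): flag a console host or
# shell that runs as NT AUTHORITY\SYSTEM and has msiexec.exe somewhere in its
# parent chain, the process pattern the CVE-2023-26078 description implies.
from typing import Dict, List, Optional

CONSOLE_OR_SHELL = {"conhost.exe", "cmd.exe", "powershell.exe", "pwsh.exe"}
SYSTEM_USER = "NT AUTHORITY\\SYSTEM"


def _basename(path: str) -> str:
    """Lower-cased file name of an image path (handles both slash styles)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _find_msiexec_ancestor(event: Dict[str, str], by_pid: Dict[str, Dict[str, str]],
                           max_depth: int = 5) -> Optional[Dict[str, str]]:
    """Walk ParentProcessId links upward and return the nearest msiexec.exe ancestor."""
    current = event
    for _ in range(max_depth):
        parent = by_pid.get(current["ParentProcessId"])
        if parent is None:
            return None
        if _basename(parent["Image"]) == "msiexec.exe":
            return parent
        current = parent
    return None


def detect_system_console_under_msiexec(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return console/shell events running as SYSTEM with an msiexec.exe ancestor.
    Legitimate installs and repairs can produce this too, so treat hits as triage
    candidates and baseline them against known installer behaviour."""
    by_pid = {e["ProcessId"]: e for e in events}
    hits = []
    for e in events:
        if _basename(e["Image"]) not in CONSOLE_OR_SHELL:
            continue
        if e["User"].upper() != SYSTEM_USER:
            continue
        ancestor = _find_msiexec_ancestor(e, by_pid)
        if ancestor is None:
            continue
        hits.append({
            "ProcessId": e["ProcessId"],
            "Image": e["Image"],
            "CommandLine": e["CommandLine"],
            "MsiexecCommandLine": ancestor["CommandLine"],
        })
    return hits


# Constructed events (not real telemetry); PIDs, paths and user names are illustrative.
SAMPLE_EVENTS = [
    {"ProcessId": "100", "ParentProcessId": "4", "Image": r"C:\Windows\System32\msiexec.exe",
     "CommandLine": "msiexec.exe /V", "User": SYSTEM_USER},
    {"ProcessId": "200", "ParentProcessId": "100", "Image": r"C:\Program Files\Example\helper.exe",
     "CommandLine": "helper.exe /configure", "User": SYSTEM_USER},
    {"ProcessId": "201", "ParentProcessId": "200", "Image": r"C:\Windows\System32\conhost.exe",
     "CommandLine": r"\??\C:\Windows\System32\conhost.exe 0x4", "User": SYSTEM_USER},
    # Client-side repair launched by a standard user: not SYSTEM, so not flagged.
    {"ProcessId": "300", "ParentProcessId": "50", "Image": r"C:\Windows\System32\msiexec.exe",
     "CommandLine": "msiexec.exe /fa {PRODUCT-CODE-PLACEHOLDER}", "User": "HOST\\alice"},
    {"ProcessId": "301", "ParentProcessId": "300", "Image": r"C:\Windows\System32\conhost.exe",
     "CommandLine": "conhost.exe", "User": "HOST\\alice"},
    # conhost.exe as SYSTEM but with no msiexec.exe ancestor: not flagged.
    {"ProcessId": "400", "ParentProcessId": "4", "Image": r"C:\Windows\System32\svchost.exe",
     "CommandLine": "svchost.exe -k netsvcs", "User": SYSTEM_USER},
    {"ProcessId": "401", "ParentProcessId": "400", "Image": r"C:\Windows\System32\conhost.exe",
     "CommandLine": "conhost.exe", "User": SYSTEM_USER},
]

if __name__ == "__main__":
    for hit in detect_system_console_under_msiexec(SAMPLE_EVENTS):
        print(hit)
```

The ancestor walk matters because the console host is usually a grandchild of the installer service (msiexec.exe launches the custom action executable, which in turn gets a conhost.exe), so a rule that only looks at the direct parent would miss it.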
“Misconfigured Custom Actions can be trivial to identify and exploit, thereby posing significant security risks for organizations,” Oliveau said. “It's essential for software developers to thoroughly review their Custom Actions to prevent attackers from hijacking NT AUTHORITY\SYSTEM operations triggered by MSI repairs.”
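The review Oliveau calls for can be partly automated: the Type column of an MSI's CustomAction table encodes, as bit flags, whether an action is deferred (runs from the installation script, which is also what an MSI repair replays) and whether it runs without impersonation, i.e. as LocalSystem. The following added example (not code from the article, Mandiant or Atera) decodes those flags and reports the actions that execute code as NT AUTHORITY\SYSTEM; the flag values and base types are the ones documented in the Windows Installer SDK, while the sample rows are constructed and do not describe the Atera package.

```python
# Added example (not from the article, Mandiant or Atera): decode the Type
# column of an MSI CustomAction table and flag actions that launch code as
# LocalSystem (NT AUTHORITY\SYSTEM) from the deferred installation script.
from typing import Dict, List

# Option flags of the CustomAction Type column (Windows Installer SDK names).
MSIDB_CA_TYPE_INSCRIPT = 0x400       # deferred: executed from the installation script
MSIDB_CA_TYPE_NOIMPERSONATE = 0x800  # do not impersonate the invoking user (LocalSystem)
MSIDB_CA_TYPE_ASYNC = 0x80           # run asynchronously
MSIDB_CA_TYPE_CONTINUE = 0x40        # ignore the action's return code
BASE_TYPE_MASK = 0x3F                # low six bits select the base type

# Base types from the SDK; the ones that launch code are the interesting ones.
BASE_TYPES = {
    1: "DLL from Binary table", 2: "EXE from Binary table",
    5: "JScript from Binary table", 6: "VBScript from Binary table",
    17: "DLL from installed file", 18: "EXE from installed file",
    19: "error message", 34: "EXE with working directory", 35: "set directory",
    37: "JScript from Property", 38: "VBScript from Property",
    50: "EXE from Property", 51: "set property",
    53: "JScript from Property text", 54: "VBScript from Property text",
}
LAUNCHES_CODE = {1, 2, 5, 6, 17, 18, 34, 37, 38, 50, 53, 54}


def decode_type(type_value: int) -> Dict[str, object]:
    """Split a CustomAction Type integer into its base type and option flags."""
    base = type_value & BASE_TYPE_MASK
    return {
        "base": base,
        "base_name": BASE_TYPES.get(base, "unknown"),
        "deferred": bool(type_value & MSIDB_CA_TYPE_INSCRIPT),
        "no_impersonate": bool(type_value & MSIDB_CA_TYPE_NOIMPERSONATE),
        "async": bool(type_value & MSIDB_CA_TYPE_ASYNC),
        "continue": bool(type_value & MSIDB_CA_TYPE_CONTINUE),
    }


def audit_custom_actions(rows: List[Dict[str, object]]) -> List[Dict[str, str]]:
    """Return one finding per custom action that launches code as LocalSystem.
    Rows mimic the CustomAction table columns (Action, Type, Source, Target)."""
    findings = []
    for row in rows:
        info = decode_type(int(row["Type"]))
        # NoImpersonate only takes effect on deferred actions; outside the
        # script the action runs as the user who invoked msiexec.
        if not (info["deferred"] and info["no_impersonate"]):
            continue
        if info["base"] not in LAUNCHES_CODE:
            continue  # set-property / set-directory actions launch nothing
        findings.append({
            "action": str(row["Action"]),
            "runs": str(info["base_name"]),
            "source": str(row["Source"]),
            "target": str(row["Target"]),
            "why": "deferred + NoImpersonate: executes as NT AUTHORITY\\SYSTEM during "
                   "install and repair; review its DLL/EXE search path and whether "
                   "it can open a console window.",
        })
    return findings


# Constructed sample rows (not from any real package), shown as Orca or WiX would.
SAMPLE_ROWS = [
    {"Action": "RegisterAgentDll", "Type": 3073, "Source": "AgentSetup.dll", "Target": "Register"},
    {"Action": "RunHelperExe", "Type": 3090, "Source": "HelperExe", "Target": "/configure"},
    {"Action": "SetInstallDir", "Type": 51, "Source": "INSTALLDIR", "Target": "[ProgramFilesFolder]Agent"},
    {"Action": "ImpersonatedExe", "Type": 1042, "Source": "HelperExe", "Target": "/user-mode"},
]

if __name__ == "__main__":
    for f in audit_custom_actions(SAMPLE_ROWS):
        print(f"{f['action']}: {f['runs']} ({f['source']} {f['target']}) -> {f['why']}")
```

Type 3073 is 0xC01 (DLL from the Binary table, deferred, no impersonation) and 3090 is 0xC12 (EXE from an installed file with the same two flags); 1042 is the same EXE action with impersonation, so it runs as the invoking user and is not reported. A finding is not a vulnerability by itself; it marks the actions whose inputs (search paths, command lines, child processes) deserve the review the researcher describes.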
The disclosure comes as Kaspersky shed more light on a now-fixed, severe privilege escalation flaw in Windows (CVE-2023-23397, CVSS score: 9.8) that has come under active exploitation in the wild by threat actors using a specially crafted Outlook task, message or calendar event.
While Microsoft disclosed previously that Russian nation-state groups weaponized the bug since April 2022, evidence gathered by the antivirus vendor has revealed that real-world exploit attempts were carried out by an unknown attacker targeting government and critical infrastructure entities in Jordan, Poland, Romania, Turkey, and Ukraine a month prior to the public disclosure.