
Zero-Day Vulnerabilities in Atera Windows Installers Expose Users to Privilege Escalation Attack

Windows installers for the Atera remote monitoring and management software were recently found to contain zero-day vulnerabilities that could lead to privilege escalation attacks.

The issues were discovered by Mandiant on February 28, 2023, and have been assigned the identifiers CVE-2023-26077 and CVE-2023-26078. Atera released versions 1.8.3.7 and 1.8.4.9 on April 17, 2023, and June 26, 2023, respectively, to fix these vulnerabilities.

According to security researchers, these vulnerabilities could allow attackers to carry out local privilege escalation attacks if not managed properly. The weaknesses are present in the MSI installer's repair functionality, which might enable operations to be initiated from an NT AUTHORITY\SYSTEM context, even when the repair is started by a standard user.

Mandiant has revealed that Atera Agent is susceptible to a local privilege escalation attack through DLL hijacking (CVE-2023-26077). This can be exploited to gain access to a Command Prompt as the NT AUTHORITY\SYSTEM user. CVE-2023-26078, on the other hand, involves the execution of system commands that trigger the Windows Console Host (conhost.exe) as a child process.

This opens up a command window, which, if executed with elevated privileges, could be exploited by an attacker for a local privilege escalation attack.

Researchers emphasize that misconfigured Custom Actions can be easily identified and exploited, posing significant security risks for organizations. They highlight the importance of thorough review and scrutiny of Custom Actions by software developers, so that attackers cannot take advantage of NT AUTHORITY\SYSTEM operations triggered by MSI repairs.
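The Custom Action review described above can be partly automated. The following is an added example (not code from Mandiant, Atera, or the original post): it decodes the `Type` column of an MSI `CustomAction` table exported as IDT text and reports actions that run deferred without impersonation, that is, as NT AUTHORITY\SYSTEM. The table rows, action names and the console watch list are constructed for illustration.

```python
import csv
import io

# Windows Installer CustomAction "Type" bit flags (msidbCustomActionType*).
IN_SCRIPT = 0x400       # deferred: runs from the installation script
NO_IMPERSONATE = 0x800  # deferred action runs as LocalSystem, not the calling user
EXEC_KINDS = {1: "DLL", 2: "EXE", 5: "JScript", 6: "VBScript"}  # low three bits

# Assumption: a small illustrative watch list of console programs, not exhaustive.
CONSOLE_HINTS = ("cmd.exe", "powershell", "net.exe", "sc.exe", "taskkill")

# Constructed sample in IDT export layout: column names, column types, table/key, rows.
SAMPLE_IDT = "\n".join([
    "Action\tType\tSource\tTarget",
    "s72\ti2\tS72\tS255",
    "CustomAction\tAction",
    "SetInstallDir\t51\tINSTALLDIR\t[ProgramFilesFolder]Example",   # set property
    "LaunchReadme\t1058\tINSTALLDIR\tnotepad.exe readme.txt",       # deferred, impersonated
    "StopExampleSvc\t3106\tSystemFolder\tnet.exe stop ExampleSvc",  # deferred EXE as SYSTEM
    "RegisterHelper\t3073\tHelperDll\tRegisterEntry",               # deferred DLL as SYSTEM
])

def parse_idt(text):
    """Return the data rows of an exported table as dicts keyed by column name."""
    reader = csv.reader(io.StringIO(text), delimiter="\t", quoting=csv.QUOTE_NONE)
    rows = [r for r in reader if r]
    return [dict(zip(rows[0], r)) for r in rows[3:]]  # skip the three header lines

def audit(text):
    """List code-executing custom actions that run in the SYSTEM context."""
    findings = []
    for row in parse_idt(text):
        flags = int(row["Type"])
        kind = EXEC_KINDS.get(flags & 0x07)
        runs_as_system = bool(flags & IN_SCRIPT) and bool(flags & NO_IMPERSONATE)
        if kind is None or not runs_as_system:
            continue
        target = row.get("Target", "").lower()
        findings.append({
            "action": row["Action"],
            "kind": kind,
            # Console programs spawn conhost.exe, the pattern described for CVE-2023-26078.
            "console": kind == "EXE" and any(h in target for h in CONSOLE_HINTS),
        })
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_IDT):
        print(finding)
```

Each reported action is a candidate for manual review: whether it needs to run without impersonation at all, and whether it loads or launches anything from a location a standard user can write to.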

In addition to this, Kaspersky recently shed light on another severe privilege escalation flaw in Windows (CVE-2023-23397, CVSS score: 9.8), which has been actively exploited in the wild by threat actors. Microsoft had previously disclosed that Russian nation-state groups had been using this bug since April 2022.

However, evidence collected by Kaspersky indicates that an unknown attacker targeted government and critical infrastructure entities in Jordan, Poland, Romania, Turkey, and Ukraine with real-world exploit attempts a month before the public disclosure. It's essential for users to stay vigilant and keep their systems up to date with the latest security patches to protect against potential risks.


