Critical Zero-Days in Atera Windows Installers Expose Users to Privilege Escalation Attacks


Jul 24, 2023 | THN | Windows Security / Zero-Day


Zero-day vulnerabilities in the Windows Installers for the Atera remote monitoring and management software could act as a springboard for privilege escalation attacks.

The flaws, discovered by Mandiant on February 28, 2023, have been assigned the identifiers CVE-2023-26077 and CVE-2023-26078. They were remediated in versions 1.8.3.7 and 1.8.4.9, released by Atera on April 17, 2023, and June 26, 2023, respectively.

"The ability to initiate an operation from a NT AUTHORITY\SYSTEM context can present potential security risks if not properly managed," security researcher Andrew Oliveau said. "For instance, misconfigured Custom Actions running as NT AUTHORITY\SYSTEM can be exploited by attackers to execute local privilege escalation attacks."

Successful exploitation of such weaknesses could allow arbitrary code to be executed with elevated privileges.

Both flaws reside in the MSI installer's repair functionality, which creates a scenario where operations are triggered from an NT AUTHORITY\SYSTEM context even when they are initiated by a standard user.

According to the Google-owned threat intelligence firm, Atera Agent is susceptible to a local privilege escalation attack that can be exploited via DLL hijacking (CVE-2023-26077), which could then be abused to obtain a Command Prompt as the NT AUTHORITY\SYSTEM user.


CVE-2023-26078, on the other hand, concerns the "execution of system commands that trigger the Windows Console Host (conhost.exe) as a child process," consequently opening up a "command window, which, if executed with elevated privileges, can be exploited by an attacker to perform a local privilege escalation attack."

"Misconfigured Custom Actions can be trivial to identify and exploit, thereby posing significant security risks for organizations," Oliveau said. "It's essential for software developers to thoroughly review their Custom Actions to prevent attackers from hijacking NT AUTHORITY\SYSTEM operations triggered by MSI repairs."
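The review Oliveau calls for can be started from the installer's own CustomAction table. The script below is an added example, not code from the article, Mandiant or Atera: it decodes the documented CustomAction.Type bit field and flags deferred, non-impersonated actions that launch an EXE or load a DLL, which is the pattern a user-triggered MSI repair would run as NT AUTHORITY\SYSTEM. The input rows and the (Action, Type, Source, Target) tuple layout are assumed to come from an Orca/msidump-style export of the table.

```python
# Bit layout of CustomAction.Type as documented for Windows Installer
SOURCE_MASK, TARGET_MASK = 0x30, 0x07
SOURCE_NAMES = {0x00: "Binary", 0x10: "InstalledFile", 0x20: "Directory", 0x30: "Property"}
TARGET_NAMES = {1: "Dll", 2: "Exe", 3: "TextData", 5: "JScript", 6: "VBScript", 7: "Install"}
IN_SCRIPT = 0x400        # msidbCustomActionTypeInScript: deferred, runs in the execute sequence
NO_IMPERSONATE = 0x800   # msidbCustomActionTypeNoImpersonate: no user impersonation,
                         # so a per-machine install/repair runs it as LocalSystem
ROLLBACK, COMMIT = 0x100, 0x200  # only meaningful when IN_SCRIPT is set


def decode_type(ca_type: int) -> dict:
    """Split a CustomAction.Type value into its documented fields."""
    deferred = bool(ca_type & IN_SCRIPT)
    return {
        "source": SOURCE_NAMES.get(ca_type & SOURCE_MASK, "Unknown"),
        "target": TARGET_NAMES.get(ca_type & TARGET_MASK, "Unknown"),
        "deferred": deferred,
        "runs_as_system": deferred and bool(ca_type & NO_IMPERSONATE),
        "rollback": deferred and bool(ca_type & ROLLBACK),
        "commit": deferred and bool(ca_type & COMMIT),
    }


def audit_custom_actions(rows):
    """Return findings for deferred, non-impersonated actions that run an EXE or DLL.

    Code taken from an installed file, a directory or a property path is rated
    'high' because that location may be user-writable (the DLL hijacking case);
    code embedded in the Binary table is rated 'review'.
    """
    findings = []
    for action, ca_type, source, target in rows:
        info = decode_type(ca_type)
        if not info["runs_as_system"] or info["target"] not in ("Dll", "Exe"):
            continue
        severity = "high" if info["source"] != "Binary" else "review"
        findings.append({"action": action, "severity": severity, "target": info["target"],
                         "source": info["source"], "path": f"{source}:{target}"})
    return findings


# Constructed sample rows for demonstration; not taken from the Atera installer
SAMPLE_ROWS = [
    ("RunHelperExe", 0x10 | 2 | IN_SCRIPT | NO_IMPERSONATE, "helper.exe", "/repair"),
    ("LoadSetupDll", 0x00 | 1 | IN_SCRIPT | NO_IMPERSONATE, "SetupBin", "Configure"),
    ("SetInstallDir", 0x30 | 3, "INSTALLDIR", "[ProgramFilesFolder]App"),  # type 51
    ("UserScript", 0x10 | 6 | IN_SCRIPT, "post.vbs", ""),  # deferred but impersonated
]

if __name__ == "__main__":
    for f in audit_custom_actions(SAMPLE_ROWS):
        print(f"{f['severity']:>6}  {f['action']:<14} {f['target']} from {f['source']} ({f['path']})")
```

Any action reported as 'high' is worth tracing to the path the installer actually loads it from and checking that path's ACL for write access by standard users.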


The disclosure comes as Kaspersky shed more light on a now-patched severe privilege escalation flaw in Windows (CVE-2023-23397, CVSS score: 9.8) that has come under active exploitation in the wild by threat actors using a specially crafted Outlook task, message or calendar event.

While Microsoft previously disclosed that Russian nation-state groups had weaponized the bug since April 2022, evidence gathered by the antivirus vendor has revealed that real-world exploitation attempts were carried out by an unknown attacker targeting government and critical infrastructure entities in Jordan, Poland, Romania, Turkey, and Ukraine a month prior to the public disclosure.
