Zero-day vulnerability found in Atera RMM

  • Oliver Cole
  • Jul 24, 2023
  • 2 min read

Updated: Jan 3, 2024

In recent months, the digital landscape has witnessed an alarming rise in cyber threats, and the discovery of zero-day vulnerabilities has further escalated concerns. One such case involves the Atera remote monitoring and management software, where two zero-day vulnerabilities in its Windows installers were recently discovered. These vulnerabilities, if exploited, could allow attackers to launch privilege escalation attacks, gaining unauthorized access and executing arbitrary code with elevated privileges. In this blog post, we delve into the details of these vulnerabilities, their potential risks, and the measures taken to address them.


The Uncovered Vulnerabilities


On February 28, 2023, Mandiant, a renowned security firm, unearthed two zero-day vulnerabilities in Atera's Windows installers. The identified issues have been assigned the identifiers CVE-2023-26077 and CVE-2023-26078. These vulnerabilities were located in the MSI installer's repair functionality, which inadvertently enabled operations to be triggered from the NT AUTHORITY\SYSTEM context, even if initiated by a standard user.


The Potential Risks


The ability to initiate operations from an NT AUTHORITY\SYSTEM context presents a significant security risk. Misconfigured Custom Actions that run under NT AUTHORITY\SYSTEM during an install or repair can be abused by malicious actors to execute local privilege escalation attacks. This means that an attacker could potentially execute arbitrary code with elevated privileges, gaining extensive control over the targeted system.
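The Custom Action misconfiguration described above can be audited directly from an installer's CustomAction table. The following is an added Python example, not code from the original post or from Atera or Mandiant: it decodes the Type column using Microsoft's documented msidbCustomActionType flag values and reports actions that are both deferred (0x400, msidbCustomActionTypeInScript) and marked NoImpersonate (0x800), which is the combination that executes as LocalSystem during install and repair rather than as the user who started msiexec. The rows below are constructed for the example; the action names, sources and targets are hypothetical and not taken from any real installer.

```python
"""Audit Windows Installer CustomAction rows for code that runs as LocalSystem.

Added example (not from the blog post or from Atera). The flag values are the
documented msidbCustomActionType* constants; the sample rows are constructed.
"""

# Low 6 bits of Type encode the action kind: target (DLL, EXE, script, ...)
# combined with source (Binary table, installed file, directory, property).
TYPE_BASE_MASK = 0x3F
IN_SCRIPT = 0x400        # msidbCustomActionTypeInScript: deferred execution
NO_IMPERSONATE = 0x800   # msidbCustomActionTypeNoImpersonate: run as LocalSystem
ROLLBACK = 0x100         # msidbCustomActionTypeRollback (meaningful only with IN_SCRIPT)
COMMIT = 0x200           # msidbCustomActionTypeCommit   (meaningful only with IN_SCRIPT)

# Base types that launch external code rather than set a property or directory.
EXE_BASE_TYPES = {2, 18, 34, 50}                    # EXE from Binary / file / dir / property
DLL_BASE_TYPES = {1, 17}                            # DLL from Binary table / installed file
SCRIPT_BASE_TYPES = {5, 6, 21, 22, 37, 38, 53, 54}  # JScript / VBScript variants


def decode_type(type_value):
    """Split a CustomAction Type integer into its documented flag bits."""
    deferred = bool(type_value & IN_SCRIPT)
    return {
        "base": type_value & TYPE_BASE_MASK,
        "deferred": deferred,
        "no_impersonate": bool(type_value & NO_IMPERSONATE),
        # Rollback/commit bits only carry that meaning for deferred actions.
        "rollback": deferred and bool(type_value & ROLLBACK),
        "commit": deferred and bool(type_value & COMMIT),
    }


def runs_as_system(type_value):
    """True when the action executes in the LocalSystem context (per-machine MSI)."""
    flags = decode_type(type_value)
    return flags["deferred"] and flags["no_impersonate"]


def audit_custom_actions(rows):
    """rows: iterable of (Action, Type, Source, Target) as read from the
    CustomAction table. Returns one finding per action that launches code
    as LocalSystem; property/directory-setting actions are ignored."""
    findings = []
    for action, type_value, source, target in rows:
        if not runs_as_system(type_value):
            continue
        flags = decode_type(type_value)
        if flags["base"] in EXE_BASE_TYPES:
            kind = "executable"
        elif flags["base"] in DLL_BASE_TYPES:
            kind = "dll"
        elif flags["base"] in SCRIPT_BASE_TYPES:
            kind = "script"
        else:
            continue  # runs as SYSTEM but does not execute code (e.g. type 51 set-property)
        phase = "rollback" if flags["rollback"] else "commit" if flags["commit"] else "deferred"
        findings.append({"action": action, "kind": kind, "phase": phase,
                         "source": source, "target": target})
    return findings


# Constructed sample rows (hypothetical names; Type values chosen to exercise each branch).
SAMPLE_ROWS = [
    ("RunInstallerHelper", 3074, "HelperBinary", "/install"),       # 0x800|0x400|2: EXE, SYSTEM
    ("SetInstallDir", 51, "INSTALLDIR", "[ProgramFilesFolder]Vendor"),  # immediate set-property
    ("CleanupScript", 1030, "CleanupVbs", ""),                      # 0x400|6: deferred, impersonated
    ("LaunchAgent", 3122, "AGENTPATH", "--start"),                  # 0x800|0x400|50: EXE via property
    ("SetDeferredProp", 3123, "CustomActionData", "value"),         # 0x800|0x400|51: SYSTEM, no code
    ("RegisterService", 3586, "ServiceBinary", "--register"),       # 0x800|0x400|0x200|2: commit EXE
]

if __name__ == "__main__":
    for f in audit_custom_actions(SAMPLE_ROWS):
        print(f"{f['action']}: {f['kind']} runs as LocalSystem in {f['phase']} phase "
              f"(source={f['source']!r}, target={f['target']!r})")
```

On a real installer, the rows come from `SELECT Action, Type, Source, Target FROM CustomAction` executed against the MSI database (for example through the Windows Installer COM object); any reported action whose source path or DLL search location is writable by a standard user is the condition this post is describing, and the installer vendor's update is the fix.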


CVE-2023-26077, one of the identified vulnerabilities, is susceptible to a local privilege escalation attack through DLL hijacking. This weakness could be abused to obtain a Command Prompt as the NT AUTHORITY\SYSTEM user, further granting unauthorized access to the system.


On the other hand, CVE-2023-26078 involves the execution of system commands that trigger the Windows Console Host (conhost.exe) as a child process, creating a command window. If executed with elevated privileges, this command window becomes vulnerable to exploitation, leading to a local privilege escalation attack.


Remediation Efforts


Thankfully, Atera took prompt action upon discovering these vulnerabilities and released two remediation versions, 1.8.3.7 and 1.8.4.9. The first version was launched on April 17, 2023, followed by the second on June 26, 2023. These updates effectively patch the vulnerabilities, ensuring that Atera users are protected from potential privilege escalation attacks.


The Bigger Picture


This disclosure comes in the wake of Kaspersky shedding light on another severe privilege escalation flaw in Windows (CVE-2023-23397), which has been actively exploited by threat actors using specially crafted Outlook tasks, messages, or calendar events. The involvement of nation-state groups targeting government and critical infrastructure entities in various countries demonstrates the seriousness of these cyber threats.


The discovery of zero-day vulnerabilities in Atera's Windows installers serves as a stark reminder of the persistent and evolving cyber threats that organizations and individuals face. Privilege escalation attacks can have catastrophic consequences, compromising data, systems, and potentially entire networks. It is crucial for software developers and users alike to remain vigilant, promptly apply security updates, and adopt robust cyber security measures to safeguard against such threats. As the digital landscape continues to evolve, a proactive approach to cyber security remains our strongest defense against cybercriminals seeking to exploit weaknesses in our systems and software.