๎ ‚July 24, 2023๎ „THNMoreWindows security / zero-day

A zero-day vulnerability in the Windows installer of Atera remote monitoring and management software could act as a springboard to launch a privilege escalation attack.

The flaws discovered by Mandiant on February 28, 2023 were assigned the following identifiers: CVE-2023-26077 and CVE-2023-26078the issue was fixed in versions 1.8.3.7 and 1.8.4.9 released by Atera on April 17, 2023 and June 26, 2023 respectively.

“The ability to initiate operations from the NT AUTHORITY\SYSTEM context can pose a potential security risk if not properly managed,” said security researcher Andrew Oliveau. Said. “For example, if the settings are incorrect, custom action Running as NT AUTHORITY\SYSTEM could be exploited by an attacker to perform a local privilege escalation attack. “

Successful exploitation of such a vulnerability could open the way to arbitrary code execution with elevated privileges.

Both flaws exist in the repair functionality of the MSI installer and can lead to scenarios where the operation is triggered from the NT AUTHORITY\SYSTEM context even if the operation was initiated by a standard user.

According to a Google-owned threat intelligence firm, Atera Agent is susceptible to local privilege escalation attacks, which can be exploited. DLL hijack (CVE-2023-26077) It is possible to exploit this to get a command prompt as the NT AUTHORITY\SYSTEM user.

privilege escalation attack

CVE-2023-26078, on the other hand, involves “executing a system command that triggers the Windows Console Host (conhost.exe) as a child process,” which opens a “command window” that, “when run with elevated privileges, may allow an attacker to exploit this command window to perform local privilege escalation attacks.”

โ€œMisconfigured custom actions can be easily identified and exploited, and as a result can pose significant security risks to your organization,โ€ said Oliveau. “It is imperative that software developers thoroughly review their custom actions to prevent attackers from hijacking NT AUTHORITY\SYSTEM operations caused by MSI remediation.”

upcoming webinars

Shielding Against Insider Threats: Mastering SaaS Security Posture Management

Worried about insider threats? We’ve got you covered! Join us for this webinar to explore practical strategies and proactive security secrets using SaaS Security Posture Management.

join today

This disclosure was made as Kaspersky hut A critical privilege escalation flaw in Windows (CVE-2023-23397, CVSS score: 9.8) has been fixed to further expose the issue being exploited in the wild by threat actors using specially crafted Outlook tasks, messages or calendar events.

Microsoft previously disclosed that a Russian nation-state group had been weaponizing this bug since April 2022, but here’s evidence gathered by antivirus vendors: clearly The actual exploitation attempt was carried out by an unknown actor targeting governments and critical infrastructure organizations in Jordan, Poland, Romania, Turkey, and Ukraine a month prior to public disclosure.

Did you enjoy this article? Follow us twitter โ—‹ and LinkedIn To read more of the exclusive content we post.

cropped-BTA_Logo-B-1-scaled-1
YOUR FUTURE STARTS HERE.

BLUE TRAINING ACADEMY

Register now for our membership to gain access to our elite training program and fast forward your career today!

Newsletter

Subscribe my Newsletter for new blog posts, tips & new photos. Let's stay updated!

cropped-BTA_Logo-B-1-scaled-1
Security Blog

Blue Training Academy

Blue Training Academy was developed in 2018 as a educational and training facility for continuing education and certification courses. Blue Training Academy is an educational institution that allows for all sectors of the public and Criminal Justice field to gain ongoing training and education.

Copyright ยฉ๏ธ All rights reserved. | Blue Training Academy Blog