Advisory

Critical Zero-Day vulnerabilities in Atera Windows Installers can facilitate Privilege Escalation Attacks

Take action: a planned, non-emergency patch. The Atera installer is not something that runs daily, but if you use Atera's Remote Monitoring and Management software, schedule this update: on a host with an unpatched agent, any standard local user can leverage these flaws to run code as NT AUTHORITY\SYSTEM.


Learn More

Zero-day vulnerabilities were discovered and reported in the Windows Installers for Atera's remote monitoring and management software.

The issues reside in the MSI installer's repair functionality, which can trigger operations in the NT AUTHORITY\SYSTEM context even when the repair is initiated by a standard user. An attacker with a low-privileged local account can therefore abuse the repair path for local privilege escalation.

Successful exploitation lets the attacker execute arbitrary code with elevated privileges. The flaws are tracked as:

  • CVE-2023-26077: Atera Agent through 1.8.3.6 on Windows creates a temporary file in a directory with insecure permissions and is susceptible to local privilege escalation via DLL hijacking, allowing the attacker to obtain a Command Prompt as NT AUTHORITY\SYSTEM.
  • CVE-2023-26078: a privilege escalation vulnerability in Atera Agent 1.8.4.4 and prior on Windows caused by mishandling of privileged APIs. System commands run during the installer's repair trigger the Windows Console Host (conhost.exe), creating a command window that, because it runs with elevated privileges, can be exploited for local privilege escalation.

Separately, and not an Atera Agent flaw despite sometimes being grouped with these, a privilege escalation bug in Microsoft Outlook is also being exploited in the wild:

  • CVE-2023-23397 - a severe privilege escalation flaw in Microsoft Outlook that has been weaponized and actively exploited by threat actors since April 2022, targeting government and critical infrastructure entities in Jordan, Poland, Romania, Turkey, and Ukraine. It is patched by Microsoft, independently of the Atera updates below.

Atera patched the two agent vulnerabilities in versions 1.8.3.7 (CVE-2023-26077) and 1.8.4.9 (CVE-2023-26078), released on April 17, 2023 and June 26, 2023 respectively. Because the fixes landed in separate releases, confirm that deployed agents are at 1.8.4.9 or later, which carries both fixes.
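The following PowerShell script is an added example for this advisory, not Atera's code or tooling. It does two things a practitioner would want after reading the above: it reads the installed Atera Agent version from the standard Uninstall registry keys and compares it against the fixed versions named in this advisory, and it sweeps Sysmon process-creation events (Event ID 1) for the shape of the repair-triggered command window described for CVE-2023-26078. Assumptions, labelled in the comments: the agent registers an Uninstall entry whose DisplayName contains "Atera" and carries a DisplayVersion; Sysmon is installed if you want the second check; and the "msiexec.exe spawning cmd.exe or conhost.exe as NT AUTHORITY\SYSTEM" pattern is a hunting heuristic chosen here, not an indicator published by Atera.

```powershell
# Added example (not Atera's code): triage a Windows host for the Atera Agent
# installer flaws in this advisory. Run from an elevated PowerShell session.
#
# Assumptions:
#  - Atera Agent registers under the standard Uninstall keys with a DisplayName
#    containing "Atera" and a DisplayVersion string (assumption, not verified
#    against every agent build).
#  - Sysmon is installed and logging Event ID 1 (process creation) if you use
#    Find-SystemConsoleFromMsiexec.

# Fixed versions named in the advisory: 1.8.3.7 (CVE-2023-26077) and
# 1.8.4.9 (CVE-2023-26078). Anything below 1.8.4.9 is missing at least one fix.
$script:FixedVersions = @{
    'CVE-2023-26077' = [version]'1.8.3.7'
    'CVE-2023-26078' = [version]'1.8.4.9'
}

function Get-AteraAgentVersion {
    # Check both the native and WOW6432Node uninstall hives; return [version] or $null.
    $paths = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    $entry = Get-ItemProperty -Path $paths -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like '*Atera*' -and $_.DisplayVersion } |
        Select-Object -First 1
    if (-not $entry) { return $null }
    try { return [version]$entry.DisplayVersion } catch { return $null }
}

function Test-AteraAgentPatchStatus {
    # Emit one row per CVE saying whether the installed version predates its fix.
    param([Parameter(Mandatory)][version]$Installed)
    foreach ($cve in ($script:FixedVersions.Keys | Sort-Object)) {
        [pscustomobject]@{
            CVE        = $cve
            Installed  = $Installed
            FixedIn    = $script:FixedVersions[$cve]
            Vulnerable = ($Installed -lt $script:FixedVersions[$cve])
        }
    }
}

function Find-SystemConsoleFromMsiexec {
    # Hunting heuristic (an assumption of this example, not an Atera-published
    # indicator): a cmd.exe or conhost.exe created as NT AUTHORITY\SYSTEM with
    # msiexec.exe as its parent matches the elevated command window that the
    # installer's repair path produces in the CVE-2023-26078 description.
    param([int]$MaxEvents = 5000)
    $events = Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1
    } -MaxEvents $MaxEvents -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        # Read EventData by field name rather than by positional index.
        $data = @{}
        foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        $image  = [IO.Path]::GetFileName([string]$data['Image']).ToLowerInvariant()
        $parent = [IO.Path]::GetFileName([string]$data['ParentImage']).ToLowerInvariant()
        if ($parent -eq 'msiexec.exe' -and $data['User'] -eq 'NT AUTHORITY\SYSTEM' -and
            $image -in @('cmd.exe', 'conhost.exe')) {
            [pscustomobject]@{
                Time        = $e.TimeCreated
                Image       = $data['Image']
                CommandLine = $data['CommandLine']
                ParentCmd   = $data['ParentCommandLine']
            }
        }
    }
}

# Usage: report patch status, then list any suspicious SYSTEM consoles.
$v = Get-AteraAgentVersion
if ($null -eq $v) {
    'Atera Agent not found in the Uninstall registry keys.'
} else {
    Test-AteraAgentPatchStatus -Installed $v | Format-Table -AutoSize
}
Find-SystemConsoleFromMsiexec | Format-Table -AutoSize
```

A hit from Find-SystemConsoleFromMsiexec is not proof of exploitation: a legitimate repair can also launch installer custom actions as SYSTEM, so review the CommandLine and ParentCmd columns and the logged-on user at the time before escalating. The registry check is the authoritative one for patch status; if DisplayVersion is absent or the agent is deployed outside the MSI, fall back to the Atera console's agent inventory.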
