Cybersecurity Threat Advisory

The latest Cybersecurity Threat Advisory involves two zero-day vulnerabilities that were discovered in Atera RMM Windows installers. These two vulnerabilities are deemed critical and provide privilege escalation capabilities upon successful exploitation. Barracuda MSP recommends updating to version 1.8.4.9 to remediate both vulnerabilities.

What is the threat?

The first vulnerability, CVE-2023-26077, is a privilege escalation vulnerability that can be exploited through DLL (Dynamic-Link Library) hijacking. This attack method abuses how Windows applications locate and load DLL files by substituting a malicious DLL in place of a legitimate one. Successful exploitation gives an attacker escalated privileges and can open a command prompt as the NT AUTHORITY\SYSTEM user to execute arbitrary code. This vulnerability is currently exploited in the wild through building special Outlook tasks, messages, and calendar events.

The second zero-day vulnerability, CVE-2023-26078, involves system commands. Windows Console Host (conhost.exe) opens as a child process when a system command is executed. If this command window is opened with elevated privileges, it can be used to perform a local privilege escalation attack. Both flaws lie in the repair functionality of the Atera MSI installer.

Why is it noteworthy?

Atera is a provider of RMM (Remote Monitoring and Management) and accompanying services aimed at IT departments and managed service providers (MSPs). Because these vulnerabilities affect the MSI installers of the RMM solution itself, their impact can be significant, especially for lateral movement across an MSP's customer base. The vulnerabilities are still awaiting analysis for a CVSS (Common Vulnerability Scoring System) score but are believed to be critical given the nature of the threat. Given their severity and impact, action should be taken as soon as possible.

What is the exposure or risk?

Successful exploitation of these vulnerabilities can lead to arbitrary code execution, DoS (Denial-of-Service) attacks, information disclosure and more. Such a compromise affects a system's integrity, availability, and confidentiality, ultimately putting the affected organization's entire network at risk. Atera has released patches for this collection of vulnerabilities.

What are the recommendations?

Barracuda MSP recommends the following actions to prevent and protect against these vulnerabilities:

  • Upgrade Atera RMM to at least version 1.8.4.9 to remediate both vulnerabilities.
  • Developers should review their custom actions on Atera to prevent hijacking of privileged operations, including those executed by MSI repairs.
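The two techniques described above (a console host spawned by an elevated MSI repair, and a DLL loaded from a path an unprivileged user can write to) both leave traces in ordinary endpoint telemetry, and the upgrade recommendation reduces to a version comparison. The script below is an added example written for this advisory; it is not code from Barracuda MSP or Atera. It checks an installed version against the 1.8.4.9 fix named above and runs two simple detection rules over constructed, Sysmon-style sample events. The event field names, the set of user-writable directory prefixes, and the sample values are all assumptions made for the example.

```python
import ntpath

FIXED_VERSION = "1.8.4.9"  # version the advisory names as the fix

def parse_version(text):
    """'1.8.4.9' -> (1, 8, 4, 9). Dotted numeric versions only."""
    return tuple(int(p) for p in text.strip().split("."))

def needs_upgrade(installed, fixed=FIXED_VERSION):
    """True when the installed agent version sorts below the fixed version.
    Shorter versions are right-padded with zeros so '1.8' compares as 1.8.0.0."""
    a, b = parse_version(installed), parse_version(fixed)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return a < b

SYSTEM_USER = "NT AUTHORITY\\SYSTEM"
# Console-type images whose appearance under an elevated msiexec.exe is worth a look.
CONSOLE_IMAGES = {"conhost.exe", "cmd.exe", "powershell.exe"}
# Directories an unprivileged user can normally write to (heuristic, assumption).
USER_WRITABLE_PREFIXES = ("c:\\users\\", "c:\\windows\\temp\\")

def _base(path):
    """Lower-cased file name of a Windows path."""
    return ntpath.basename(path).lower()

def suspicious_console_spawn(ev):
    """Rule 1: a console process created by msiexec.exe while it runs as SYSTEM."""
    return (ev.get("type") == "ProcessCreate"
            and _base(ev.get("parent_image", "")) == "msiexec.exe"
            and _base(ev.get("image", "")) in CONSOLE_IMAGES
            and ev.get("user") == SYSTEM_USER)

def suspicious_dll_load(ev):
    """Rule 2: SYSTEM-level msiexec.exe loading a DLL from a user-writable path."""
    return (ev.get("type") == "ImageLoad"
            and _base(ev.get("image", "")) == "msiexec.exe"
            and ev.get("user") == SYSTEM_USER
            and ev.get("loaded", "").lower().startswith(USER_WRITABLE_PREFIXES))

def triage(events):
    """Return (rule_name, pid) for every event that matches a rule."""
    findings = []
    for ev in events:
        if suspicious_console_spawn(ev):
            findings.append(("console-from-msiexec", ev["pid"]))
        elif suspicious_dll_load(ev):
            findings.append(("dll-from-writable-path", ev["pid"]))
    return findings

# Constructed sample events (not real logs); field names mirror Sysmon's
# ProcessCreate / ImageLoad events loosely and are an assumption of this example.
SAMPLE_EVENTS = [
    {"type": "ProcessCreate", "pid": 4120, "image": r"C:\Windows\System32\msiexec.exe",
     "parent_image": r"C:\Windows\System32\services.exe", "user": SYSTEM_USER},
    {"type": "ImageLoad", "pid": 4120, "image": r"C:\Windows\System32\msiexec.exe",
     "loaded": r"C:\Windows\System32\version.dll", "user": SYSTEM_USER},     # benign
    {"type": "ImageLoad", "pid": 4120, "image": r"C:\Windows\System32\msiexec.exe",
     "loaded": r"C:\Users\alice\AppData\Local\Temp\example.dll", "user": SYSTEM_USER},
    {"type": "ProcessCreate", "pid": 4188, "image": r"C:\Windows\System32\conhost.exe",
     "parent_image": r"C:\Windows\System32\msiexec.exe", "user": SYSTEM_USER},
    {"type": "ProcessCreate", "pid": 5200, "image": r"C:\Windows\System32\conhost.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe", "user": r"CORP\alice"},  # benign
]

if __name__ == "__main__":
    print("upgrade needed for 1.8.4.8:", needs_upgrade("1.8.4.8"))
    for rule, pid in triage(SAMPLE_EVENTS):
        print(f"{rule}: pid {pid}")
```

Rule 1 will also fire on legitimate installs whose custom actions run a shell, so in practice it is tuned against a baseline of known installers and correlated with the logged-on user rather than used as a standalone alert; rule 2 is the more specific signal, since a SYSTEM-level installer has little reason to load code from a user's temp directory.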

References

For more in-depth information about the recommendations, please visit the following links:

If you have any questions about this Cybersecurity Threat Advisory, please contact our Security Operations Center.



Posted by Matthew Russo

Matthew is a Cybersecurity Analyst at Barracuda MSP. He's a security expert, working on our Blue Team within our Security Operations Center. Matthew supports our XDR service delivery and is highly skilled at analyzing security events to detect cyber threats, helping keep our partners and their customers protected.
