Atera Leaves Customers Vulnerable: Critical Flaws Found in Installer

A zero-day vulnerability has been discovered in the Windows installers of the ATERA software, which is used for remote monitoring and management. Attackers can exploit it to gain elevated privileges. ATERA is a cloud platform that lets IT specialists remotely manage their customers' computers and servers. The ATERA agent, installed on each managed device, connects that device to the central server.

In February, researchers from Mandiant found that the ATERA agent's installer contains two critical vulnerabilities that enable arbitrary code execution with elevated privileges. The developers were notified and released two updates to fix them: ATERA 1.8.3.7 in April and ATERA 1.8.4.9 in June.

Last week, Mandiant released a detailed report describing the nature of the identified vulnerabilities. The first (CVE-2023-26077) lies in the way the ATERA agent's installer loads DLL libraries: an attacker can execute malicious code by replacing one of the installer's libraries with a library of their own. That code runs with the highest privileges in Windows, as the system account NT AUTHORITY\SYSTEM.

The second vulnerability (CVE-2023-26078) stems from the ATERA agent's installer opening a Windows console window (the console host, conhost.exe). An attacker can use this window to execute commands with elevated privileges, again as NT AUTHORITY\SYSTEM.

“The ability to perform operations on behalf of NT Authority System poses potential security risks if not properly controlled,” said one of the Mandiant researchers. “For example, improperly configured special actions performed on behalf of NT Authority System can be exploited by attackers for privilege escalation.”

ATERA customers are advised to update their software to the latest version if they haven’t done so already.
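A fleet-wide version audit is the practical follow-up to that advice. The script below is an added example, not code from Mandiant or Atera; it assumes an inventory of (hostname, version string) pairs gathered from your own asset tooling and uses only the two fix releases named above, treating a host as fully patched when it runs the later of them or newer.

```python
import re

# The two fix releases named in the article (April and June). A host is treated as
# fully patched only at or above the later one, since the article does not state
# which release closes which CVE.
FIX_RELEASES = ((1, 8, 3, 7), (1, 8, 4, 9))
FULLY_PATCHED = max(FIX_RELEASES)

# Accepts "1.8.4.9", "v1.8.4.9" or shorter forms such as "1.8.5".
_VERSION_RE = re.compile(r"^\s*v?(\d+(?:\.\d+){1,3})\s*$")


def parse_version(text):
    """Turn a dotted version string into a 4-part integer tuple for comparison.

    Returns None for anything that is not a numeric dotted version, so that a
    blank or garbage inventory field is never mistaken for a patched agent.
    """
    match = _VERSION_RE.match(text or "")
    if not match:
        return None
    parts = tuple(int(p) for p in match.group(1).split("."))
    return parts + (0,) * (4 - len(parts))


def audit(inventory):
    """Classify (hostname, version) pairs into patched / unpatched / unknown."""
    result = {"patched": [], "unpatched": [], "unknown": []}
    for host, version in inventory:
        parsed = parse_version(version)
        if parsed is None:
            result["unknown"].append(host)      # cannot prove it is patched
        elif parsed >= FULLY_PATCHED:
            result["patched"].append(host)
        else:
            result["unpatched"].append(host)    # predates the June fix release
    return result


# Constructed sample inventory; hostnames and versions are illustrative only.
SAMPLE_INVENTORY = [
    ("ws-01", "1.8.4.9"),
    ("ws-02", "v1.8.3.7"),
    ("ws-03", "1.8.5"),
    ("ws-04", "1.7.22.0"),
    ("ws-05", "unknown"),
]

if __name__ == "__main__":
    for status, hosts in audit(SAMPLE_INVENTORY).items():
        print(f"{status}: {', '.join(hosts) or '-'}")
```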

This is not the first instance of vulnerabilities being discovered in Windows installers. Previously, Kaspersky reported similar cases.
