Abusing Windows software is the most common thing. However, the sad news is letting attackers abuse is also very common. Most likely this happens due to several reasons, some of them are lack of knowledge, poor security practices, ignoring security standers, and anything that gives a way for attackers to compromise. We will talk about one such instance in this post. Mandiant discovered two critical 0-day vulnerabilities in Atera Windows installer applications.
The vulnerabilities are given the identifiers CVE-2023-26077 and CVE-2023-26078, however their CVSS scores are not determined during the publish of this post. The first flaw could allow the attackers to execute arbitrary code execution as SYSTEM during the repair operation. The second flaw allows attackers to escalate privilege by spawning a command prompt window that further enables the attacker to perform tasks like opening a browser or file explorer with SYSTEM privileges.
Considering its impact, prevalence, and ease of exploitation, it is highly recommended to address these vulnerabilities. We published this post to discuss the impact caused by such third-party installers on Windows. Let’s see how to fix CVE-2023-26077(8), two critical 0-day vulnerabilities in Atera Windows installers. If you are interested to know how to fix these 0-Day vulnerabilities in Atera Windows installers, you can directly jump into the last section. Or, if you really know some technical details like how and what causes the vulnerability, please don’t skip anything. We will give you the complete information and background about these flaws.
Let’s begin this technical post by understanding arbitrary and remote code execution, privilege escalation attacks, MSI files in Windows, DLL libraries, and custom actions.
What are DLL libraries And What is DLL hijacking?
Dynamic link libraries (DLLs) are reusable code libraries in Windows. Instead of having large applications with all their code bundled together, functionality can be split out into separate DLL files. The DLLs contain compiled code to perform common functions that many programs can share. For example, the C runtime library DLL provides functions for input/output and string manipulation.
When a program needs to use a DLL, it loads the library into memory and can call the code inside it. The DLL code executes within the program’s process. Using DLLs makes each application smaller since the common code is centralized. Updates to DLLs propagate across all programs using them. But DLLs also introduce security risks.
One risk is DLL hijacking. This attack method exploits how applications load DLLs. Many applications will automatically load DLLs from certain folders without verifying them. An attacker can place a malicious DLL with the same name in these folders. When the application loads the DLL, it gets the malicious code instead of the real library.
The hijacked DLL runs inside the application, so it has access to the same memory and resources. It could steal data, capture credentials, or allow full remote access. DLL hijacking depends on applications not properly securing DLL loading. Defenses include secured paths, signing DLLs, validating DLLs before use, permissions to prevent DLL replacement, and patching vulnerable load mechanisms.
What are MSI Files And What Happens When MSI Files are Installed or Repaired?
MSI files are installation packages for Windows software created according to the Microsoft Installer standard. They contain all the necessary information for installing, maintaining, and removing an application cleanly. MSI files are essentially databases with tables holding details like file locations, registry data, shortcuts, and dependencies. This standardized format makes them easy to work with programmatically.
When running an MSI file, the Windows Installer engine reads the database tables to guide the installation. It copies files to destinations, makes registry edits, creates shortcuts, and more based on the package contents. MSI files also allow developer-defined Custom Actions which run custom code at set times in the install process. These can execute specialized tasks needed for the specific application.
Once installed, Windows caches MSI files in the
C:\Windows\Installer folder using randomized names ending in “.msi”. Caching allows standard users to utilize the repair feature which fixes issues like missing components, broken shortcuts, or registry problems. Repair is intended to restore installations to a proper working state.
During repairs, certain file or registry operations may execute from an elevated
NT AUTHORITY\SYSTEM context, even when started by a standard user. This allows repairs to fully correct issues requiring higher privileges. However, it introduces potential risks if malicious commands can be inserted into a trusted MSI file through compromised developer access or supply chain attacks. Careful permissions and signing of MSI files help mitigate these risks. Overall, the standardized MSI format provides a flexible and manageable way to deploy Windows software.
Understanding the Two Critical 0-Day Vulnerabilities in Atera Windows Installers
Now, it’s time to understand the recently discovered 0-day vulnerabilities in the Atera Agent software that allows attackers to perform arbitrary code execution and privilege escalation attacks on the Windows Operating System running vulnerable versions of Atera RMM Agent software.
The issue would be when Windows Installer allows standard users to repair installed software, but some of these repair operations can run with
NT AUTHORITY\SYSTEMprivileges. If the repair functionality is misconfigured, it can allow attackers to exploit this to gain elevated privileges on the system.
Mandiant discovered two 0-day vulnerabilities in the Windows version of Atera Agent, they are:
- CVE-2023-26077: Allows DLL hijacking in a folder writable by standard users, enabling arbitrary code execution as SYSTEM during repairs.
- CVE-2023-26078: Repair operations spawn a command prompt window briefly, which can be hijacked to open a browser or file explorer as SYSTEM.
- Mandiant said in its report, these were reported to Atera in February 2023 and fixed in later releases in April and June. Let’s see each one of them in detail.
CVE-2023-26077 is a privilege escalation vulnerability discovered in versions of Atera Agent for Windows prior to 188.8.131.52. This flaw exists due to insecure permissions on folders used during the Windows Installer (MSI) repair process. Specifically, the Atera Agent MSI installer creates a temporary folder at C:\Windows\Temp\AteraUpgradeAgentPackage that is writable by standard users due to inherited permissions from C:\Windows\Temp.
Process attempting to load missing DLLs (Source: Mandiant)
When the repair feature is initiated, even by a standard user, it executes AgentPackageUpgradeAgent.exe from this folder with SYSTEM privileges. The process also attempts to load DLLs from the same temporary folder. An attacker can exploit this by placing a malicious DLL in the folder, having it loaded when repairs run, and executing arbitrary code as SYSTEM.
AteraUpgradeAgentPackage folder permissions (Source: Mandiant)
This is a classic example of “DLL hijacking” during privileged operations that trust folders writable by unprivileged users. The impact is a full compromise of the system since the hijacked process runs with the highest SYSTEM privileges. Attackers with limited user access to a system could gain complete control by triggering the repair and hijacking the DLL load.
While no CVSS score is available yet, this is likely to be rated Critical severity due to the total compromise of system integrity. Atera has addressed the issue by hardening permissions on the AteraUpgradeAgentPackage folder to prevent writes by standard users. Software developers must be extremely careful to not inadvertently trust standard user folders when performing privileged operations like system repairs. Proper access controls and the signing of binaries would have mitigated this flaw.
Overall, CVE-2023-26077 is a high-risk privilege escalation vulnerability allowing DLL hijacking during repairs. Atera has fixed it by hardening folder permissions. But it emphasizes the need for secure design when privileged operations interact with standard user contexts.
CVE-2023-26078 is a privilege escalation vulnerability in Atera Agent prior to version 184.108.40.206 on Windows due to improper handling of privileged APIs during the MSI repair process. Though technical details are limited, it appears that repair operations spawn a Windows command prompt window (conhost.exe) when executing system utilities like net.exe.
Opening hyperlinks with the web browser of choice (Source: Mandiant)
This console window runs with SYSTEM privileges but can be accessed briefly by an unprivileged user triggering the repair. By quickly highlighting text in the window, an attacker can pause the execution and interact with the privileged command prompt. From there, it is possible to open a web browser process as SYSTEM and further escalate access.
Opening Command Prompt through web browser (Source: Mandiant)
This attack takes advantage of the system automatically attaching a console window to processes needing user interaction. If that privileged process can be frozen, it allows unprivileged users to gain control and leverage the elevated access. The impact is a full compromise of the system’s integrity similar to CVE-2023-26077.
While a CVSS score is unavailable, this vulnerability also likely warrants a Critical severity rating. Atera has addressed it by modifying the repair actions to use silent utilities that don’t require a console window. Software developers must be very careful about spawning interactive processes from low-privilege contexts, even if brief.
Overall, CVE-2023-26078 enables privilege escalation by pausing a SYSTEM command prompt spawned during repairs. Quick user interaction allows hijacking the privileged process. Atera fixed it by spawning silent processes without a writable console. But like the related DLL hijacking flaw, it highlights the need to design installer repairs securely to prevent unintentional elevation.
MSI Search: A Tool by Mandiant to Identify the Cached MSI Files
There is a practical challenge in determining which randomized MSI files in C:\Windows\Installer correspond to specific software products. When MSI installers run, they extract files to this folder using randomized filenames like “HJEUICD.msi”. his caching allows users to complete their tasks, but identifying files requires guesswork, which is practically not possible.
Mandiant’s red team faced this problem during the analysis of these two critical 0-day vulnerabilities in Atera Windows Installers too. Analysis requires the original MSI file, which is non-trivial to locate in C:\Windows\Installer. The folder can contain hundreds of extracted installers without file names indicating the associated software.
To simplify this process, Mandiant developers created the msi_search tool. It leverages the Windows Installer API to extract relevant metadata like product names, versions, and vendors from cached MSI files. By reading this metadata rather than guessing based on random filenames, msi_search outputs a list pinpointing which files match specified software. This significantly reduces the time spent harvesting installers from target systems.
How to Fix CVE-2023-26077(8)- Two Critical 0-Day Vulnerabilities in Atera Windows Installers?
Atera recently fixed two critical privilege escalation vulnerabilities in their Windows installers. The vendor said it has fixed the CVE-2023-26077 vulnerability in version 220.127.116.11 and fixed the CVE-2023-26078 vulnerability in version 18.104.22.168. It is recommended to update the Atera Agents to versions equal to or greater than 22.214.171.124 & 126.96.36.199.
Refer to these processes to upgrade the Atera Agent on your Windows machines.
Agent Installation or Upgradation Instructions
- Install an agent on a Windows OS device
- Install an agent via the Command Prompt
- Install an agent on a Mac OS device
- Install an agent on a Linux device
- Install an Atera agent via the customer’s page
If you experience any trouble with agent installation or stability, see:
Please contact the Vendor support team for clear instructions.
Additionally, follow the below mentioned Vendor recommendations with some general guidelines to fix CVE-2023-26077(8), the two critical 0-Day vulnerabilities in Atera Agent Software.
- Review custom actions in MSI installers to prevent privilege escalation attacks. Actions that run executables, load DLLs, or spawn processes from standard user-writable folders are risky.
- Standard users have default write access to folders like C:\Windows\Temp, C:\ProgramData, and subfolders. Custom actions should not trust these folders for privileged operations.
- Use C:\Program Files which requires admin access instead of standard user folders for safer custom action behavior.
- Monitor for Windows Event ID 11728 which tracks non-admin MSI repairs. Investigate suspicious patterns actively.
- Sign all binaries executed during installations and validate dependencies loaded to prevent untrusted code execution.
- Use background processes instead of interactive shells when possible to avoid UI hijacking risks.
- Drop privileges immediately after elevation rather than retaining the high access longer than necessary.
- Adopt secure coding practices around custom actions to avoid introducing vulnerabilities.
- Prioritize remediation of identified privilege escalation risks in installers to protect users.