Skip to content

Search the site

PowerShell hit with fresh set of vulnerability disclosures

Researchers with AquaSecurity say PowerShell Gallery is open to a series of lookalike module attacks

A set of vulnerabilities in PowerShell are said to be putting enterprises at risk of catastrophic network breach.

The team at AquaSecurity says a trio of flaws dubbed 'PowerHell' would potentially pose the risk of everything from one-time breaches to full supply-chain attacks if exploited.

The vulnerabilities lie within PowerShell Gallery, the service that handles scripted modules that can be used with PowerShell to integrate with other applications and services such as hypervisors or cloud platforms.

The AquaSecurity researchers found that there are a number of ways in which attackers could sidestep PowerShell Gallery's security protections in order to slip malicious packages onto the service under the guise of known, legitimate modules.

"Despite reporting the flaws to the Microsoft Security Response Center on two separate occasions, with confirmation of the reported behavior and claims of ongoing fixes, as of August 2023, the issues remain reproducible, indicating that no tangible changes have been implemented," note AquaSecurity researchers Mor Weinberger, Yakir Kadkoda, and Ilay Goldman.

The vulnerabilities have not been designated CVE entries, which makes sense as they describe general security failings rather than any specific bug or error condition.

In general, the team found a number of ways in which an attacker would be able to bundle malicious code into a module and then present it on the PowerShell Gallery as a lookalike to a known, legitimate module.

In the first condition, the team says that an attacker could perform a classic lookalike character attack. They say that because of lax naming policies, the conventional structure of "Az.<package_name>" is not mandatory and an attacker could simply delete a period to present their malicious payload as "Az<package_name>" or vice-versa.

In the second case, the researchers discovered that PowerShell Gallery does not properly check metadata entries. This would potentially allow a threat actor to forge key fields such as the author name. This, again would be extremely useful in creating lookalike modules that would trick users to plugging malicious code into their projects.

The third issue is the most subtle of the three. According to the AquaSecurity team, PowerShell Gallery does not properly hide unlisted modules from users. As a result, it would be possible for a remote attacker to ennumerate the various unlisted modules a target is using.

This would make a potential lookalike attack far more effective, as the user would have more trust in a module they thought was secret.

To help guard against attack, the AquaSecurity researchers recommend that companies enforce a signed PowerShell module policy and direct developers and administrators towards a trusted private repository.

"As we increasingly depend on open-source projects and registries, the security risks associated with them become more prominent. It's crucial that flaws, like those highlighted in this blog, are addressed promptly," the researchers said.

"We urge all users to exercise caution when downloading modules/scripts from registries like the PowerShell Gallery."