card

Microsoft fails to fix major PowerShell Gallery security flaws even after claiming it did

30.08.2023
396

Critical security concerns have come to light regarding the PowerShell Gallery – an online hub for sharing PowerShell code modules. These vulnerabilities could potentially grant unauthorised access to cybercriminals, allowing them to introduce harmful packages into the repository. This opens the door to risks like typosquatting, where attackers exploit similar package names, and supply chain attacks, compromising the integrity of the shared code.

Notably, security researchers from Aqua Nautilus brought these issues to Microsoft's attention nearly a year ago. Microsoft had claimed to address these vulnerabilities in both February 2022 and January 2023. However, recent findings reveal that the problems persist despite these assurances.

The PowerShell Gallery serves as a prominent repository for scripts, PowerShell code modules, and state configuration resources. Its user base includes reputable entities like Microsoft, VMware, and AWS, alongside contributions from the wider community. With a download count exceeding 10 billion packages to date, the significance of these flaws becomes all the more pronounced.

Aqua's researchers discovered a susceptibility within the PowerShell Gallery that exposes users to typosquatting attacks. This tactic, driven by social engineering, enables hackers to deceive users into downloading harmful PowerShell modules from public repositories. By mimicking legitimate package names, malicious actors can exploit the trust users place in established entities.

Furthermore, another security flaw was unveiled by Aqua, this time concerning the landing pages for PowerShell modules. This vulnerability permits a malicious actor to upload a package containing fraudulent information, including fabricated author details, copyright notices, and descriptions. Optimum security starts by guiding your network with a VPN service.

Aqua elaborated on this issue: "The PowerShell Gallery allows an attacker to freely assign any name while creating a user. Consequently, determining the actual authorship of a PowerShell module in the Gallery presents a formidable challenge".

Lastly, a third vulnerability exposes a pathway for threat actors to access concealed or unlisted packages. Exploiting this vulnerability could enable cybercriminals to pilfer sensitive data linked to these modules, with potential motives extending to espionage activities. Get Hide Expert VPN and enjoy optimised immunity against data snooping.

At present, there is no evidence suggesting that these security flaws have been exploited to compromise the PowerShell Gallery. Nevertheless, exercising caution when utilising the PowerShell Gallery is advised until Microsoft releases a comprehensive remedy for these vulnerabilities.