There are growing concerns about potential weaknesses within the PowerShell Gallery, which could provide an open door for threat actors to execute supply chain attacks. These potential breaches not only make typosquatting attacks a serious risk, but also make it tricky for users to verify the authenticity of a package. Aqua Security's dedicated research trio, Mor Weinberger, Yakir Kadkoda, and Ilay Goldman recently brought these issues to light during an investigation which they later discussed with The Hacker News.
PowerShell Gallery is a critical cog in Microsoft's infrastructure, serving as a consolidated hub for acquiring and exchanging PowerShell code, a repository that holds an impressive 11,829 distinctive packages and an overall total of 244,615 packages. This service, however, is under scrutiny due to its laidback policies relating to package names, putting its security at risk.
The researchers pinpointed two key areas of vulnerability. First, the lack of protective measures against typosquatting attacks. This gap in cybersecurity means that attackers could easily upload harmful PowerShell modules, which are then mistaken to be authentic by unaware users. Second, user metadata can be tampered with, leading users to believe that a module, equipped with bogus Author(s), Copyright, and Description fields, is legitimate.
Unfortunately, identifying the actual author of a PowerShell module proves to be a complex task as the researchers explain, "The only way for users to determine the real author/owner is to open the 'Package Details' tab. However, this will only lead them to the profile of the fake author, as the attacker can freely choose any name when creating a user in the PowerShell Gallery."
On top of these significant flaws, a third vulnerability was identified by these cybersecurity detectives. An attacker could abuse this flaw to enumerate package names and versions, even those that are unlisted and intentionally hidden from the public. By exploiting the PowerShell API, a potential threat could get their hands on the entire PowerShell package database, including all associated versions.
The trio describes the implications, "This uncontrolled access provides malicious actors with the ability to search for potential sensitive information within unlisted packages. Consequently, any unlisted package that contains confidential data becomes highly susceptible to compromise."Aqua Security alerted Microsoft to these vulnerabilities in September 2022. As of March 7, 2023, Microsoft reportedly deployed reactive fixes. However, the issues are still reproduceable.
This case underscores the escalating security risks that come hand in hand with our burgeoning dependence on open-source projects and registries. The researchers emphasized, "The responsibility for securing users primarily lies with the platform. It's essential that PowerShell Gallery, and similar platforms, take necessary steps to enhance their security measures."
At Darksteel Technologies, we are an Orlando based business that can handle all aspects of your IT security. Providing compliance, training, malware protection, cloud security, devsecops, vulnerability management, penetration testing, architecture design and any other information security requirement your business needs. We focus on your cybersecurity so you don't have to.