Critical Flaws in PowerShell Gallery Enable Malicious Exploits – Source: www.infosecurity-magazine.com

Aqua Nautilus has uncovered critical vulnerabilities persisting within the PowerShell Gallery, resulting in a fertile ground for malicious actors to exploit and launch attacks. 

These vulnerabilities, described in an advisory published on Wednesday, pertain to naming policies, package ownership verification and exposure of unlisted modules. The PowerShell Gallery, an essential repository for PowerShell content, is extensively used for managing cloud resources across platforms like AWS and Azure.

The first flaw reveals a lax module naming policy, enabling typosquatting attacks that imitate popular packages. This opens the door to supply-chain breaches, allowing malevolent modules to be injected into unsuspecting users’ systems. 

The second vulnerability involves the manipulation of package metadata, making malicious packages appear authentic by impersonating reputable entities like Microsoft. 

The third flaw exposes unlisted packages and their sensitive data, endangering users who have inadvertently exposed confidential information.

Read more on PowerShell security: “PowerDrop” PowerShell Malware Targets US Aerospace Industry

“For years, we’ve seen malicious libraries and modules in Python and Node. This now brings the use of malicious code into shared projects with PowerShell,” commented John Bambenek, principal threat hunter at Netenrich. “Mitigation requires fanatical attention to detail in making sure developers are referencing packages precisely and getting exactly what they intend to do.”

Despite Aqua Nautilus reportedly notifying the Microsoft Security Response Center of these vulnerabilities and creating a proof of concept (POC) that exploits them, the issues remain unresolved, threatening the security of several users.

Infosecurity has contacted Microsoft regarding these vulnerabilities, but as of the time of publishing, a response has not been received.

“This is a classic supply-chain challenge when using open source code […] How do you know that you can trust it?” Highlighted Phil Neray, vice president of cyber defense strategy at CardinalOps. “Short of manually examining every line of code, the best approach is to enable granular logging across your cloud and on-premise infrastructure while implementing high-fidelity detections to quickly alert on suspicious or unauthorized behavior.”

As per these guidelines, DevOps and engineers who rely on PowerShell Gallery modules for cloud deployment are urged to exercise caution and consider adopting signed PowerShell module policies, using trusted private repositories and implementing robust monitoring systems. 

Aqua Nautilus also emphasized that securing users primarily rests with platform operators, and these findings underscore the urgent need for enhanced security measures and unified standards across open-source registries.