PowerHell: Attention, unfixed vulnerabilities in the PowerShell gallery

Sicherheit (Pexels, allgemeine Nutzung)[German]Security researchers from Aqua Security came across several vulnerabilities in Microsoft's PowerShell gallery some time ago. The vulnerabilities were then reported to Redmond, where unsuccessful attempts were made to fix the bugs with patches. Now the security researchers have gone public with a report about this a few days ago to warn about these vulnerabilities.


What is the PowerShell Gallery

The PowerShell Gallery is the central repository for PowerShell content. Administrators can find PowerShell scripts in it, as well as modules that contain PowerShell cmdlets and Desired State Configuration (DSC) resources. Some of these packages were created by Microsoft, while others come from the PowerShell community.

The module PowerShellGet contains cmdlets to get, install, update, and publish PowerShell packages from the PowerShell Gallery. These packages can contain artifacts such as modules, DSC resources, role capabilities, and scripts. To do this, the latest version of PowerShellGet should be installed. The documentation of PowerShellGet and PowerShell Gallery can be found here.

Vulnerabilities unfixed for months

PowerShell Gallery modules are commonly used as part of the cloud deployment process, especially popular on AWS and Azure, to interact with and manage cloud resources. Therefore, the installation of a malicious module could be fatal for enterprises. And this is exactly the issue, which has been disclosed by security researchers. I became aware of the issue through various media, which is addressed by Aqua Security in the following tweet under the term "PowerHell" and documented in the blog post PowerHell: Active Flaws in PowerShell Gallery Expose Users to Attacks.

Multiple vulnerabilities

The post states that significant flaws have been uncovered by Aqua Nautilus that are still active in the PowerShell Gallery policy related to package names and owners. These vulnerabilities allow so-called typo squatting attacks in this registry of packages (i.e. slight changes to package names). This makes it difficult for users to identify the true owner of a package. As a result, these vulnerabilities pave the way for potential supply chain attacks.


In addition, attackers can exploit a second vulnerability. This one allows to discover unlisted packages and expose deleted (confidential information) in the PowerShell Gallery registry. This mechanism is used when users want to hide their modules by not listing their packages. A third vulnerability allows fake module metadata to be set in the PowerShell Gallery. Details can be read in the linked article.

Proof of Concept developed

These findings enabled the security researchers to create a proof of concept (POC) and then imitate popular Microsoft PowerShell modules with their own tampered code. These fake modules were then downloaded millions of times from the PowerShell Gallery across a range of cloud services by various organizations.

Vulnerabilities unpatched by Microsoft

The security researchers have of course reported the found vulnerabilities to Microsoft. Microsoft has confirmed the reported behavior regarding the vulnerabilities and even promised to fix them. Now the security researchers write: Although the vulnerabilities were reported to the Microsoft Security Response Center on two different occasions, the problems are still reproducible until August 2023. According to the security researchers, this indicates that no concrete or sufficient changes have been made by Microsoft.

This reads to me like the case of the months of unpatched Azure vulnerabilities I discussed in the blog post Microsoft as a Security Risk? Azure vulnerability unpatched since March 2023, heavy criticism from Tenable – Part 2. This was then promptly closed in August 2023 after public criticism.

Similar articles:
China hacker (Storm-0558) accessed Outlook accounts in Microsoft's cloud
Follow-up to the Storm-0558 cloud hack: Microsoft is still in the dark
Stolen AAD key allowed (Storm-0558) wide-ranging access to Microsoft cloud services

Microsoft as a Security Risk? U.S. senator calls for Microsoft to be held accountable over Azure cloud hack– Part 1
Microsoft as a Security Risk? Azure vulnerability unpatched since March 2023, heavy criticism from Tenable – Part 2

Cookies helps to fund this blog: Cookie settings

This entry was posted in Security, Software and tagged , . Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *