Active Flaws in PowerShell Gallery Pose Supply Chain Attack Risks

Active flaws in the PowerShell Gallery could be exploited by threat actors to carry out supply chain attacks against users of the registry. Maintained by Microsoft, the PowerShell Gallery serves as a central repository for sharing and acquiring PowerShell code, including modules, scripts, and Desired State Configuration (DSC) resources. The registry, which hosts 11,829 unique packages and 244,615 packages in total, has been found to have vulnerabilities that make it susceptible to typosquatting attacks.

According to Aqua security researchers, the flaws in the PowerShell Gallery lie in its policy surrounding package names, which lacks protections against typosquatting attacks. This allows attackers to upload malicious PowerShell modules that appear genuine to unsuspecting users. Additionally, bad actors can spoof module metadata, including authorship, copyright, and description, making the modules seem more legitimate. Determining the true author of a PowerShell module in the gallery is particularly challenging because attackers can create fake user profiles under any name they choose.
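A defender-side check for the typosquatting risk described above, as an added example that is not from Aqua, Microsoft, or the original article: it compares a requested module name against a vetted allowlist before anything is installed. The module names, the function names and the distance threshold of 2 are assumptions made for illustration.

```powershell
# Module names the team has vetted (constructed sample names, not real packages).
$Approved = @('Contoso.Storage', 'Contoso.Identity', 'FabrikamTools')

function Get-CanonicalName {
    param([string]$Name)
    # Fold case and drop separators so 'Contoso.Storage' and 'contoso-storage' collide.
    $Name.ToLowerInvariant() -replace '[._-]', ''
}

function Get-EditDistance {
    param([string]$A, [string]$B)
    # Levenshtein distance using a full (A+1) x (B+1) table.
    $d = [int[,]]::new($A.Length + 1, $B.Length + 1)
    for ($i = 0; $i -le $A.Length; $i++) { $d[$i, 0] = $i }
    for ($j = 0; $j -le $B.Length; $j++) { $d[0, $j] = $j }
    for ($i = 1; $i -le $A.Length; $i++) {
        for ($j = 1; $j -le $B.Length; $j++) {
            $cost = if ($A[$i - 1] -ceq $B[$j - 1]) { 0 } else { 1 }
            $best = [Math]::Min($d[($i - 1), $j] + 1, $d[$i, ($j - 1)] + 1)
            $d[$i, $j] = [Math]::Min($best, $d[($i - 1), ($j - 1)] + $cost)
        }
    }
    $d[$A.Length, $B.Length]
}

function Test-ModuleName {
    param([string]$Name, [int]$MaxDistance = 2)   # threshold is an assumed default
    # Module names are matched case-insensitively, so the exact match is too.
    if ($Approved -contains $Name) { return 'approved' }
    $canon = Get-CanonicalName $Name
    foreach ($good in $Approved) {
        $goodCanon = Get-CanonicalName $good
        if ($canon -eq $goodCanon -or (Get-EditDistance $canon $goodCanon) -le $MaxDistance) {
            return "suspicious: resembles '$good'"
        }
    }
    'unknown: not on the allowlist'
}

# Constructed requests, as they might appear in a build script.
'Contoso.Storage', 'ContosoStorage', 'Contoso.Idenity', 'Northwind.Utils' |
    ForEach-Object { '{0,-16} {1}' -f $_, (Test-ModuleName $_) }
```

The check keys only on the module name because, as the researchers note, author, copyright and description fields can be spoofed and so cannot serve as evidence of origin.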

Another vulnerability discovered is that attackers can use the PowerShell API to enumerate all package names and versions, including those that are meant to be hidden from public view. This unrestricted access lets malicious actors search unlisted packages for sensitive information, compromising any confidential data they may contain.

These shortcomings were reported to Microsoft by Aqua in September 2022, and while reactive fixes were implemented by March 7, 2023, the problems are still reproducible. As reliance on open-source projects and registries increases, the security risks associated with them become more prominent. The researchers emphasize the responsibility of platforms like PowerShell Gallery to take necessary steps to enhance their security measures and protect users from such supply chain attacks.

The post Active Flaws in PowerShell Gallery Pose Supply Chain Attack Risks appeared first on satProviders.
