Aqua Nautilus has uncovered critical vulnerabilities persisting within the PowerShell Gallery, resulting in a fertile ground for malicious actors to exploit and launch attacks.
These vulnerabilities, described in an advisory published on Wednesday, pertain to naming policies, package ownership verification and exposure of unlisted modules. The PowerShell Gallery, an essential repository for PowerShell content, is extensively used for managing cloud resources across platforms like AWS and Azure.
The first flaw reveals a lax module naming policy, enabling typosquatting attacks that imitate popular packages. This opens the door to supply-chain breaches, allowing malevolent modules to be injected into unsuspecting users’ systems.
The second vulnerability involves the manipulation of package metadata, making malicious packages appear authentic by impersonating reputable entities like Microsoft.
The third flaw exposes unlisted packages and their sensitive data, endangering users who have inadvertently exposed confidential information.
Read more on PowerShell security: “PowerDrop” PowerShell Malware Targets US Aerospace Industry
“For years, we’ve seen malicious libraries and modules in Python and Node. This now brings the use of malicious code into shared projects with PowerShell,” commented John Bambenek, principal threat hunter at Netenrich. “Mitigation requires fanatical attention to detail in making sure developers are referencing packages precisely and getting exactly what they intend to do.”
Despite Aqua Nautilus reportedly notifying the Microsoft Security Response Center of these vulnerabilities and creating a proof of concept (POC) that exploits them, the issues remain unresolved, threatening the security of several users.
“We’re aware of this report and have determined that it relies on social engineering to be successful, however we’ve implemented some changes to help identify and remove these packages," a Microsoft's spokesperson told Infosecurity in an email. "We encourage users to report any packages they suspect are malicious via the 'Report' link on the package module. As always, we’ll continue to monitor for malicious activity and will take defense-in-depth measures to help keep customers protected."
Phil Neray, VP of cyber defense strategy at CardinalOps, commented: “This is a classic supply-chain challenge when using open source code [...] How do you know that you can trust it? Short of manually examining every line of code, the best approach is to enable granular logging across your cloud and on-premise infrastructure while implementing high-fidelity detections to quickly alert on suspicious or unauthorized behavior.”
As per these guidelines, DevOps and engineers who rely on PowerShell Gallery modules for cloud deployment are urged to exercise caution and consider adopting signed PowerShell module policies, using trusted private repositories and implementing robust monitoring systems.
Aqua Nautilus also emphasized that securing users primarily rests with platform operators, and these findings underscore the urgent need for enhanced security measures and unified standards across open-source registries.
UPDATE: This article was updated on 21/08/2023 to include Microsoft's comment.