Microsoft has asked system administrators to patch PowerShell 7 against two vulnerabilities allowing attackers to bypass Windows Defender Application Control (WDAC) enforcements and gain access to plain text credentials.
PowerShell is a cross-platform solution that provides a command-line shell, a framework, and a scripting language focused on automation for processing PowerShell cmdlets.
Redmond released PowerShell 7.0.8 and PowerShell 7.1.5 to address these security flaws in the PowerShell 7 and PowerShell 7.1 branches in September and October.
Leaked passwords and WDAC bypass
WDAC is designed to protect Windows devices against potentially malicious software by ensuring that only trusted apps and drivers can run, thus blocking malware and unwanted software from launching.
When the software-based WDAC security layer is enabled in Windows, PowerShell automatically goes into constrained language mode, restricting access to only a limited set of Windows APIs.
By exploiting the Windows Defender Application Control security feature bypass vulnerability tracked as CVE-2020-0951, threat actors can circumvent WDAC's allowlist, which allows them to execute PowerShell commands that would otherwise be blocked when WDAC is enabled.
"To exploit the vulnerability, an attacker need administrator access on a local machine where PowerShell is running. The attacker could then connect to a PowerShell session and send commands to execute arbitrary code," Microsoft explains.
The second flaw, tracked as CVE-2021-41355, is an information disclosure vulnerability in .NET Core where credentials could be leaked in clear text on devices running non-Windows platforms.
"An Information Disclosure vulnerability exists in .NET where System.DirectoryServices.Protocols.LdapConnection may send credentials in plain text on non-Windows Operating systems," Microsoft said.
How to tell if you are affected
The CVE-2020-0951 vulnerability affects both PowerShell 7 and PowerShell 7.1 versions, while CVE-2021-41355 only impacts users of PowerShell 7.1.
To check the PowerShell version you are running and determine if you are vulnerable to attacks exploiting these two bugs, you can execute the pwsh -v command from a Command Prompt.
Microsoft says no mitigation measures are currently available to block the exploitation of these security flaws.
Admins are advised to install the updated PowerShell 7.0.8 and 7.1.5 versions as soon as possible to protect systems from potential attacks.
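The version check above can be scripted. The following is an added example, not code from Microsoft or from this article: it parses the output of pwsh -v and reports which of the two CVEs still apply, using only the affected branches and fixed releases stated here. The function name Get-PwshAdvisoryStatus, its output fields and the sample version strings are assumptions made for illustration.

```powershell
# Added example, not Microsoft's code. Get-PwshAdvisoryStatus is a hypothetical name.
function Get-PwshAdvisoryStatus {
    param(
        [Parameter(Mandatory)][string]$VersionText,  # e.g. "PowerShell 7.1.4" from `pwsh -v`
        [bool]$OnWindows = $true
    )
    # Fixed patch level per branch, as stated in the article (7.0.8 and 7.1.5).
    $fixedPatch = @{ '7.0' = 8; '7.1' = 5 }

    $m = [regex]::Match($VersionText, '(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.]+)?')
    if (-not $m.Success) { throw "No version number found in '$VersionText'" }

    $branch = '{0}.{1}' -f $m.Groups[1].Value, $m.Groups[2].Value
    $patch  = [int]$m.Groups[3].Value
    $cves   = @()

    if ($fixedPatch.ContainsKey($branch) -and $patch -lt $fixedPatch[$branch]) {
        # The WDAC bypass affects both the 7.0 and 7.1 branches.
        $cves += 'CVE-2020-0951'
        # The LdapConnection credential leak is 7.1 only, and only on non-Windows hosts.
        if ($branch -eq '7.1' -and -not $OnWindows) { $cves += 'CVE-2021-41355' }
    }

    [pscustomobject]@{
        Version    = $m.Value
        Branch     = $branch
        Prerelease = $m.Groups[4].Success
        InScope    = $fixedPatch.ContainsKey($branch)   # branch is one the article names
        OpenCVEs   = ($cves -join ', ')
        UpdateTo   = if ($cves) { "$branch.$($fixedPatch[$branch])" } else { $null }
    }
}

# Constructed sample version strings, evaluated as if read on a non-Windows host.
$samples = 'PowerShell 7.0.7', 'PowerShell 7.1.4', 'PowerShell 7.1.5', 'PowerShell 7.2.0-preview.10'
$samples | ForEach-Object { Get-PwshAdvisoryStatus -VersionText $_ -OnWindows $false }

# Then the locally installed pwsh, if one is on PATH.
# $IsWindows is undefined in Windows PowerShell 5.1, so the Desktop edition is checked first.
$onWindows = ($PSVersionTable.PSEdition -eq 'Desktop') -or $IsWindows
if (Get-Command pwsh -ErrorAction SilentlyContinue) {
    Get-PwshAdvisoryStatus -VersionText (& pwsh -v) -OnWindows $onWindows
} else {
    Write-Warning 'pwsh was not found on PATH; no PowerShell 7 version could be read.'
}
```

InScope is false for any branch the article does not list, which means the script has no data for that version, not that the version is confirmed unaffected.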
"System administrators are advised to update PowerShell 7 to an unaffected version," Microsoft added. Details on what PowerShell versions are affected and the fixed versions can be found here and here.
In July, Microsoft warned of another high severity .NET Core remote code execution vulnerability in PowerShell 7.
Microsoft recently announced that it would be making it easier to update PowerShell for Windows 10 and Windows Server customers by releasing future updates via the Microsoft Update service.
Comments
edmoncu - 2 years ago
it just says : 'pwsh' is not recognized as an internal or external command,
operable program or batch file.
serghei - 2 years ago
I think you have a preview version of PowerShell.
You can find a solution to your problem at https://github.com/PowerShell/PowerShell/issues/11269#issuecomment-562337509
U_Swimf - 2 years ago
Typical Microsoft: "Update minions!"
Term window: update FAILED
geogherkins - 2 years ago
There is no "pwsh" command in older versions of PowerShell, which is what the error message means. So, if you get "not recognized as an internal command" you are safely not using v7 of PowerShell.
For example, use "$PSVersionTable" (from a PowerShell prompt) to display the version of PowerShell on a Windows 10 computer that has not had PowerShell 7 installed:
PS C:\> $PSVersionTable

Name                           Value
----                           -----
PSVersion                      5.1.18362.1801
PSEdition                      Desktop
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0...}
BuildVersion                   10.0.18362.1801
CLRVersion                     4.0.30319.42000
WSManStackVersion              3.0
PSRemotingProtocolVersion      2.3
SerializationVersion           1.1.0.1
serghei - 2 years ago
Not saying you're not also right, but that error is also displayed for preview versions of PowerShell.
Just go through the issue I linked above and you'll see what I mean.