Malicious actors could exploit existing vulnerabilities within the PowerShell Gallery to execute supply chain attacks targeting users of the registry.
“Aqua security researchers, including Mor Weinberger, Yakir Kadkoda, and Ilay Goldman, conveyed in a report to The Hacker News that these vulnerabilities lead to unavoidable typosquatting attacks in the registry and complicate users’ ability to discern package ownership.”
Vulnerabilities in PowerShell Gallery Enabling Supply Chain Attacks
Managed by Microsoft, PowerShell Gallery is a primary hub for distributing and obtaining PowerShell code, encompassing modules, scripts, and Desired State Configuration (DSC) resources. The registry hosts 11,829 unique packages and a total of 244,615 packages.
The cloud security company pinpointed concerns linked to the registry’s lenient package naming policy, which lacks safeguards against typosquatting attacks. This oversight empowers attackers to upload deceptive malicious PowerShell modules, fooling unsuspecting users.
Another issue involves a malicious individual being able to manipulate a module’s metadata, such as Author(s), Copyright, and Description fields. This manipulation makes the module seem more genuine, tricking unsuspecting users into installing it.
The researchers mentioned that users can only confirm the true author/owner by accessing the “Package Details” tab.
However, this leads only to the false author’s profile since attackers can freely choose any name while making a user on the PowerShell Gallery. Hence, identifying the true author of a PowerShell module in the PowerShell Gallery is challenging.
Another issue is a third vulnerability, exploitable by attackers to list all package names and versions, even those meant to be private. This exploit employs the PowerShell API “https://www.powershellgallery.com/api/v2/Packages?$skip=number,” granting unrestricted access to the entire PowerShell package database, along with its versions.
Aqua notified Microsoft about the issues in September 2022. Microsoft supposedly implemented reactive fixes by March 7, 2023. However, the problems can still be replicated.
The researchers emphasized, “As we rely more on open-source projects and registries, security risks become more noticeable.”
“The main responsibility for user security rests with the platform. It’s crucial for PowerShell Gallery and similar platforms to bolster their security measures.”