Microsoft recommends patching to protect against PowerShell vulnerability attacks.


Microsoft has notified system administrators to patch PowerShell 7 against two vulnerabilities that allow attackers to bypass Windows Defender Application Control (WDAC) and to obtain credentials in plain text.

PowerShell is a cross-platform automation solution that provides a command-line shell, a configuration management framework, and a scripting language for automating tasks built from PowerShell cmdlets.

Microsoft released PowerShell 7.0.8 and PowerShell 7.1.5 in September and October to address these security flaws in PowerShell 7 and PowerShell 7.1 versions.

Password Leakage and WDAC Bypass

WDAC is a feature intended to protect Windows devices from potentially malicious software: it stops malware and unwanted software from launching by ensuring that only trusted applications and drivers are allowed to run.

When the software-based WDAC security layer is enabled in Windows, PowerShell automatically enters Constrained Language mode, which restricts scripts to a limited set of Windows APIs.

A security feature bypass vulnerability in Windows Defender Application Control (CVE-2020-0951) can be exploited to bypass the WDAC allow list and execute PowerShell commands that would otherwise be blocked when WDAC is enabled.

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2020-0951

To exploit this vulnerability, an attacker must already have administrative privileges on the local machine where PowerShell is running. The attacker can then connect to the PowerShell session and send commands to execute arbitrary code.

The second vulnerability, tracked as CVE-2021-41355, is an information disclosure vulnerability in .NET Core that can leak credentials in plaintext on devices running platforms other than Windows.

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-41355

The information disclosure vulnerability exists in .NET, where System.DirectoryServices.Protocols.LdapConnection could send authentication credentials in plain text on non-Windows operating systems.

How to check if you are affected

CVE-2020-0951 is present in both PowerShell 7 and PowerShell 7.1 versions, while CVE-2021-41355 only affects PowerShell 7.1 users.

To check which version of PowerShell you are running, and therefore whether you are exposed to attacks exploiting these two bugs, run the `pwsh -v` command from a command prompt.
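The version check above can be scripted so that the result is compared directly against the fixed releases named in the article. The following is an added example, not code from the article or from Microsoft: it assumes it is run inside PowerShell 7 (where `$PSVersionTable.PSVersion` is a semantic version with a `Patch` field), and the function name `Test-PowerShell7Advisory` is this example's own. The affected lines and fixed versions (7.0.8 and 7.1.5) are taken from the article. It also reports the session's language mode, which is what WDAC enforcement switches to Constrained Language.

```powershell
# Added example: compare the running PowerShell 7 build against the fixed
# releases from the advisory (7.0.8 for the 7.0 line, 7.1.5 for the 7.1 line).
# Function name and output shape are assumptions of this example.
function Test-PowerShell7Advisory {
    param(
        [Parameter(Mandatory)]
        [version]$Version
    )

    # Only the 7.0 and 7.1 lines are covered by the article; anything else is
    # reported as out of scope rather than guessed at.
    switch ("$($Version.Major).$($Version.Minor)") {
        '7.0' {
            return [pscustomobject]@{
                Version  = $Version
                Affected = ($Version -lt [version]'7.0.8')
                FixedIn  = '7.0.8'
                CVEs     = @('CVE-2020-0951')          # CVE-2021-41355 affects 7.1 only
            }
        }
        '7.1' {
            return [pscustomobject]@{
                Version  = $Version
                Affected = ($Version -lt [version]'7.1.5')
                FixedIn  = '7.1.5'
                CVEs     = @('CVE-2020-0951', 'CVE-2021-41355')
            }
        }
        default {
            return [pscustomobject]@{
                Version  = $Version
                Affected = $null                       # not covered by the advisory
                FixedIn  = $null
                CVEs     = @()
            }
        }
    }
}

# Current host: build a System.Version from the semantic version that pwsh reports
# (this is the same value that `pwsh -v` prints). Assumes PowerShell 7.
$ps = $PSVersionTable.PSVersion
$current = [version]"$($ps.Major).$($ps.Minor).$($ps.Patch)"
Test-PowerShell7Advisory -Version $current | Format-List

# Language mode: 'ConstrainedLanguage' is what an enforced WDAC policy applies to
# PowerShell; 'FullLanguage' means no such restriction is active in this session.
"LanguageMode: $($ExecutionContext.SessionState.LanguageMode)"

# Constructed sample values to show the boundary on each line: the first of
# each pair is reported as Affected, the second as fixed.
'7.0.7', '7.0.8', '7.1.4', '7.1.5' |
    ForEach-Object { Test-PowerShell7Advisory -Version $_ } |
    Format-Table Version, Affected, FixedIn, CVEs -AutoSize
```

The comparison is done on a `[version]` object rather than on the string that `pwsh -v` prints, so `7.0.10` would correctly sort above `7.0.8`; a plain string comparison would get that wrong.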

According to Microsoft, there are currently no mitigations or workarounds that stop exploitation of these security flaws.

It is recommended that administrators install the updated PowerShell 7.0.8 and 7.1.5 versions as soon as possible to protect their systems from attacks.

System administrators are advised to update PowerShell 7 to an unaffected version.

In July, Microsoft warned of another high severity .NET Core remote code execution vulnerability in PowerShell 7.
