Flaws in PowerShell Gallery leave users and cloud environments vulnerable

The PowerShell Gallery is the central repository for PowerShell content, offering modules, scripts, and DSC resources. Users can share and collaborate on PowerShell resources, making it a hub for the community. It integrates with the PowerShell module management tool, allowing users to directly install, update, and manage modules and scripts. The platform promotes best practices and is maintained by Microsoft, ensuring a level of trust and quality.

Aqua Security found several vulnerabilities that leave users, and the environments they manage, exposed. The first is a lax naming policy that allows malicious actors to upload packages containing malicious code under names that closely resemble those of legitimate packages, a technique commonly referred to as "typosquatting". Typosquatting is already a significant problem on other package repositories such as npm and PyPI.

The second vulnerability allows malicious actors to forge the metadata of the modules they upload, enabling them to impersonate the authors of legitimate software: a package can be made to look as if it was authored by someone else. The third vulnerability allows attackers to enumerate all package names and versions, including those that are unlisted. Unlisted packages may contain secrets and other sensitive information.

These three vulnerabilities pose a significant supply chain risk to anyone developing code with PowerShell; such users should be on the lookout for misspelled package names.
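To act on that warning, the following is an added PowerShell example (my own, not code from the article or from Aqua's research): a pre-install gate that flags requested module names lying within a few edits of an allowlist you maintain (typosquat candidates), plus a check of Authenticode signatures instead of the forgeable Author field in module metadata. The allowlist, the requested names and the function names are constructed for illustration.

```powershell
function Get-EditDistance {
    # Levenshtein distance, case-insensitive, so 'Az.Acounts' vs 'Az.Accounts' is 1.
    param([string]$A, [string]$B)
    $A = $A.ToLowerInvariant(); $B = $B.ToLowerInvariant()
    if ($A.Length -eq 0) { return $B.Length }
    if ($B.Length -eq 0) { return $A.Length }
    $prev = @(0..$B.Length)
    for ($i = 1; $i -le $A.Length; $i++) {
        $cur = @($i) + (New-Object int[] $B.Length)
        for ($j = 1; $j -le $B.Length; $j++) {
            $cost = if ($A[$i - 1] -eq $B[$j - 1]) { 0 } else { 1 }
            $cur[$j] = [Math]::Min([Math]::Min($cur[$j - 1] + 1, $prev[$j] + 1), $prev[$j - 1] + $cost)
        }
        $prev = $cur
    }
    return $prev[$B.Length]
}

function Test-RequestedModule {
    # Exact allowlist hit: trusted. Within $MaxDistance edits of a trusted name: possible typosquat.
    param([string[]]$Requested, [string[]]$Trusted, [int]$MaxDistance = 2)
    foreach ($name in $Requested) {
        if ($Trusted -contains $name) {   # -contains is case-insensitive for strings
            [pscustomobject]@{ Module = $name; Verdict = 'trusted'; ClosestTrusted = $name }
            continue
        }
        $closest = $Trusted | ForEach-Object {
            [pscustomobject]@{ Name = $_; Distance = (Get-EditDistance -A $name -B $_) }
        } | Sort-Object Distance | Select-Object -First 1
        $verdict = if ($closest.Distance -le $MaxDistance) { 'possible typosquat' } else { 'unknown' }
        [pscustomobject]@{ Module = $name; Verdict = $verdict; ClosestTrusted = $closest.Name }
    }
}

function Get-ModuleSignatureStatus {
    # The Author field can be forged; a valid Authenticode signature needs the signer's key.
    param([string]$ModulePath)
    Get-ChildItem -Path $ModulePath -Recurse -Include *.psd1, *.psm1, *.ps1 |
        Get-AuthenticodeSignature |
        Select-Object Path, Status, @{ n = 'Signer'; e = { $_.SignerCertificate.Subject } }
}

# Constructed sample: an allowlist and a set of install requests, three of which are one edit away.
$trusted   = 'Az.Accounts', 'Az.Storage', 'PSReadLine', 'Pester'
$requested = 'Az.Accounts', 'Az.Acounts', 'AzStorage', 'Pestr', 'MyInternalTool'
Test-RequestedModule -Requested $requested -Trusted $trusted | Format-Table -AutoSize
```

Run Get-ModuleSignatureStatus against a module directory after Save-Module (before Install-Module) so that a 'NotSigned' or 'HashMismatch' status can be reviewed before anything is imported.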

Aqua has disclosed the issues to Microsoft twice. Microsoft has claimed that the issues are fixed, but they were still reproducible at the time of publication.

The disclosure timeline as published on the Aqua Blog:

  • 27 September 2022 – Aqua Research team reported flaws to MSRC.
  • 20 October 2022 – MSRC confirmed the behavior we reported.
  • 2 November 2022 – MSRC stated that the issue has been fixed (cannot provide details of product fixes in Online Services).
  • 26 December 2022 – We reproduced the flaws (no prevention).
  • 3 January 2023 – Aqua Research team reopened the report about the flaws with MSRC.
  • 3 January 2023 – MSRC confirmed the behavior we reported.
  • 10 January 2023 – MSRC marked the report as Resolved.
  • 15 January 2023 – MSRC responded, “The engineering team is still working on fixing the Typosquatting and package detail spoofing. We currently have a short-term solution in place for new modules published to PSGallery”.
  • 7 March 2023 – MSRC responded, “Reactive fixes have been put in place”.
  • 16 August 2023 – Flaws are still reproducible.