Microsoft’s product PowerShell Gallery contains vulnerabilities that enable supply chain attacks, spoofing and typosquatting attacks. The vulnerabilities arose from the product’s lax naming policy for code repository.
PowerShell Gallery constitutes a hugely popular code hosting platform. The platform runs entirely online and is maintained by Microsoft. AquaSec researchers noted some laxity in the naming policy for code repository.
Users can upload packages with a name almost identical to an already available package. Hackers can abuse the policy to put malicious packages online that are almost indistinguishable in name from legitimate packages. This is, in effect, typosquatting.
The possibility of spoofing is another problem. Here, hackers take data such as the author’s name from legitimate projects to make their own malicious packages look legitimate. This causes problems for users who download the packages, as well as the person whose name is falsely given as the author. It is possible to check which account the packages were uploaded through, but that requires a user to go through the details while the author’s name is always shown.
Finally, the researchers saw that it is possible to access unshared packages. “This uncontrolled access allows malicious actors to search for potentially sensitive information within unlisted packages,” the researchers warn.
Microsoft takes no action
AquaSec notified Microsoft of the findings about a year ago. The owner of PowerShell Gallery acknowledges that it received all the reports but took no further action.
This is more often the state of affairs at Microsoft. The company has been publicly criticized for it but seems to care little. Perhaps an official investigation by CISA, following the Chinese e-mail hack for which Microsoft may be partly to blame, could change that.
Until Microsoft changes its mind, the researchers offer some tips for using PowerShell Gallery safely. One piece of advice is to adopt a policy in which only signed scripts are allowed to run. Another piece of advice is to run the required repository in a secure, private environment and not on Microsoft’s online platform. Then you will profit from regularly checking that there is no sensitive data in the source code. Finally, it’s best to scan for suspicious behaviour in your company’s cloud environments.