Microsoft fails to fix major PowerShell Gallery security flaws even after claiming it did

The security researcher team at AquaSec (Aqua Security) has published a report which highlights a series of major security vulnerabilities currently residing in Microsoft"s PowerShell Gallery. As the name suggests, the PowerShell Gallery or PSGallery is a repository that contains scripts, modules, and Desired State Configuration (DSC) resources.

AquaSec explains in its report that there are three major flaws in PSGallery, centered around deception and forgery. The surprising thing about the matter though is that Microsoft has apparently been aware of the issue for a very long time and has yet to implement any fix. AquaSec states:

Despite reporting the flaws to the Microsoft Security Response Center on two separate occasions, with confirmation of the reported behavior and claims of ongoing fixes, as of August 2023, the issues remain reproducible, indicating that no tangible changes have been implemented.

To give us a better idea of what it meant, AquaSec has also published the entire vulnerability disclosure timeline which suggests that the tech giant has been aware of the issue since September last year. In fact, in March 2023, Microsoft seemingly confirmed that "reactive fixes" were out.

Disclosure timeline

  • 27 September 2022 - Aqua Research team reported flaws to MSRC.
  • 20 October 2022 - MSRC confirmed the behavior we reported.
  • 2 November 2022 - MSRC stated that the issue has been fixed (cannot provide details of product fixes in Online Services).
  • 26 December 2022 - We reproduced the flaws (no prevention).
  • 03 January 2023 - Aqua Research team reopened the report about flaws MSRC.
  • 03 January 2023 - MSRC confirmed the behavior we reported.
  • 10 January 2023 - MSRC marked the report as Resolved.
  • 15 January 2023 - MSRC responded, "The engineering team is still working on fixing the Typosquatting and package detail spoofing. We currently have a short-term solution in place for new modules published to PSGallery".
  • 07 March 2023 - MSRC responded, "Reactive fixes have been put in place".
  • 16 August 2023 - Flaws are still reproducible.

Now coming to the security flaws themselves, AquaSec found that PowerShell Gallery packages were susceptible to typosquatting issues, which is, in essence, the exploitation of a mistype by a potential victim. The threat research team also found evidence of more spoofing via the forgery of module metadata. Finally, AquaSec also discovered that unlisted packages were also being exposed.

You can find all the technical details of each of the issues in this blog post titled "PowerHell" on AquaSec"s website.

Report a problem with article
Next Article

Apple's iOS 17 Developer Beta 6 brings many notable changes to the core UI

Previous Article

Microsoft is rolling out AI-generated summaries in the Microsoft Store