Microsoft asks admins to patch PowerShell against WDAC bypass
Microsoft has asked system administrators to patch PowerShell 7 against two vulnerabilities that allow attackers to bypass Windows Defender Application Control (WDAC) enforcement and to obtain credentials in plain text.
PowerShell is a cross-platform task automation solution made up of a command-line shell, a scripting language, and a configuration management framework, built around composable commands called cmdlets.
Redmond released PowerShell 7.0.8 and PowerShell 7.1.5 to address these security holes in the PowerShell 7 and PowerShell 7.1 branches in September and October.
Password Leak and WDAC Bypass
WDAC is designed to protect Windows devices from potentially malicious software by ensuring that only trusted applications and drivers can run, thereby blocking the launch of malicious and unwanted software.
When WDAC is enforced on a Windows system, PowerShell automatically runs in Constrained Language mode, which limits scripts to a restricted subset of the language: arbitrary .NET types and methods, COM objects, Add-Type and similar features are blocked, so PowerShell cannot be used to run code that the WDAC policy would not otherwise allow.
By exploiting the WDAC security feature bypass vulnerability tracked as CVE-2020-0951, malicious actors can escape these restrictions and bypass the WDAC allow-list policy, executing PowerShell commands that would otherwise be blocked when WDAC is enabled.
“To exploit the vulnerability, an attacker needs administrative access to a local machine where PowerShell is running. The attacker could then connect to a PowerShell session and send commands to execute arbitrary code,” explains Microsoft.
The second vulnerability, identified as CVE-2021-41355, is an information disclosure vulnerability in .NET Core where credentials could be disclosed in clear text on devices running non-Windows platforms.
“An information disclosure vulnerability exists in .NET where System.DirectoryServices.Protocols.LdapConnection may send plain text credentials on non-Windows operating systems,” Microsoft said.
How to know if you are affected
Vulnerability CVE-2020-0951 affects both PowerShell 7 and PowerShell 7.1 versions, while CVE-2021-41355 only affects PowerShell 7.1 users.
To check which version of PowerShell you are running and determine whether you are exposed to these two bugs, run `pwsh -v` (short for `pwsh -Version`) from a command prompt, or inspect `$PSVersionTable.PSVersion` from inside a PowerShell session.
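The following script is an added example, not code from the article or from Microsoft. It ties together the two points above: it compares a PowerShell 7 version against the fixed builds the article names (7.0.8 for the 7.0 branch, 7.1.5 for the 7.1 branch), reports which of the two CVEs apply, and reads the session's language mode, since WDAC enforcement is what puts PowerShell into ConstrainedLanguage mode in the first place. The function name, its output fields and the sample version strings are this example's own choices.

```powershell
# Added example (not from the article or Microsoft): audit a PowerShell 7 host
# against the two CVEs described above and report whether WDAC has put the
# session into ConstrainedLanguage mode. Fixed versions and affected branches
# come from the article; the function name and output shape are assumptions.

function Get-PwshAdvisoryStatus {
    [CmdletBinding()]
    param(
        # Version to evaluate; defaults to the running engine. Accepts strings such
        # as "7.1.4"; any prerelease tag (e.g. "-preview.1") is ignored.
        [string]$Version = $PSVersionTable.PSVersion.ToString()
    )

    if ($Version -notmatch '^(\d+)\.(\d+)\.(\d+)') {
        throw "Unrecognised PowerShell version string: '$Version'"
    }
    $v = [version]::new([int]$Matches[1], [int]$Matches[2], [int]$Matches[3])

    # First fixed build per branch, as stated in the article.
    $fixed = @{
        '7.0' = [version]'7.0.8'   # fixes CVE-2020-0951
        '7.1' = [version]'7.1.5'   # fixes CVE-2020-0951 and CVE-2021-41355
    }
    $branch  = '{0}.{1}' -f $v.Major, $v.Minor
    $inScope = $fixed.ContainsKey($branch)   # 5.1 and 7.2+ are not covered by this advisory

    $cves = @()
    if ($inScope -and $v -lt $fixed[$branch]) {
        $cves += 'CVE-2020-0951'                              # WDAC bypass: both branches
        if ($branch -eq '7.1') { $cves += 'CVE-2021-41355' }  # LDAP cleartext creds: 7.1 only
    }

    $fixedVersion = if ($inScope) { $fixed[$branch].ToString() } else { $null }

    [pscustomobject]@{
        Version      = $v.ToString()
        Branch       = $branch
        InScope      = $inScope
        Vulnerable   = $cves.Count -gt 0
        CVEs         = $cves
        FixedVersion = $fixedVersion
        # 'ConstrainedLanguage' here means a WDAC (or similar) policy is restricting this
        # session; 'FullLanguage' means nothing is being restricted to bypass.
        LanguageMode = $ExecutionContext.SessionState.LanguageMode.ToString()
    }
}

# Usage: run inside pwsh on the host being audited.
Get-PwshAdvisoryStatus | Format-List

# Or evaluate version strings collected elsewhere, e.g. the output of `pwsh -v`,
# which prints "PowerShell <version>". These sample strings are constructed.
'PowerShell 7.1.4', 'PowerShell 7.0.8', 'PowerShell 7.0.3' | ForEach-Object {
    Get-PwshAdvisoryStatus -Version ($_ -replace '^PowerShell\s+', '')
} | Format-Table Version, Vulnerable, CVEs, FixedVersion
```

For the constructed inputs, 7.1.4 reports both CVEs, 7.0.3 reports only CVE-2020-0951, and 7.0.8 reports none. The version comparison deliberately drops any prerelease tag, so a prerelease build numbered like a fixed release would be treated as fixed; treat such builds as out of scope for this check.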
Microsoft says that no mitigation measures are currently available to block the exploitation of these security vulnerabilities.
Administrators are advised to install updated versions of PowerShell 7.0.8 and 7.1.5 as soon as possible to protect systems from potential attacks.
“System administrators are encouraged to update PowerShell 7 to an unaffected version,” Microsoft added. Details on affected and patched PowerShell versions can be found in Microsoft's advisories for the two CVEs.
In July, Microsoft warned of another high severity .NET Core remote code execution vulnerability in PowerShell 7.
Microsoft recently announced that it will make it easier to update PowerShell for Windows 10 and Windows Server clients by releasing future updates through the Microsoft Update service.