Microsoft has announced a patch for PowerShell 7 that fixes two vulnerabilities allowing attackers to bypass Windows Defender Application Control (WDAC) enforcement and gain access to credentials written in plain text. PowerShell 7.0.8 and PowerShell 7.1.5, released in September and October, fix the vulnerabilities in the PowerShell 7 and 7.1 branches.

WDAC protects Windows devices against potentially malicious software by checking whether the applications and drivers being run are on the trusted apps list. If an application is on the list, Windows is allowed to run it; otherwise, WDAC blocks the malware or unwanted software from launching. When the WDAC security layer is enabled, PowerShell automatically goes into constrained language mode and allows access to only a limited set of Windows APIs.

When the vulnerability tracked as CVE-2020-0951 is exploited, the attacker can bypass the Windows Defender Application Control security feature by manipulating the WDAC allow-list and execute PowerShell commands that would normally be blocked when WDAC is enabled. The second vulnerability, tracked as CVE-2021-41355, is an information disclosure in .NET Core. By exploiting this vulnerability, the attacker can access credentials in clear text on devices running non-Windows platforms.

To check your PowerShell version, run the command below from the Command Prompt. If your version is lower than the versions mentioned above, we strongly advise updating PowerShell to the secure versions, PowerShell 7.0.8 and PowerShell 7.1.5, as soon as possible.

pwsh -v
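
The same check can be scripted for an inventory of hosts. The following is an added example, not code from Microsoft or from the original article: the function name Test-PwshPatched and the sample version strings are constructed for illustration, and the fixed versions per branch are the ones named above.

```powershell
# Fixed release per branch, as named in the article.
$FixedByBranch = @{
    '7.0' = [version]'7.0.8'
    '7.1' = [version]'7.1.5'
}

# Hypothetical helper: classify one version string such as the output of `pwsh -v`.
function Test-PwshPatched {
    param(
        [Parameter(Mandatory)]
        [string]$VersionText
    )

    # Extract major.minor.patch; a pre-release suffix such as "-preview.3" is ignored.
    if ($VersionText -notmatch '(\d+)\.(\d+)\.(\d+)') {
        return [pscustomobject]@{ Input = $VersionText; Version = $null; Status = 'Unparsed' }
    }
    $found  = [version]$Matches[0]
    $branch = '{0}.{1}' -f $found.Major, $found.Minor

    if (-not $FixedByBranch.ContainsKey($branch)) {
        # The article only names fixes for the 7.0 and 7.1 branches.
        $status = 'NotCovered'
    }
    elseif ($found -ge $FixedByBranch[$branch]) {
        $status = 'Patched'
    }
    else {
        $status = 'Vulnerable'
    }
    [pscustomobject]@{ Input = $VersionText; Version = $found; Status = $status }
}

# Constructed sample inventory (not real hosts), one `pwsh -v` result per line.
$samples = @(
    'PowerShell 7.0.7', 'PowerShell 7.0.8',
    'PowerShell 7.1.4', 'PowerShell 7.1.5',
    'PowerShell 7.2.0', 'pwsh: command not found'
)
$samples | ForEach-Object { Test-PwshPatched -VersionText $_ } | Format-Table -AutoSize

# The local session: its own version, plus the language mode that WDAC enforcement changes.
$local = Test-PwshPatched -VersionText "PowerShell $($PSVersionTable.PSVersion)"
$local | Add-Member -NotePropertyName LanguageMode `
    -NotePropertyValue $ExecutionContext.SessionState.LanguageMode -PassThru
```

On a host where WDAC is enforced, the LanguageMode value is expected to read ConstrainedLanguage; FullLanguage on such a host is worth investigating.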