Microsoft Asks Admins To Patch PowerShell To Fix WDAC Bypass
Microsoft has asked system administrators to patch PowerShell 7 against two vulnerabilities allowing attackers to bypass Windows Defender Application Control (WDAC) enforcements and gain access to plain text credentials.
PowerShell is a cross-platform solution that provides a command-line shell, a framework, and a scripting language focused on automation for processing PowerShell cmdlets.
Redmond released PowerShell 7.0.8 and PowerShell 7.1.5 to address these security flaws in the PowerShell 7 and PowerShell 7.1 branches in September and October.
Leaked passwords and WDAC bypass
WDAC is designed to protect Windows devices against potentially malicious software by ensuring that only trusted apps and drivers can run, thus blocking malware and unwanted software from launching.
When the software-based WDAC security layer is enabled in Windows, PowerShell automatically goes into constrained language mode, restricting access to only a limited set of Windows APIs.
By exploiting the Windows Defender Application Control security feature bypass vulnerability tracked as CVE-2020-0951, threat actors can circumvent WDAC’s allowlist, which allows them to execute PowerShell commands that would otherwise be blocked when WDAC is enabled.
“To exploit the vulnerability, an attacker need administrator access on a local machine where PowerShell is running. The attacker could then connect to a PowerShell session and send commands to execute arbitrary code,” Microsoft explains.
The second flaw, tracked as CVE-2021-41355, is an information disclosure vulnerability in .NET Core where credentials could be leaked in clear text on devices running non-Windows platforms.
“An Information Disclosure vulnerability exists in .NET where System.DirectoryServices.Protocols.LdapConnection may send credentials in plain text on non-Windows Operating systems,” Microsoft said.
How to tell if you are affected
The CVE-2020-0951 vulnerability affects both PowerShell 7 and PowerShell 7.1 versions, while CVE-2021-41355 only impacts users of PowerShell 7.1.
To check the PowerShell version you are running and determine if you are vulnerable to attacks exploiting these two bugs, you can execute the
pwsh -v command from a Command Prompt.
Microsoft says no mitigation measures are currently available to block the exploitation of these security flaws.
“System administrators are advised to update PowerShell 7 to an unaffected version,” Microsoft added. Details on what PowerShell versions are affected and the fixed versions can be found here and here.
In July, Microsoft warned of another high severity .NET Core remote code execution vulnerability in PowerShell 7.
Microsoft recently announced that it would be making it easier to update PowerShell for Windows 10 and Windows Server customers by releasing future updates via the Microsoft Update service.