Active Flaws in PowerShell Gallery: A Gateway for Supply Chain Attacks

The PowerShell Gallery, a central repository maintained by Microsoft for sharing and acquiring PowerShell code, has recently faced heightened scrutiny due to a series of active vulnerabilities that pose a significant risk of supply chain attacks against its users. These flaws, uncovered by security researchers from Aqua, have shed light on potential weaknesses in the security measures of the PowerShell Gallery.

Flaw 1: Typosquatting Attacks

One of the vulnerabilities discovered by Aqua’s researchers revolves around the lenient policy of the PowerShell Gallery regarding package names. This weakness creates an opportunity for typosquatting attacks, where malicious PowerShell modules can be uploaded, pretending to be legitimate packages. It becomes incredibly challenging for unsuspecting users to determine the true owner of a package, as these flaws make it difficult to distinguish between genuine and rogue modules. Microsoft recommends relying on the “Owner” field, as the “Author” metadata is not verified by the company. However, the “Author” field is prominently displayed by default, while the “Owner” field remains hidden, further complicating the identification process.

Flaw 2: Spoofing Module Metadata

In addition to the typosquatting vulnerability, Aqua’s researchers have uncovered a flaw that enables malicious actors to spoof module metadata. By manipulating fields such as Author(s), Copyright, and Description, attackers can make their malicious modules appear more authentic to unsuspecting users. The researchers emphasize that the only way for users to ascertain the true author/owner is by navigating to the “Package Details” tab. However, this can inadvertently lead them to the profile of the fake author, as attackers have the liberty to freely choose any name during the user creation process. The ability to deceive users into installing malicious modules undermines the trust and security of the PowerShell Gallery.

Flaw 3: Exposing Unlisted Packages

Aqua’s researchers have identified another critical flaw related to the exposure of unlisted packages and their associated secrets. According to the documentation of the PowerShell Gallery, unlisted packages should not be visible in search results or through the API. However, attackers can exploit an API vulnerability to discover and access these supposedly hidden packages. This discovery raises significant concerns as package authors might unintentionally include sensitive information in unlisted versions. The researchers at Aqua were surprised to find publishers who unknowingly uploaded files containing API keys and other confidential data. The exposure of such secrets poses a threat not only to individual users but also to organizations, including a major technology company that prefers to remain anonymous.

Mitigation Steps

In September 2022, Aqua Security promptly reported these flaws to Microsoft. Although reactive fixes were implemented by March 7, 2023, the vulnerabilities remain. Consequently, the PowerShell Gallery and similar platforms must take necessary measures to enhance their security. Here are some recommended steps for mitigation:

Strict Package Naming Policy: Implementing a strict package naming policy can help prevent typosquatting attacks. By verifying authorship and restricting the use of deceptive package names, the PowerShell Gallery can reduce the risk of users installing malicious modules.
Enhanced Verification Process: Microsoft should consider implementing a verification process for the “Author” metadata field, increasing its reliability and reducing the likelihood of spoofed module metadata. This would help users identify the true authors and owners of packages with greater confidence.
Restricted Access to Unlisted Packages: The PowerShell Gallery should strengthen its access controls to prevent unauthorized enumeration and access to unlisted packages. By strictly enforcing the unlisting feature and ensuring that unlisted packages remain hidden from public view, the platform can safeguard sensitive information from potential compromise.
Enforce Execution of Signed Scripts: To further enhance security, it is recommended to enforce a policy that only allows the execution of signed scripts. This requirement ensures that any script or module, including those downloaded from the PowerShell Gallery, must be digitally signed with a trusted certificate before they can be run.
Trusted Private Repository: Organizations can mitigate the risks associated with the PowerShell Gallery by utilizing trusted private repositories. By managing and consuming private modules in a more secure environment, organizations can minimize their exposure to potential supply chain attacks.
Regular Scanning for Sensitive Data: It is crucial to regularly scan the source code of modules for any exposed secrets. Conducting security assessments of repositories that store and manage module code can help identify and address any vulnerabilities promptly. Additionally, promptly rotating exposed secrets is essential to prevent exploitation by malicious actors.
Implement Continuous Monitoring: Maintaining a robust continuous monitoring system is crucial for identifying potential threats and suspicious activities within CI/CD pipelines and cloud infrastructure. By actively monitoring and detecting deviations from established normal profiles, organizations can promptly respond to potential attacks. This proactive approach ensures timely mitigation and enhances overall security measures.

Conclusion

The PowerShell Gallery has identified active flaws that pose a significant risk of supply chain attacks against its users. Aqua’s researchers have shed light on vulnerabilities in the platform’s package naming policy, module metadata verification, and access controls for unlisted packages. Immediate action is needed from the PowerShell Gallery and similar platforms to enhance their security measures. By implementing stringent policies, improving verification processes, and strengthening access controls, the PowerShell Gallery can mitigate the risk of supply chain attacks and enhance the overall security of its users. Organizations should also adopt additional security measures, such as enforcing the execution of signed scripts and utilizing trusted private repositories, to further protect themselves from potential threats. Regular scanning for sensitive data and implementing continuous monitoring are essential practices to detect and respond to emerging risks. As we increasingly rely on open-source projects and registries, platform providers must prioritize the security of their users to reduce the attack surface and safeguard against supply chain attacks.

Purple Shield Security is not your typical cybersecurity consulting firm. We are the guardians of your digital realm, committed to protecting your business from the constantly evolving landscape of cyber threats. With a dedicated team of passionate security professionals by your side, we go above and beyond mere data and system protection – we provide you with peace of mind. Our comprehensive range of services includes Security Assessments, Penetration Testing, Incident Response, and more. By harnessing cutting-edge solutions and leveraging our expertise, we empower you to fortify your web applications and minimize vulnerability to attacks.

Don’t wait to secure your business. Get in touch with us today and discover how Purple Shield Security can revolutionize your cybersecurity defenses.

Cookie	Duration	Description
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.