Researchers at Aqua Nautilus have identified significant flaws in the PowerShell Gallery’s policy regarding package names and owners [8]. These flaws pose significant risks to organizations using PowerShell Gallery modules [8], especially in cloud environments [8].
Description
Researchers at Aqua Nautilus have discovered flaws in the PowerShell Gallery’s policy regarding package names and owners [8]. These flaws include weak protections against typosquatting attacks, where threat actors use similar names to popular packages to trick users into downloading malicious ones [4]. Additionally, the flaws make it difficult for users to identify the true owner of a package [2] [5] [6] [7] [8], as attackers can upload malicious PowerShell modules that appear genuine to unsuspecting users [2] [5]. Aqua recommends implementing a strict package naming policy [3], verifying authorship [3], and restricting access to unlisted packages to mitigate these risks. They also suggest using signed modules, trusted private repositories [1] [3] [4], and caution when downloading new modules [1] [4]. Aqua emphasizes the need for PowerShell Gallery to enhance its security measures to protect users [2] [6]. Furthermore, Aqua discovered an API that allows threat actors to find unlisted modules and potentially sensitive data [1] [4], highlighting the importance of improving package ownership visibility and implementing a robust continuous monitoring system. Despite reporting the flaws to Microsoft [8], the issues remain unresolved [8]. The PowerShell Gallery is a central repository for sharing and acquiring PowerShell code [6], with over 11,000 unique packages [6].
Conclusion
These flaws in the PowerShell Gallery’s policy regarding package names and owners have significant implications for organizations using PowerShell Gallery modules, particularly in cloud environments [8]. Mitigations such as implementing a strict package naming policy, verifying authorship [3], and restricting access to unlisted packages are recommended. Additionally, the use of signed modules, trusted private repositories [1] [3] [4], and caution when downloading new modules can help mitigate these risks. It is crucial for PowerShell Gallery to enhance its security measures to protect users and prevent potential attacks. The discovery of an API that allows threat actors to find unlisted modules and potentially sensitive data further emphasizes the need for improving package ownership visibility and implementing a robust continuous monitoring system. The unresolved issues reported to Microsoft highlight the importance of addressing these flaws promptly to ensure the safety and security of users.
References
[1] https://www.darkreading.com/application-security/powershell-gallery-prone-to-typosquatting-other-supply-chain-attacks
[2] https://thehackernews.com/2023/08/experts-uncover-weaknesses-in.html
[3] https://www.csoonline.com/article/649716/report-powershell-gallery-susceptible-to-typosquatting-and-other-package-management-attacks.html
[4] https://www.threatshub.org/blog/powershell-gallery-prone-to-typosquatting-other-supply-chain-attacks/
[5] https://patabook.com/technology/2023/08/16/experts-uncover-weaknesses-in-powershell-gallery-enabling-supply-chain-attacks/
[6] https://www.redpacketsecurity.com/experts-uncover-weaknesses-in-powershell-gallery-enabling-supply-chain-attacks/
[7] https://gixtools.net/2023/08/experts-uncover-weaknesses-in-powershell-gallery-enabling-supply-chain-attacks/
[8] https://blog.aquasec.com/powerhell-active-flaws-in-powershell-gallery-expose-users-to-attacks
