Security researchers from Aqua have revealed significant vulnerabilities within the PowerShell Gallery, a central repository for sharing and acquiring PowerShell code, potentially enabling supply chain attacks.
Threat actors could exploit these flaws to execute typosquatting attacks, making it difficult for users to identify authentic package owners. Microsoft maintains the PowerShell Gallery, which hosts over 11,800 unique packages and 244,600 packages in total.
The vulnerabilities primarily stem from loose policies around package names, allowing attackers to upload malicious PowerShell modules that appear genuine. Additionally, attackers could spoof metadata, misleading users into installing compromised modules.
A secondary vulnerability allows malicious actors to manipulate module metadata, such as Author, Copyright, and Description fields, to enhance the legitimacy of malicious packages.
This deception complicates users’ ability to verify the true package authorship, as they are led to the profile of the fake author chosen by the attacker during user creation. Another flaw enables attackers to enumerate all package names and versions, including unlisted ones hidden from public view. This access, enabled by exploiting the PowerShell API, poses a risk to sensitive information within unlisted packages, potentially leading to compromise.
While Aqua reported these issues to Microsoft in September 2022, and the company implemented reactive fixes by March 7, 2023, the vulnerabilities remain reproducible.
As open-source projects and repositories like PowerShell Gallery play an increasingly critical role, the researchers emphasized the need for robust security measures. The researchers called on platform operators, including PowerShell Gallery, to take proactive steps in enhancing security to protect users from potential threats.