Microsoft fails to fix major PowerShell Gallery security flaws even after claiming it did



The security research team at AquaSec (Aqua Security) has published a report highlighting a series of major security vulnerabilities currently present in Microsoft's PowerShell Gallery. As the name suggests, the PowerShell Gallery (PSGallery) is a repository of PowerShell scripts, modules, and Desired State Configuration (DSC) resources.


AquaSec explains in its report that there are three major flaws in PSGallery, centered on deception and forgery. The surprising thing is that Microsoft has apparently been aware of the issues for a very long time and has yet to implement any fix. AquaSec states:



Despite reporting the flaws to the Microsoft Security Response Center on two separate occasions, with confirmation of the reported behavior and claims of ongoing fixes, as of August 2023, the issues remain reproducible, indicating that no tangible changes have been implemented.


To give a better idea of what it means, AquaSec has also published the entire vulnerability disclosure timeline, which suggests that the tech giant has been aware of the issue since September last year. In fact, in March 2023, Microsoft seemingly confirmed that "reactive fixes" were out.



Disclosure timeline


  • 27 September 2022 - Aqua Research team reported flaws to MSRC.

  • 20 October 2022 - MSRC confirmed the behavior we reported.

  • 2 November 2022 - MSRC stated that the issue has been fixed (cannot provide details of product fixes in Online Services).

  • 26 December 2022 - We reproduced the flaws (no prevention).

  • 03 January 2023 - Aqua Research team reopened the report about the flaws with MSRC.

  • 03 January 2023 - MSRC confirmed the behavior we reported.

  • 10 January 2023 - MSRC marked the report as Resolved.

  • 15 January 2023 - MSRC responded, "The engineering team is still working on fixing the Typosquatting and package ..
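Since the typosquatting issue remains reproducible, one practical defender-side check is to compare the modules actually installed on a host against an allowlist and surface near-miss names. The following is an added example, not code from the article or from Aqua's report; the `$ApprovedModules` allowlist is a constructed assumption to be replaced with your own.

```powershell
# Added example: flag installed PowerShell modules whose names are near-misses
# of an approved list, a simple check against PSGallery typosquatting.
# The allowlist below is constructed for illustration; adjust to your environment.

function Get-EditDistance {
    param([string]$A, [string]$B)
    # Classic Levenshtein distance via dynamic programming, one row at a time.
    $prev = 0..$B.Length
    for ($i = 1; $i -le $A.Length; $i++) {
        $cur = @($i) + (@(0) * $B.Length)
        for ($j = 1; $j -le $B.Length; $j++) {
            $cost = if ($A[$i - 1] -eq $B[$j - 1]) { 0 } else { 1 }
            $cur[$j] = [Math]::Min([Math]::Min($prev[$j] + 1, $cur[$j - 1] + 1), $prev[$j - 1] + $cost)
        }
        $prev = $cur
    }
    return $prev[$B.Length]
}

function Find-SuspiciousModules {
    param(
        [string[]]$Approved,
        [int]$MaxDistance = 2
    )
    # Get-InstalledModule lists modules installed through PowerShellGet (e.g. from PSGallery).
    foreach ($m in Get-InstalledModule) {
        # Exact allowlist hits are expected; everything else is compared for near-misses.
        if ($Approved -contains $m.Name) { continue }
        foreach ($a in $Approved) {
            $d = Get-EditDistance -A $m.Name.ToLower() -B $a.ToLower()
            if ($d -le $MaxDistance) {
                [pscustomobject]@{
                    Installed  = $m.Name
                    Version    = $m.Version
                    Repository = $m.Repository
                    Author     = $m.Author      # shown for review only, not as proof of origin
                    LooksLike  = $a
                    Distance   = $d
                }
            }
        }
    }
}

# Constructed allowlist of modules this environment expects to use.
$ApprovedModules = @('Az.Accounts', 'Az.Storage', 'PSReadLine', 'Pester')
Find-SuspiciousModules -Approved $ApprovedModules | Format-Table -AutoSize
```

The real control is installing only exact, pinned names from the allowlist; this script only surfaces look-alikes that have already slipped through for a human to review.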
