Compile: Code Guard
Multiple vulnerabilities exist in PowerShell Gallery that could be exploited to mount a supply chain attack against the registry's users.
"These vulnerabilities make typosquatting attacks in the registry inevitable and make it extremely difficult for users to identify the true owner of the package," researchers Mor Weinberger, Yakir Kadkoda, and Ilay Goldman from Aqua Security said in the report.
PowerShell Gallery, maintained by Microsoft Corporation, is a central repository for sharing and obtaining PowerShell code such as PowerShell modules, scripts, and DSC resources. The registry has 11,829 unique entries and 244,615 packages.
The flaws stem from the service's lax policy on package names and its lack of defenses against typosquatting, which let attackers upload malicious PowerShell modules that unsuspecting users take to be legitimate.
Typosquatting is a proven infection vector in which attackers poison the open source software ecosystem by publishing packages with names similar to popular and legitimate modules released through repositories.
The second flaw lets malicious actors spoof a module's metadata, including the author, copyright, and description fields, so that it appears more legitimate and unsuspecting users are tricked into installing it. "The only way for a user to determine the author/owner is to open the 'Package Details' tab. However, this only leads to the user opening a fake author's profile, as the attacker is free to choose any name at the moment of user creation in PowerShell Gallery. Therefore, it is a difficult task to determine the real owner of PowerShell modules in PowerShell Gallery," the researchers wrote.
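As an added, defender-side illustration (not code from the article or from Aqua Security), the following PowerShell functions flag a requested module name that is within a couple of edits of a trusted name, and check the Authenticode signature of a saved module rather than trusting the author field in its manifest; the trusted-module list and the lookalike names are constructed samples.

```powershell
# Added example, not from the article: pre-install checks for a PowerShell Gallery module.
# The trusted list and the candidate names at the bottom are constructed for illustration.

function Get-EditDistance {
    param([string]$A, [string]$B)
    # Levenshtein distance with a two-row dynamic-programming table; case-insensitive.
    $A = $A.ToLowerInvariant(); $B = $B.ToLowerInvariant()
    $prev = 0..$B.Length
    for ($i = 1; $i -le $A.Length; $i++) {
        $curr = @($i) + (@(0) * $B.Length)
        for ($j = 1; $j -le $B.Length; $j++) {
            $cost = if ($A[$i - 1] -eq $B[$j - 1]) { 0 } else { 1 }
            $curr[$j] = [Math]::Min([Math]::Min($prev[$j] + 1, $curr[$j - 1] + 1), $prev[$j - 1] + $cost)
        }
        $prev = $curr
    }
    return $prev[$B.Length]
}

function Test-ModuleNameTyposquat {
    param([string]$Name, [string[]]$TrustedNames, [int]$MaxDistance = 2)
    # An exact match to a trusted name is fine; a near miss (1..MaxDistance edits) is suspicious.
    foreach ($trusted in $TrustedNames) {
        if ($Name -ieq $trusted) { return $null }
    }
    $hits = foreach ($trusted in $TrustedNames) {
        $d = Get-EditDistance $Name $trusted
        if ($d -le $MaxDistance) {
            [pscustomobject]@{ Requested = $Name; LooksLike = $trusted; Distance = $d }
        }
    }
    return $hits
}

function Test-SavedModuleSignature {
    param([string]$ModulePath)
    # Manifest author/company fields can be spoofed by the publisher; an Authenticode
    # signature cannot be produced without the signer's key, so inspect every script file.
    Get-ChildItem -Path $ModulePath -Recurse -Include *.psm1, *.psd1, *.ps1 | ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        [pscustomobject]@{ File = $_.Name; Status = $sig.Status; Signer = $sig.SignerCertificate.Subject }
    }
}

# Constructed trusted list (well-known module names used only as sample data) and lookalikes.
$trusted = @('Az.Accounts', 'PSReadLine', 'Pester', 'PowerShellGet', 'ImportExcel')
Test-ModuleNameTyposquat -Name 'Az.Account' -TrustedNames $trusted
Test-ModuleNameTyposquat -Name 'Pestar' -TrustedNames $trusted
# After `Save-Module -Name <name> -Path .\review`, run: Test-SavedModuleSignature -ModulePath .\review\<name>
```

Because the signature check needs the module files on disk, use Save-Module into a review directory first and only Install-Module once both checks come back clean.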
The third vulnerability can be abused to enumerate all package names and scripts, including unlisted ones that are not publicly discoverable. An attacker can query the PowerShell Gallery API endpoint "https://www.powershellgallery.com/api/v2/Packages?$skip=number", gaining unrestricted access to the complete package database, including all associated versions.
"This unrestricted access allows malicious actors to search for potentially sensitive information in unlisted packages, making any unlisted package containing sensitive data vulnerable to compromise," the researchers explained.
Aqua mentioned that it notified Microsoft of these weaknesses in September 2022, and the latter said it had rolled out a patch on March 7, 2023. However, these issues are still reproducible.
"As our reliance on open source projects and registries grows, so do the security risks associated with them," the researchers said. "The onus for protecting users lies primarily with the platforms. It is imperative that PowerShell Gallery and platforms like it take steps to harden their security."
Original link
https://thehackernews.com/2023/08/experts-uncover-weaknesses-in.html
Title image: Pixabay License
This article was compiled by Qi Anxin and does not represent the views of Qi Anxin. Please indicate "Reprinted from Qi Anxin Code Guard https://codesafe.qianxin.com".