Threats to the PowerShell Gallery: criticalities and dangers

Security experts at Aqua have reported a number of issues that could lead to insidious attacks via the PowerShell Gallery. The lack of strict package naming policies allows attackers to load malicious modules that appear legitimate to unsuspecting users, creating "squatting" attacks. Furthermore, another serious flaw lies in the possibility for an attacker to spoof a form's metadata, deceiving users as to its authenticity. To address these issues, Aqua reported the issues to Microsoft, but despite the reactive measures already in place, the issues still remain reproducible.

Vulnerabilities that allow listing hidden packages

A third discovered bug allows attackers to enumerate all package names and versions, including those not listed and which should be hidden from the public. This is achieved using the PowerShell API which allows unrestricted access to the complete database of PowerShell packages, including sensitive data contained in packages not listed. This vulnerability opens the door to compromise unlisted packages that contain sensitive data. The problem has been reported to Microsoft, but the solutions adopted so far have not been sufficient to permanently resolve the problem.

The responsibility of platforms in user safety

In a world increasingly dependent on open-source projects and registries, the associated security risks increase significantly. Therefore, it is imperative that platforms like the PowerShell Gallery have adequate security measures in place to protect users. Aqua experts point out that the responsibility for ensuring security lies primarily with the platform itself. In this sense, Aqua has sent the report to Microsoft, but further actions need to be taken to improve the security measures.