Security | Vulnerability Scans and Assessment

Fix WDAC vulnerabilities by updating PowerShell

update-powershell

Windows Defender Application Control (WDAC) can control what runs on Windows 10 and Windows 11 by setting policies that specify whether a driver or application is trusted. A policy includes policy rules that control options such as audit mode and file rules (or file rule levels) that specify how applications are identified and trusted. Microsoft Defender Application Control changes the security application model from trust everything to trust nothing until the trust is earned. This whitelisting approach offers significant security improvements. This way, it blocks unknown applications, such as malware, such that only trusted applications can run. Kindly refer to the following guides. “how to set PowerShell Execution Policy via Windows Settings, how to set Execution Policy via Windows PowerShell, how to set the PowerShell Execution Policy via Windows Registry, and How to update PowerShellGet and Package Management.

Microsoft has asked system administrators to patch their PowerShell 7 installations against two vulnerabilities that can allow attackers to bypass Windows Defender Application Control (WDAC) to run arbitrary code, and even gain access to plain text credentials.

Microsoft has recommended System Admins to patch PowerShell 7 to help fix these WDAC vulnerabilities. As they could allow attackers to bypass Windows Defender Application Control (WDAC) enforcements and gain access to plain text credentials. These security flaws in PowerShell 7 and PowerShell 7.1 received the PowerShell 7.0.8 and PowerShell 7.1.5 security updates branches in September and October.

How Passwords can be leaked by WDAC bypass?

By default, Windows devices from potentially malicious software safeguarded by WDAC by design. It does this by permitting only trusted apps and drivers to run, thereby blocking malware and unwanted software from launching. Enabling the software-based WDAC security layer in Windows triggers an automatic transition of PowerShell into constrained language mode. This limits access exclusively to a restricted set of Windows APIs.

Threat actors can exploit the CVE-2020-0951 vulnerability, which bypasses the Windows Defender Application Control security feature. Exploiting this vulnerability empowers malicious actors with the capability to circumvent WDAC’s allow list. As such PowerShell commands that WDAC normally blocks when active would execute. In order to exploit this vulnerability, an attacker needs administrator access on a local machine where PowerShell is running. The attacker could then connect to a PowerShell session and send commands to execute arbitrary code,” Microsoft explains.

Kinds of Information this vulnerability could disclose (CVE-2021-41355)

Successful exploitation of this vulnerability by an attacker could result in the disclosure of sensitive information. CVE-2021-41355, a tracked flaw, represents an information disclosure vulnerability within .NET Core. On non-Windows platforms, this vulnerability could potentially lead to the clear text leakage of credentials.

An Information Disclosure vulnerability exists in Microsoft Dotnet (.NET) where System.DirectoryServices.Protocols.LdapConnection may send credentials in plain text on non-Windows Operating systems,” Microsoft said. To check for vulnerability, the CVE-2020-0951 vulnerability affects PowerShell 7 and PowerShell 7.1 versions, while CVE-2021-41355 only impacts users of PowerShell 7.1. Here are some related guides: how to update PowerShellGet and Package Management via Group Policy Object, and how you can install and update PowerShell 7 via GPO.

Verify your PowerShell version to assess vulnerability to attacks exploiting these bugs effectively. Run the following command to determine your PowerShell version. Reference: BleepingComputer!

pwsh -v

Microsoft says no mitigation measures are currently available to block the exploitation of these security flaws. We strongly recommend that System Administrators install the updated versions of PowerShell 7.0.8 and 7.1.5 as soon as possible. This will help protect systems from potential attacks.

Microsoft’s latest announcement states easier PowerShell updates for Windows 10 and Windows Server users via the Microsoft Update service. See this guide on “how to install and update PowerShell version 7 on Windows and Linux“.

Here is a one-liner that you can use to install and update PowerShell version 7. You can use this single command in Windows PowerShell to install PowerShell 7.

iex "& { $(irm https://aka.ms/install-powershell.ps1) } -UseMSI"

I hope you found this blog post on how to fix for WDAC vulnerabilities helpful. If you have any questions, please let me know in the comment session.

Subscribe
Notify of
guest

0 Comments
Inline Feedbacks
View all comments
0
Would love your thoughts, please comment.x
()
x