Microsoft recommends a fix for WDAC vulnerabilities by updating PowerShell


Windows Defender Application Control (WDAC) can control what runs on Windows 10 and Windows 11 by setting policies that specify whether a driver or application is trusted. A policy includes policy rules that control options such as audit mode, and file rules (or file rule levels) that specify how applications are identified and trusted. Microsoft Defender Application Control changes the application security model from "trust everything" to "trust nothing until trust is earned". This whitelisting approach offers significant security improvements, as only trusted applications can run, while unknown applications, such as malware, will never be allowed to. Kindly refer to the following guides: how to set the PowerShell Execution Policy via Windows Settings, how to set the Execution Policy via Windows PowerShell, how to set the PowerShell Execution Policy via the Windows Registry, and how to update PowerShellGet and PackageManagement.

Microsoft has asked system administrators to patch their PowerShell 7 installations against two vulnerabilities that allow attackers to bypass Windows Defender Application Control (WDAC) enforcement to run arbitrary code, and even gain access to plain-text credentials. Microsoft released PowerShell 7.0.8 and PowerShell 7.1.5 in September and October to address these security flaws in the PowerShell 7 and PowerShell 7.1 branches.

How are Passwords leaked by WDAC bypass?

WDAC by default is designed to protect Windows devices against potentially malicious software by permitting only trusted apps and drivers to run, thereby blocking malware and unwanted software from launching. When the software-based WDAC security layer is enabled in Windows, PowerShell automatically goes into constrained language mode, restricting access to only a limited set of Windows APIs.

By exploiting the Windows Defender Application Control security feature bypass vulnerability tracked as CVE-2020-0951, threat actors can circumvent WDAC's allowlist, which allows them to execute PowerShell commands that would otherwise be blocked when WDAC is enabled. "In order to exploit this vulnerability, an attacker needs administrator access on a local machine where PowerShell is running. The attacker could then connect to a PowerShell session and send commands to execute arbitrary code," Microsoft explains.

What type of information could be disclosed by this vulnerability (CVE-2021-41355)?

The type of information that could be disclosed if an attacker successfully exploited this vulnerability is sensitive information. The flaw, tracked as CVE-2021-41355, is an information disclosure vulnerability in .NET Core where credentials could be leaked in clear text on devices running non-Windows platforms.

"An Information Disclosure vulnerability exists in Microsoft Dotnet (.NET) where System.DirectoryServices.Protocols.LdapConnection may send credentials in plain text on non-Windows Operating systems," Microsoft said.

How to tell if you are affected

The CVE-2020-0951 vulnerability affects PowerShell 7 and PowerShell 7.1 versions, while CVE-2021-41355 only impacts users of PowerShell 7.1. Here are some related guides: how to update PowerShellGet and PackageManagement via Group Policy Object, and how to install and update PowerShell 7 via GPO.

You can check the version of PowerShell you are running to determine whether you are vulnerable to these bugs. Run the following command to print your PowerShell version. Reference: BleepingComputer.

pwsh -v
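Printing the version is only half of the check: you still have to compare it against the fixed builds named above (7.0.8 for the 7.0 branch, 7.1.5 for the 7.1 branch) and confirm that WDAC is actually enforcing, which is what puts PowerShell into constrained language mode as described earlier. The script below is an added example, not code from the original post or from Microsoft; the function names Test-PwshPatched and Get-WdacState are my own, and the fixed-version thresholds are taken from this post rather than looked up elsewhere.

```powershell
# Added example (not from the original post): compare a PowerShell 7 build
# against the patched versions the post names for CVE-2020-0951 and
# CVE-2021-41355, and report the host's WDAC enforcement / language mode.

function Test-PwshPatched {
    param(
        # Version to evaluate; defaults to the running host's version.
        # A prerelease label (e.g. 7.1.0-preview.2) is stripped before the
        # cast, because [version] does not accept SemVer labels.
        [Parameter()]
        [version]$Version = [version](("$($PSVersionTable.PSVersion)" -split '-')[0])
    )

    # Minimum patched build per affected branch, as stated in the post.
    $fixed = @{
        '7.0' = [version]'7.0.8'
        '7.1' = [version]'7.1.5'
    }
    $branch = '{0}.{1}' -f $Version.Major, $Version.Minor

    if (-not $fixed.ContainsKey($branch)) {
        # Branches the post does not list (Windows PowerShell 5.1, later 7.x
        # releases) are reported as out of scope, not as patched.
        return [pscustomobject]@{
            Version  = $Version
            Branch   = $branch
            Affected = $false
            Patched  = $null
            Note     = 'Branch not covered by this advisory'
        }
    }

    [pscustomobject]@{
        Version  = $Version
        Branch   = $branch
        Affected = $true
        Patched  = ($Version -ge $fixed[$branch])
        Note     = "Fixed in $($fixed[$branch])"
    }
}

function Get-WdacState {
    # Code-integrity enforcement as reported by the DeviceGuard WMI class
    # (Windows only): 0 = off, 1 = audit, 2 = enforced. On non-Windows hosts
    # the query fails and the field is reported as 'unavailable'.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
    [pscustomobject]@{
        CodeIntegrityPolicyEnforcement = if ($dg) { $dg.CodeIntegrityPolicyEnforcementStatus } else { 'unavailable' }
        # With WDAC enforced, PowerShell should report ConstrainedLanguage here;
        # FullLanguage on an enforced host is worth investigating.
        LanguageMode = $ExecutionContext.SessionState.LanguageMode
    }
}

# Usage on the local host:
Test-PwshPatched
Get-WdacState

# Evaluate a version reported elsewhere, e.g. from an inventory export:
Test-PwshPatched -Version '7.1.4'
```

Run it from `pwsh` on each host you manage, or feed versions collected by your inventory tool into `Test-PwshPatched -Version`; a result with `Affected = True` and `Patched = False` is a host that still needs the 7.0.8 or 7.1.5 update.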

Microsoft says no mitigation measures are currently available to block the exploitation of these security flaws. System Administrators are advised to install the updated PowerShell 7.0.8 and 7.1.5 versions as soon as possible to protect systems from potential attacks.

Microsoft recently announced that it would be making it easier to update PowerShell for Windows 10 and Windows Server customers by releasing future updates via the Microsoft Update service. See this guide on "how to install and update PowerShell version 7 on Windows and Linux".

Here is a one-liner that you can run from Windows PowerShell to install or update PowerShell 7:

iex "& { $(irm } -UseMSI"

I hope you found this blog post helpful. If you have any questions, please let me know in the comment section.
