Les Bell

Welcome to today's daily briefing on security news relevant to our CISSP (and other) courses. Links within stories may lead to further details in the course notes of some of our courses, and will only be accessible if you are enrolled in the corresponding course - this is a shallow ploy to encourage ongoing study. However, each item ends with a link to the original source.

News Stories

PowerShell Gallery Users Vulnerable to Typosquatting Attacks

The Windows PowerShell scripting language is incredibly powerful, able to hook into lots of low-level functionality in the underlying operating system, and hence is extremely popular with system administrators, as well as developers of admin tools. Of course, the same attributes make PowerShell attractive to threat actors, too, and they use PowerShell scripts in a range of attacks.

Now researchers at Aqua have drawn attention to a major vulnerability in the PowerShell software supply chain - specifically, in PowerShell Gallery, which is the major repository of PowerShell packages. PowerShell Gallery hosts thousands of packages and boasts billions of downloads - it is the first place administrators and PowerShell developers will turn to when looking for packages useful in their work. However, a lax approach to validating the names of submitted packages makes it possible for attackers to dupe victims into installing malicious packages.

Other repositories and package managers, such as npm, impose rules which prevent the creation of packages with a similar name to existing, legitimate, packages. For example, there is an existing npm package called reactnative, and as a consequence, no-one can create packages with names like react_native, react-native, react.native and so on. If they try, the server responds with a 403 Forbidden status.

There is no such checking in PowerShell Gallery. In addition, the use of periods in package names, such as the "Az." prefix for names of packages relating to Azure, is only a convention, and not a scoping rule that restricts the creation of packages within a domain. The Aqua researchers give the example of Aztable, a popular module which provides functions for manipulation of Azure Storage Tables - there is nothing to stop someone creating a module called Az.Table.

The problem is exacerbated by the fact that module creators can fake almost every detail in the landing page for their module, making it appear to be the legitimate package which they are spoofing. Determining the real author of a PowerShell module can be near-impossible.

These are not the only problems with PowerShell Gallery; the Aqua researchers also found a way to enumerate unlisted modules, including those which were hidden because they exposed secrets such as API keys. But they went on to create a proof-of-concept for a typosquatting attack, creating a fake module which would reveal when it was downloaded and deployed - and within just hours, they started receiving responses from hosts across multiple cloud services.

The researchers disclosed their findings to the Microsoft Security Resource Center in late September of 2022; however, as of 16 August 2023, the vulnerabilities seem to remain.

Weinberger, Mor, Yakir Kadkoda and Ilay Goldman, PowerHell: Active Flaws in PowerShell Gallery Expose Users to Attacks, blog post, 16 August 2023. Available online at https://blog.aquasec.com/powerhell-active-flaws-in-powershell-gallery-expose-users-to-attacks.

Citrix ShareFile Vulnerability Exploitation in the Wild

The Cybersecurity & Infrastructure Security Agency has added one vulnerability to its Known Exploited Vulnerabilities Catalog this week - CVE-2023-24489, a vulnerability in Citrix ShareFile, also known as Citrix Content Collaboration. This is a nasty one, with a CVSS 3.x base score of 9.8 (although Citrix rate it at only 9.1).

This vulnerability goes back to early June, when it was disclosed to Citrix by AssetNote researcher Dylan Pindur, who was able to use it "to achieve unauthenticated arbitrary file upload and full remote code execution by exploiting a seemingly innocuous cryptographic bug". The bug in question allows what is essentially a variant of a padding oracle attack, and Pindur's blog provides a nice potted explanation and demonstration of its operation.

ShareFile users should update to ShareFile storage zones controller 5.11.24 or later. This is especially important now that the vulnerability is being actively exploited.

Citrix, ShareFile StorageZones Controller Security Update for CVE-2023-24489, security bulletin, 13 June 2023. Available online at https://support.citrix.com/article/CTX559517/sharefile-storagezones-controller-security-update-for-cve202324489.

Pindur, Dylan, Encrypted Doesn't Mean Authenticated: ShareFile RCE (CVE-2023-24489), blog post, 4 July 2023. Available online at https://blog.assetnote.io/2023/07/04/citrix-sharefile-rce/.

These news brief blog articles are collected at https://www.lesbell.com.au/blog/index.php?courseid=1. If you would prefer an RSS feed for your reader, the feed can be found at https://www.lesbell.com.au/rss/file.php/1/dd977d83ae51998b0b79799c822ac0a1/blog/user/3/rss.xml.

Copyright to linked articles is held by their individual authors or publishers. Our commentary is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License and is labeled TLP:CLEAR.