The PowerShell Gallery’s Achilles’ heel: Typosquatting and More Supply Chain Attacks

Microsoft’s PowerShell Gallery Exposes Software Supply Chain Risk

Researchers at Aqua Nautilus have identified a potential security risk in Microsoft’s PowerShell Gallery, citing weak protections against attackers uploading malicious packages to the online repository. The team tested the repository’s policies and discovered that threat actors could easily abuse them to spoof legitimate packages and make it difficult for users to identify the true owner of a package.

Supply Chain Risk and Recommendations

Aqua’s lead security researcher, Yakir Kadkoda, advises organizations that use PowerShell modules from the gallery to only utilize signed modules and trusted private repositories. Additionally, caution should be exercised when downloading new modules/scripts from registries. Kadkoda also urges similar platforms to PowerShell Gallery to enhance their security measures, particularly by implementing mechanisms that prevent developers from uploading modules with names too similar to existing ones.

Microsoft was notified about the issues and claimed to have addressed them, although Aqua’s continued checks indicate that the issues still exist as of August 16th. At the time of reporting, Microsoft had not responded to requests for comment.

PowerShell Gallery: Purpose and Usage

PowerShell Gallery is a widely used repository for finding, publishing, and sharing PowerShell code modules and desired state configuration (DSC) resources. The repository contains packages from trusted entities like Microsoft, AWS, and VMware, as well as contributions from the community. In 2021 alone, there have been over 1.6 billion package downloads from the gallery.

Typosquatting Vulnerability

One vulnerability identified by Aqua is the lack of protection against typosquatting. This technique involves threat actors using names that phonetically resemble popular and legitimate package names on public software repositories, with the intention of tricking users into downloading malicious packages. Aqua found that PowerShell Gallery’s policies did little to guard against this deception. Various Azure packages on the repository followed a specific naming pattern, such as “Az.<package_name>.” However, popular Azure packages like “Aztable” did not follow this pattern and lacked a dot in the name. Aqua demonstrated that it was able to upload a nearly perfect replica of “Aztable” by labeling it as “Az.Table.” The PoC code included a callback that showed multiple hosts across various cloud services downloading the package within hours.

Kadkoda highlights that other registries, such as npm, take more proactive measures to combat typosquatting. For example, npm uses “Moniker” rules that prohibit module names with slight variations from existing packages. These measures effectively prevent the creation of names like “reactnative” or “react.native” when a package named “react-native” already exists.

Impersonation of Package Owners

Aqua also discovered a vulnerability that allows threat actors to make a malicious package appear legitimate by faking crucial details such as the Author(s), Description, and Copyright fields. The PowerShell Gallery allows an attacker to freely choose any name when creating a user, making it challenging to determine the actual author of a PowerShell module. Unsuspecting users may be easily deceived into believing that the author of a malicious package is a legitimate entity, such as Microsoft.

Unlisted Modules and Sensitive Data Exposure

Aqua’s analysis revealed an issue with PowerShell Gallery’s APIs that allowed threat actors to find unlisted modules on the registry, along with any associated sensitive data. Unlisted modules are typically private and should not be discoverable through a search of the repository. Aqua researchers not only managed to retrieve such modules but also found one containing sensitive secrets belonging to a large technology company.

Kadkoda emphasizes that there is currently no evidence of threat actors leveraging these weaknesses to introduce malicious packages into PowerShell Gallery. However, the risk remains, as Microsoft’s scanning of PowerShell modules/scripts uploaded to the gallery represents a constantly evolving cat-and-mouse game between their solution and attackers.

Editorial: Balancing User Convenience and Security in Software Repositories

The recent findings by Aqua Nautilus shed light on the challenges faced by software repositories in maintaining a balance between user convenience and security. While repositories like PowerShell Gallery provide a valuable resource for developers, the widespread adoption and trust placed in them make them an attractive target for attackers. The identified vulnerabilities, such as weak protections against typosquatting and the ease of spoofing package owners, demonstrate the importance of continuous security enhancements for these platforms.

It is encouraging to see Aqua Nautilus pointing out the disparity between the security measures implemented by PowerShell Gallery and other registries like npm. Platforms housing repositories should learn from each other and adopt best practices to create a safer ecosystem for developers and users alike. Implementing mechanisms to prevent typosquatting and ensuring strict validation of package ownership details are essential steps.

Furthermore, repositories need to invest in regular security audits and vulnerability assessments to proactively identify and address potential risks. Collaborative efforts between platform operators, security researchers, and the community can contribute to reducing the likelihood of supply chain attacks and protecting users from unwittingly downloading malicious software. Transparency and clear communication between platforms and their users are crucial in creating a culture of shared responsibility.

Advice for Users of PowerShell Gallery and Similar Repositories

Given the identified vulnerabilities in PowerShell Gallery, users should exercise caution when accessing and utilizing packages, especially those without proper verification or those originating from unknown sources. To mitigate risk, it is recommended to:

1. Use Signed PowerShell Modules:

Prioritize the use of signed PowerShell modules from trusted sources. Signed modules offer an additional level of assurance regarding the integrity and authenticity of the code.

2. Verify Package Owners:

Perform due diligence when evaluating the author details, description, and copyright fields of packages. Exercise skepticism if the package’s author appears unrelated to its content or if the package lacks proper identification of its author.

3. Leverage Trusted Private Repositories:

Consider utilizing trusted private repositories that have strict security measures in place. These repositories often provide better control over the packages available and reduce the risk of unknowingly downloading malicious code.

4. Exercise Caution When Downloading New Modules:

When downloading new modules or scripts from registries, remain cautious and thoroughly evaluate their legitimacy. Be mindful of potential typosquatting attempts and verify the package names, descriptions, and author information.

5. Stay Informed and Report Suspicious Packages:

Stay informed about the latest security advisories and vulnerabilities related to the repositories you use. If you come across suspicious packages or encounter any potential security concerns, promptly report them to the repository platform and provide detailed information to aid investigations and mitigation efforts.

By following these guidelines and maintaining vigilance, users can mitigate some of the risks associated with software supply chain attacks and protect their systems from potential harm.