Microsoft asks admins to patch PowerShell to fix WDAC bypass

LASER_oneXM

Microsoft has asked system administrators to patch PowerShell 7 against two vulnerabilities allowing attackers to bypass Windows Defender Application Control (WDAC) enforcements and gain access to plain text credentials.

PowerShell is a cross-platform solution that provides a command-line shell, a framework, and a scripting language focused on automation for processing PowerShell cmdlets.
Redmond released PowerShell 7.0.8 and PowerShell 7.1.5 to address these security flaws in the PowerShell 7 and PowerShell 7.1 branches in September and October.

How to tell if you are affected

The CVE-2020-0951 vulnerability affects both PowerShell 7 and PowerShell 7.1 versions, while CVE-2021-41355 only impacts users of PowerShell 7.1.
To check the PowerShell version you are running and determine if you are vulnerable to attacks exploiting these two bugs, you can execute the pwsh -v command from a Command Prompt.

Microsoft says no mitigation measures are currently available to block the exploitation of these security flaws.
Admins are advised to install the updated PowerShell 7.0.8 and 7.1.5 versions as soon as possible to protect systems from potential attacks.
 

Sammo

Doesn't work.
 

Attachment: pwsh-1.jpg

Kees1958

The MSI version for home users can be downloaded and installed from here:


This should patch the flaw in the affected PS version on Windows 11. Users are advised to install it ASAP.
I still have 5.1 on Windows 11, so I would rather advise to check which version is installed first (see post #3).

According to the info @notyonachos posted, home users don't need V7, also V5 and V7 keep existing side by side. So when home users have "upgraded" to V7, I would strongly advise to de-install this V7 powershell attack surface "upgrade".
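
The version check from the first post, extended to cover the side-by-side 5.1/7 case raised above. This is an added example, not part of the thread or of Microsoft's advisory. The fixed versions 7.0.8 and 7.1.5 come from the article text; the function name `Get-PwshAdvisoryStatus` is hypothetical.

```powershell
# Added example. Fixed versions per branch are taken from the article quoted in this thread.
$Fixed = @{ '7.0' = [version]'7.0.8'; '7.1' = [version]'7.1.5' }

function Get-PwshAdvisoryStatus {
    # Hypothetical helper: classifies one version string against the fixed releases.
    param([string]$VersionText)
    # Keep only major.minor.patch; this drops suffixes such as "-preview.3".
    if ($VersionText -notmatch '(\d+)\.(\d+)\.(\d+)') { return 'Unknown version string' }
    $v = [version]$Matches[0]
    $branch = '{0}.{1}' -f $v.Major, $v.Minor
    if (-not $Fixed.ContainsKey($branch)) { return "Branch $branch is not named in the advisory" }
    if ($v -lt $Fixed[$branch]) { return "AFFECTED: update to $($Fixed[$branch])" }
    return 'Patched'
}

# Windows PowerShell 5.1 (powershell.exe) and PowerShell 7 (pwsh.exe) install side by side,
# so report on every pwsh found on PATH, not on the shell that happens to run this script.
$found = @(Get-Command -Name pwsh -CommandType Application -All -ErrorAction SilentlyContinue)
if ($found.Count -eq 0) {
    Write-Output 'No pwsh found on PATH; PowerShell 7 does not appear to be installed.'
}
foreach ($cmd in $found) {
    # Ask each binary for its own version instead of trusting the file name or folder.
    $text = & $cmd.Source -NoLogo -NoProfile -Command '$PSVersionTable.PSVersion.ToString()'
    [pscustomobject]@{
        Path    = $cmd.Source
        Version = $text
        Status  = Get-PwshAdvisoryStatus -VersionText $text
    }
}

# Version of the shell running this script, for comparison (5.1 when run from powershell.exe).
Write-Output "This shell: $($PSVersionTable.PSVersion)"
```

Run it from either shell; a machine that only has Windows PowerShell 5.1 reports that no pwsh was found.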
 