
Discussion: Microsoft Security Advisory CVE-2018-0786: Security Feature Bypass in X509 Certificate Validation #6031

Closed
TravisEz13 opened this issue Jan 25, 2018 · 3 comments
Labels: Issue-Announcement (the issue is for discussing an Announcement); Resolution-Fixed (the issue is fixed).

Comments

@TravisEz13 (Member) commented Jan 25, 2018

Microsoft Security Advisory CVE-2018-0786

Security Feature Bypass in X509 Certificate Validation

Executive Summary

Microsoft is releasing this security advisory to provide information about a vulnerability in the open source versions of PowerShell Core 6.0. This advisory also provides guidance on what developers can do to update their scripts and modules correctly.

Microsoft is aware of a security vulnerability in the open source versions of PowerShell Core where an attacker could present a certificate that is marked invalid for a specific use, but a .NET Core component uses it for that purpose. This action disregards the Enhanced Key Usage tagging.

The security update addresses the vulnerability by ensuring that .NET Core components completely validate certificates.

System administrators are advised to update their PowerShell Core to version 6.0.1. This version will also address CVE-2018-0764.

Affected Software

The vulnerability affects PowerShell Core prior to version 6.0.1.

Advisory FAQ

How do I know if I am affected?

If all of the following are true:

  1. Run `pwsh -v` (if you cannot launch PowerShell Core using `pwsh`, you are affected). If the reported version starts with 6.0.0, you are affected.
  2. You also use one of the .NET assemblies referenced in dotnet/announcements#51 (Microsoft Security Advisory CVE-2018-0786: Security Feature Bypass in X509 Certificate Validation).

How do I update to an unaffected version?

Follow the instructions at Get PowerShell to install the latest version of PowerShell Core.

Other Information

Reporting Security Issues

If you have found a potential security issue in PowerShell Core, please email details to secure@microsoft.com.

Support

You can ask questions about this issue on GitHub in the PowerShell organization. This is located at https://github.com/PowerShell/. The Announcements repo (https://github.com/PowerShell/Announcements) will contain this bulletin as an issue and will include a link to a discussion issue where you can ask questions.

What if the update breaks my script or module?

You can uninstall the newer version of PowerShell Core and install the previous version of PowerShell Core. This should be treated as a temporary measure. Therefore, the script or module should be updated to work with the patched version of PowerShell Core.

External Links

CVE-2018-0786
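As an added example (not code from the advisory or from the PowerShell project), the script below applies the advisory's own version test and then shows what an explicit Enhanced Key Usage check looks like from a script, using the .NET X509Chain ApplicationPolicy so the script does not depend on a component honouring EKU on its behalf. The certificate path and the Server Authentication EKU OID are assumptions chosen for illustration.

```powershell
# Added example, not code from the advisory or from the PowerShell project.
# Part 1 applies the advisory's own test: a PowerShell Core version starting
# with 6.0.0 is affected; 6.0.1 or later is not.
function Test-AffectedPowerShellCore {
    param([string]$VersionString = $PSVersionTable.PSVersion.ToString())
    return $VersionString.StartsWith('6.0.0')
}

# Part 2: the defect the advisory describes is a certificate being accepted for
# a purpose its Enhanced Key Usage extension does not allow. A script can
# enforce the purpose itself by requiring an application policy on the chain;
# the EKU OID below (Server Authentication) is an assumed example purpose.
function Test-CertificateValidForUsage {
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,
        [string]$EkuOid = '1.3.6.1.5.5.7.3.1'
    )
    $notValidForUsage = [System.Security.Cryptography.X509Certificates.X509ChainStatusFlags]::NotValidForUsage
    $chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
    try {
        # With an ApplicationPolicy set, Build() fails unless every certificate
        # in the chain permits this EKU, and it reports NotValidForUsage.
        $chain.ChainPolicy.ApplicationPolicy.Add(
            [System.Security.Cryptography.Oid]::new($EkuOid))
        $trusted = $chain.Build($Certificate)
        $status  = @($chain.ChainStatus | ForEach-Object { $_.Status })
        $ekuRejected = @($status | Where-Object { $_.HasFlag($notValidForUsage) }).Count -gt 0
        [pscustomobject]@{
            Subject      = $Certificate.Subject
            ChainTrusted = $trusted
            EkuRejected  = $ekuRejected
            ChainStatus  = ($status -join ', ')
        }
    }
    finally {
        $chain.Dispose()
    }
}

# Usage (the certificate path is a placeholder):
if (Test-AffectedPowerShellCore) {
    Write-Warning "PowerShell Core $($PSVersionTable.PSVersion) is affected by CVE-2018-0786; update to 6.0.1 or later."
}
$cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new('<path-to-certificate.cer>')
Test-CertificateValidForUsage -Certificate $cert
```

A certificate whose EKU extension omits the requested OID returns ChainTrusted $false with EkuRejected $true, which is the outcome a fully validating component should produce.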

@TravisEz13 TravisEz13 added Issue-Discussion the issue may not have a clear classification yet. The issue may generate an RFC or may be reclassif Resolution-Fixed The issue is fixed. labels Jan 25, 2018
@iSazonov (Collaborator)

iSazonov commented Jan 26, 2018

@TravisEz13 @SteveL-MSFT What about a new "Announcement" (yellow) label if the team wants to discuss announcements in the repo?

@SteveL-MSFT (Member) commented Jan 26, 2018

@iSazonov good suggestion. I'll add that label.

@SteveL-MSFT SteveL-MSFT added the Issue-Announcement the issue is for discussing an Announcement label Jan 26, 2018
@SteveL-MSFT (Member) commented Jan 26, 2018

To keep it consistent in our repo, I'm going to use Issue-Announcement with the same color as other Issue types.

@TravisEz13 TravisEz13 removed the Issue-Discussion the issue may not have a clear classification yet. The issue may generate an RFC or may be reclassif label Mar 17, 2018