Discussion: Microsoft Security Advisory CVE-2018-8256: Microsoft PowerShell Remote Code Execution Vulnerability #8251

Closed
TravisEz13 opened this issue Nov 13, 2018 · 3 comments

@TravisEz13
Member

commented Nov 13, 2018

Microsoft Security Advisory CVE-2018-8256: Microsoft PowerShell Remote Code Execution Vulnerability

Executive Summary

A remote code execution vulnerability exists when PowerShell improperly handles specially crafted files. An attacker who successfully exploited this vulnerability could execute malicious code on a vulnerable system.

To exploit the vulnerability, an attacker must send a specially crafted file to a vulnerable system.

The security update fixes the vulnerability by ensuring PowerShell properly handles files.

System administrators are advised to update PowerShell Core to version 6.0.5 or 6.1.1.

Affected Software

The vulnerability affects PowerShell Core prior to the following versions:

| PowerShell Core Version | Fixed in |
|-------------------------|----------|
| 6.0                     | 6.0.5    |
| 6.1                     | 6.1.1    |
| 6.2                     | #8252    |

The vulnerability also affects Microsoft.PowerShell.Archive if it was installed from the PowerShell Gallery. The issue was fixed in version 1.2.2.

Advisory FAQ

How do I know if I am affected?

PowerShell Core

If all of the following are true:

  1. Run pwsh -v, then check the version in the table in Affected Software to see if your version of PowerShell Core is affected.
  2. If you are running a version of PowerShell Core where the executable is not pwsh or pwsh.exe, then you are affected. This only existed for preview versions of 6.0.

Microsoft.PowerShell.Archive installed from the PowerShell Gallery

  1. Run Get-InstalledModule -name Microsoft.PowerShell.Archive from PowerShell. If the module version is less than 1.2.2.0, then you are affected.

How do I update to an unaffected version?

PowerShell Core

Follow the instructions at Installing PowerShell Core to install the latest version of PowerShell Core.

Microsoft.PowerShell.Archive installed from the PowerShell Gallery

Run Update-Module Microsoft.PowerShell.Archive

Other Information

Commit IDs

3f85c94b
da5d8e70

Reporting Security Issues

If you have found a potential security issue in PowerShell Core,
please email details to secure@microsoft.com.

Support

You can ask questions about this issue on GitHub in the PowerShell organization.
This is located at https://github.com/PowerShell/.
The Announcements repo (https://github.com/PowerShell/Announcements)
will contain this bulletin as an issue and will include a link to a discussion issue where you can ask questions.

What if the update breaks my script or module?

You can uninstall the newer version of PowerShell Core and install the previous version of PowerShell Core.
This should be treated as a temporary measure.
Therefore, the script or module should be updated to work with the patched version of PowerShell Core.

Acknowledgments

Snyk Security Research Team

Microsoft recognizes the efforts of those in the security community who help us protect customers through coordinated vulnerability disclosure.

See acknowledgments for more information.

External Links

CVE-2018-8256

Revisions

V1.0 (November 13, 2018): Advisory published.
V1.1 (November 14, 2018): Fix typo in how to tell if `Microsoft.PowerShell.Archive` is affected when installed from the PowerShell Gallery.

Version 1.1
Last Updated 2018-11-14

@KurtDeGreeff

commented Feb 26, 2019

Hi, our internal Tripwire is showing Microsoft.PowerShell.Archive module which has not been installed from PSGallery is also affected... When checked it shows indeed an older version. How can I in that case easily update the module without modifying permissions/ownership under C:\Windows\System32\WindowsPowerShell\v1.0 ?

@TravisEz13

Member Author

commented Feb 26, 2019

@KurtDeGreeff Based on the path C:\Windows\System32\WindowsPowerShell\v1.0 I assume you are using Windows PowerShell. The issue you mention should be fixed by a Windows patch in the same CVE. For Windows PowerShell support, I suggest contacting Windows support.
This repo is for tracking PowerShell Core issues.

cc @anmenaga @SteveL-MSFT

@anmenaga

Contributor

commented Feb 26, 2019

@KurtDeGreeff just an idea... if you want to use a patched version of the Microsoft.PowerShell.Archive module and don't care if an old (bugged) version sits on the system (or if you have permissions to delete it - just do it)...
just install the patched module from the PS Gallery:
Install-Module -Name Microsoft.PowerShell.Archive
It will be installed to <Program Files>\WindowsPowerShell\Modules

Now when you load the module by name Import-Module Microsoft.PowerShell.Archive it will load and use the fixed version (with higher module version number) even though you might have the old/bugged one sitting on the system.
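
Added example, not part of the advisory, of any comment in this thread, or of the PowerShell project's code: a script for the checks under "How do I know if I am affected?" that also lists every installed copy of Microsoft.PowerShell.Archive and marks the one an exact-name lookup of Expand-Archive resolves to. The function names Test-CoreAffected and Get-ArchiveModuleStatus are hypothetical, and the sample version strings are constructed.

```powershell
# Added example. Fixed versions come from the advisory's "Affected Software" table.
$FixedCore    = @{ '6.0' = [version]'6.0.5'; '6.1' = [version]'6.1.1' }
$FixedArchive = [version]'1.2.2'   # 1.2.2.0 compares as not less than this

function Test-CoreAffected {       # hypothetical helper name
    param([Parameter(Mandatory)][string]$VersionString)   # text printed by: pwsh -v
    # Take major.minor.patch and ignore any prerelease label such as -preview.4.
    if ($VersionString -notmatch '(\d+)\.(\d+)\.(\d+)') { return 'Unparsed' }
    $v      = [version]$Matches[0]
    $branch = '{0}.{1}' -f $v.Major, $v.Minor
    # 6.2 has no release number in the table (only "#8252"), so it is not judged here.
    if (-not $FixedCore.ContainsKey($branch)) { return 'NotInTable' }
    if ($v -lt $FixedCore[$branch]) { return 'Affected' }
    return 'Fixed'
}

function Get-ArchiveModuleStatus { # hypothetical helper name
    # Exact-name Get-Command autoloads the module, showing which copy wins by name.
    $cmd = Get-Command Expand-Archive -ErrorAction SilentlyContinue
    $resolved = if ($cmd -and $cmd.Module) { $cmd.Module.ModuleBase }
    # List every installed copy, not only the one installed from the Gallery.
    Get-Module -ListAvailable -Name Microsoft.PowerShell.Archive |
        Sort-Object Version -Descending |
        ForEach-Object {
            [pscustomobject]@{
                Version        = $_.Version
                Affected       = $_.Version -lt $FixedArchive
                ResolvedByName = $_.ModuleBase -eq $resolved
                ModuleBase     = $_.ModuleBase
            }
        }
}

# Constructed sample strings in the form printed by pwsh -v.
'PowerShell 6.0.4', 'PowerShell 6.1.1', 'PowerShell 6.1.0-preview.4', 'PowerShell 6.2.0-preview.1' |
    ForEach-Object { '{0} -> {1}' -f $_, (Test-CoreAffected -VersionString $_) }
Get-ArchiveModuleStatus | Format-Table -AutoSize
```

A row with Affected and ResolvedByName both true means the older copy is the one scripts calling Expand-Archive by name will get on that system.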
