Microsoft has released patches for two security vulnerabilities in PowerShell which could allow a malicious script to circumvent the protection offered by Windows Defender Application Control.
PowerShell is a cross-platform command-line shell used extensively in the administration of Windows and Azure servers. It is also popular with malicious users due to its power and flexibility – often used as an attack vector or payload delivery mechanism for Windows based malware.
In order to mitigate the abuse of PowerShell Microsoft introduced Windows Defender Application Control (WDAC) which blocks potentially malicious apps and scripts and limits some of the features of PowerShell (constrained mode) not often used in day to day administrative tasks.
CVE-2020-0951 is a bug in PowerShell that could allow a malicious script to bypass the WDAC enforcement and execute commands and invoke API that would otherwise be blocked.
CVE-2021-41355 only affects PowerShell when used on a non-Windows system, but it could result in credentials being sent in plain text when attempting to connect to an LDAP server. Given that PowerShell is a daily-driver for network admins, those credentials could well provide admin access to a malicious user who is sniffing network traffic.
PowerShell is not included in the Microsoft monthly security patches and must be updated manually on each system by re-installing the current full release from Microsoft. The next release of PowerShell (7.2) will include the option to start receiving patches via Windows Update however these will only be delivered in the optional channel requiring admins to opt-in to each patch as it is published.
