The Dataprise Blog

Microsoft PowerShell 7 Remote Code Execution Vulnerability: Dataprise Defense Digest

Jul 17, 2021 BY DATAPRISE


EXECUTIVE SUMMARY

On July 2nd, Microsoft issued a warning about a critical remote code execution vulnerability in .NET Core that also affects PowerShell 7. The flaw lies in the way text encoding is performed in .NET 5 and .NET Core. Windows PowerShell ships with Windows; PowerShell 7 is a separate, cross-platform install that also runs on Linux and macOS, and it is the PowerShell 7 line that is affected. Microsoft urges everyone running an affected version to update to the latest release of PowerShell as soon as possible.


DETAILED ANALYSIS

The vulnerable component is the “System.Text.Encodings.Web” NuGet package, which PowerShell 7 bundles. The affected versions are of that package, not of .NET itself: 4.0.0 through 4.5.0, 4.6.0 through 4.7.1, and 5.0.0 are vulnerable; the fixed versions are 4.5.1, 4.7.2, and 5.0.1 respectively. PowerShell 7.0 and 7.1 users should update to 7.0.6 or 7.1.3 (or later), which ship the patched package. Visual Studio bundles .NET binaries but is not affected by this issue. To see which .NET SDKs and runtimes are installed, run “dotnet --info”:


[Screenshot: sample “dotnet --info” output from PowerShell 7]


INDICATORS OF COMPROMISE

There are no known indicators of compromise at this time, but malware could take advantage of this vulnerability to run malicious scripts via PowerShell on an unpatched host.


MITIGATION STEPS

  • Check the installed versions of PowerShell and the .NET SDK
  • Update the .NET SDK and the System.Text.Encodings.Web package to the secure versions listed in Microsoft’s GitHub announcement
  • Update PowerShell 7 to the latest release (7.0.6 or 7.1.3, or later)
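The version checks in the steps above, as an added PowerShell example; this is not code from the Dataprise post or from Microsoft. It assumes the fixed package versions 4.5.1, 4.7.2 and 5.0.1 and the fixed PowerShell releases 7.0.6 and 7.1.3 from Microsoft’s advisory, and that the NuGet package cache is in its default location under ~/.nuget/packages (a default, not something the post states).

```powershell
# Added example, not from the Dataprise post. Checks the local PowerShell
# install, the dotnet SDKs/runtimes, and the NuGet package cache against the
# fixed versions from Microsoft's advisory (assumed: package 4.5.1 / 4.7.2 /
# 5.0.1, PowerShell 7.0.6 / 7.1.3).

function Test-EncodingsWebVersion {
    param([Parameter(Mandatory)][string]$PackageVersion)
    # Strip any prerelease label ("5.0.0-preview.1") so [version] can parse it.
    $v = [version]($PackageVersion -replace '-.*$', '')
    # Vulnerable: 4.0.0-4.5.0, 4.6.0-4.7.1, 5.0.0. Safe in each line from the fix onward.
    $patched = ([version]'4.5.1' -le $v -and $v -lt [version]'4.6.0') -or
               ([version]'4.7.2' -le $v -and $v -lt [version]'5.0.0') -or
               ($v -ge [version]'5.0.1')
    [pscustomobject]@{ Version = $PackageVersion; Patched = $patched }
}

function Test-PowerShellVersion {
    # PSVersion is a SemanticVersion on PowerShell 7, so go through a string.
    param([string]$Version = $PSVersionTable.PSVersion.ToString())
    $v = [version]($Version -replace '-.*$', '')
    # Only the 7.0.x and 7.1.x lines are in scope of the advisory.
    $fixedFor = @{ '7.0' = [version]'7.0.6'; '7.1' = [version]'7.1.3' }
    $line = '{0}.{1}' -f $v.Major, $v.Minor
    if (-not $fixedFor.ContainsKey($line)) {
        return [pscustomobject]@{ Version = $Version; Patched = $null; Note = 'not in scope of this advisory' }
    }
    [pscustomobject]@{ Version = $Version; Patched = ($v -ge $fixedFor[$line]); Note = "fixed in $($fixedFor[$line])" }
}

# 1. PowerShell itself
Test-PowerShellVersion | Format-List

# 2. Installed SDKs and runtimes, to compare against Microsoft's GitHub announcement
if (Get-Command dotnet -ErrorAction SilentlyContinue) {
    dotnet --list-sdks
    dotnet --list-runtimes
}

# 3. Every copy of System.Text.Encodings.Web restored into the local NuGet cache.
#    The directory name under the package folder is the NuGet package version.
$cache = Join-Path $HOME '.nuget/packages/system.text.encodings.web'
if (Test-Path $cache) {
    Get-ChildItem $cache -Directory |
        ForEach-Object { Test-EncodingsWebVersion $_.Name } |
        Where-Object { -not $_.Patched }
}
```

Only unpatched package versions are printed in step 3, so an empty result for that step means every cached copy is on a fixed version; the PowerShell check in step 1 reports Patched as $null for versions the advisory does not cover rather than guessing.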

SOURCES

CONTRIBUTING AUTHORS

  • Stephen Jones, Senior Director Cybersecurity
  • Susan Verdin, Cybersecurity Analyst