On July 2nd, Microsoft issued a warning about a critical .NET Core remote code execution vulnerability in PowerShell version 7. This is caused by the way text encoding is performed in .NET 5 and .NET Core. PowerShell is a scripting tool included in all major versions of Windows, and it also works on Linux and macOS. Microsoft urges everyone to update to the latest version of PowerShell as soon as possible.
In this vulnerability, the package that can be exploited is “System.Text.Encodings.Web”. Vulnerable versions of .NET include 4.0, 4.5, 4.6, 4.7, and 5.0. Secure versions are 4.5.1, 4.7.2, and 5.0.1. PowerShell versions 7.0.6 and 7.1.3 need to be updated to the latest versions. However, even though Visual Studio has .NET binaries, it is not affected by this issue. To find out whether they are affected, users need to check their version by running “dotnet --info”.
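As an added example (not from Microsoft or from this advisory's authors), the PowerShell below reads a .NET ".deps.json" dependency manifest, finds System.Text.Encodings.Web, and compares its version against the secure versions listed above. The function names, the sample manifest, and the assumption that each secure version closes the band of releases below it are introduced here for illustration.

```powershell
# Added example: flag System.Text.Encodings.Web versions listed in a .deps.json manifest.
# Assumption: each secure version from the advisory (4.5.1, 4.7.2, 5.0.1) closes the
# band of releases below it, i.e. 4.0.0-4.5.0, 4.6.0-4.7.1 and 5.0.0.
$Bands = @(
    @{ Low = [version]'4.0.0'; Fixed = [version]'4.5.1' },
    @{ Low = [version]'4.6.0'; Fixed = [version]'4.7.2' },
    @{ Low = [version]'5.0.0'; Fixed = [version]'5.0.1' }
)

function Test-EncodingsWebVersion {
    param([Parameter(Mandatory)][string]$Version)
    # Drop any prerelease/build suffix so [version] can parse the string.
    $v = [version](($Version -split '[-+]')[0])
    foreach ($b in $Bands) {
        if ($v -ge $b.Low -and $v -lt $b.Fixed) {
            return [pscustomobject]@{ Version = $Version; Vulnerable = $true; UpdateTo = $b.Fixed.ToString() }
        }
    }
    [pscustomobject]@{ Version = $Version; Vulnerable = $false; UpdateTo = $null }
}

function Get-EncodingsWebFinding {
    param([Parameter(Mandatory)][string]$DepsJson)
    # Keys under "libraries" have the form "<package>/<version>".
    $libs = ($DepsJson | ConvertFrom-Json).libraries
    if (-not $libs) { return }
    foreach ($name in $libs.PSObject.Properties.Name) {
        $id, $ver = $name -split '/', 2
        if ($id -eq 'System.Text.Encodings.Web') { Test-EncodingsWebVersion -Version $ver }
    }
}

# Constructed sample manifest (not taken from a real application).
$sample = @'
{ "libraries": {
    "Newtonsoft.Json/12.0.3": { "type": "package" },
    "System.Text.Encodings.Web/4.7.1": { "type": "package" }
} }
'@
Get-EncodingsWebFinding -DepsJson $sample | Format-Table

# Real use: scan the manifests shipped with the running PowerShell install.
# Assumption: the install directory contains *.deps.json files, as .NET Core apps normally do.
Get-ChildItem -Path $PSHOME -Filter *.deps.json | ForEach-Object {
    Get-EncodingsWebFinding -DepsJson (Get-Content -Raw $_.FullName)
}
```

The same function can be pointed at the ".deps.json" file in any published .NET application's output folder.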
INDICATORS OF COMPROMISE
There are no current indicators of compromise, but this vulnerability can be taken advantage of by malware to run malicious scripts via PowerShell.
- Check versions of PowerShell and .NET SDK
- Update .NET SDK packages to secure versions indicated on Microsoft’s GitHub
- Update PowerShell Core to the latest version
- Stephen Jones, Senior Director Cybersecurity
- Susan Verdin, Cybersecurity Analyst