Microsoft urges Admin to patch PowerShell vulnerability on Windows

By bypassing WDAC, hackers can access user credentials in unencrypted text.

WDAC is designed to protect Windows devices from potentially malicious code by ensuring that only trusted applications and drivers can run. As a result, it prevents malicious software from launching on Windows.

When software-based WDAC security is enabled on Windows, PowerShell automatically goes into restricted language mode and restricts access to only allowing access to a certain set of Windows APIs.

By exploiting the WDAC bypass with vulnerability CVE-2020-0951, hackers can circumvent this system's limited list. From there, they can execute PowerShell commands without being blocked.

"To exploit the vulnerability, an attacker needs Admin access on the local computer where PowerShell is running. The hacker can then connect to a PowerShell session and send commands to execute arbitrary code," Microsoft shared.

The second vulnerability, assigned code CVE-2021-41355, is a disclosure vulnerability in .NET Core. It makes it possible for users' credentials to be leaked as plain text on devices running non-Windows platforms.

How to check if you are affected

The vulnerability CVE-2020-0951 affects both PowerShell 7 and PowerShell 7.1, while CVE-2021-41355 affects only PowerShell 7.1.

To check which version of PowerShell you are using you can execute the command pwsh -v from Command Prompt.

Microsoft shared that there are currently no mitigations that can prevent the exploitation of these vulnerabilities. Therefore, the software giant urges Admins to soon update PowerShell 7.0.8 and 7.1.5 for PowerShell 7 and PowerShell 7.1 respectively to protect the system from potential attacks.

Samuel Daniel

Update 20 October 2021