Microsoft has released a security advisory for PowerShell version 7.0 and PowerShell version 7.2. The affected versions of PowerShell are prone to information disclosure vulnerability. We look at the key aspects of the security vulnerability and the fix offered by Microsoft to mitigate the threat. The security note has been released on 9th August 2022.
Spoofing Vulnerability affecting PowerShell
The security vulnerability that affects PowerShell 7.0 (and prior versions) and PowerShell 7.2 (and prior versions) is of the type of ‘information disclosure vulnerability’. An attacker could use the security flaw in the affected PowerShell versions to access proprietary or privileged information of the business.
The vulnerability is tracked under CVE-2022-34716. The details of CVE-2022-34716 are listed below:
- CVE-2022-34716 has a CVSS rating of 5.9.
- The impact of the vulnerability or severity of the vulnerability is ‘medium’.
- The attack complexity of CVE-2022-34712 is complex. The attacker would need to launch a blind XXE attack to target the vulnerability.
- The vulnerability is less likely to be exploited. There are no recorded exploitation instances as of now.
- The vulnerability has not been publicly disclosed as in the actual details of accessing or targeting the vulnerability.
- The underlying cause of the vulnerability is .NET spoofing.
How to mitigate CVE-2022-34716 on PowerShell versions?
CVE-2022-34716 affects PowerShell 7.0 and PowerShell 7.2 versions and other preceding versions of PowerShell. Microsoft has released updated versions of PowerShell to mitigate the CVE-2022-34716 vulnerability.
- CVE-2022-34716 is resolved for PowerShell version 7.0 and prior versions in PowerShell version 7.0.12. You can download PowerShell version 7.0.12 from the GitHub page of Microsoft and install it on the Windows, Linux or macOS systems.
- CVE-2022-34716 is resolved for PowerShell version 7.2 and prior versions in PowerShell version 7.2.6. You can download PowerShell version 7.2.6 from the GitHub page of Microsoft. You can download the package that corresponds to Windows, macOS or Linux installations.
Installing PowerShell on Windows is a straight forward task. We suggest using the MSI installer to install the latest stable release version of PowerShell. It would be PowerShell version 7.0.12 or PowerShell version 7.2.6. For more details on how you can install PowerShell, please follow the instructions on this page. It may be pertinent to mention over here that PowerShell 7.2.6 supersedes the PowerShell 7.2.5 version.
A new ‘Preview’ release of PowerShell is also available in PowerShell 7.3 version. For your applications and network, we suggest that you should stick to using the latest stable release version of PowerShell. For the LTS 7.2 series, please deploy PowerShell 7.2.6. For the older versions and PowerShell 7.0, please deploy PowerShell 7.0.12.
How do I find my PowerShell version?
You can find the current version of PowerShell on the system through the version command.
- Launch the PowerShell command prompt.
- Type the command pwsh -v to find the version of PowerShell install on your computer.
Application compatibility with PowerShell upgrades
One of the chief worries for application developers is the impact of upgrading PowerShell on the applications that are deployed in live environments. Will an update of PowerShell cause incompatibility with the already deployed applications? Will the PowerShell update lead to application crash? These are natural and logical questions for application development team and the IT teams of your organization.
Sadly, there is not an easy way to find this. So, we suggest the following approach that can be adopted as part of a change management window:
- Upgrade the PowerShell environment to the latest version 7.2.6 or 7.0.12. Remember, if you are on the PowerShell 7.2 series, you need to push for PowerShell 7.2.6. If you are on PowerShell 7.0 or older version, you require PowerShell version 7.0.12.
- Once you have deployed the latest PowerShell stable release versions, please validate your application’s compatibility, functioning and deliverability of intended goals.
- If your application is compatible with PowerShell 7.2.6 or PowerShell 7.0.12 (as the case may be), no further action is needed on your side.
- However, there is a different course of action if it turns out that the latest PowerShell stable release version is incompatible with your application. In such cases, you will need to rollback the PowerShell version to the earlier version that was deployed in your environment.
- Once the PowerShell environment has been downgraded to the previous version of PowerShell, you can validate the application’s working. If all works fine, you will need to work towards making your application compatible with PowerShell 7.2.6 or PowerShell 7.0.12.
- Upon modifying the application for PowerShell compatibility, you can update PowerShell to the latest stable release version 7.2.6 or 7.0.12.
Unfortunately, there is no simpler way to get your application to work with the latest PowerShell versions. So, you would have to make alterations in the application code to get the application to work with the newest PowerShell versions.
Can PowerShell be updated automatically through Microsoft Updates?
Yes, PowerShell can be automatically updated to the latest version through Microsoft Update program. You need to be aware of the following conditions for PowerShell update to happen through Microsoft Update:
- Windows 10 version 1709 or Windows versions later than this version can automatically update PowerShell through Windows Update.
- On a similar basis, Windows Server 2016 October update and later versions are eligible to receive PowerShell updates automatically as part of Windows Update or WSUS.
There is another important fact to note before you decide to update PowerShell automatically through the Windows Update program.
PowerShell updates get pushed out to Microsoft Updates after a few weeks from the date of release of the security advisory. PowerShell 7.2.6 and PowerShell 7.0.12 were released on 9th August, 2022. So, you can expect to receive PowerShell updates (on the eligible systems) in Microsoft Update in a couple of weeks from the date of release of the security release. If you do not wish to wait until then, please proceed with manual installation of the latest versions of PowerShell.
PowerShell can be automatically updated as part of Microsoft Update program through one of the following methods:
- Windows Update for Business
- WSUS or Windows Server Update Service
- Microsoft Endpoint Configuration Manager
Summary
CVE-2022-34716 vulnerability affects PowerShell 7.0 and PowerShell 7.2 versions. To mitigate the threat, install the latest version of PowerShell 7.2.6 or PowerShell 7.0.12. The latest version of PowerShell can be deployed manually through the GitHub page. Or, alternatively, you could wait for the latest PowerShell update to be sent as part of Microsoft Update program.
Other Microsoft Updates for August 2022:
- KB5016616 Cumulative Update for Windows Server 20H2 Server Core Installation
- KB5016627 Cumulative Update for Windows Server 2022
- KB5016684 Security Update for Windows Server 2012 – August 9 2022
- KB5016681 Monthly Rollup Update for Windows Server 2012 R2
- KB5016623 Cumulative Update for Windows Server 2019 – 9th August 2022
- KB5016622 Cumulative Update for Windows Server 2016 – August 9, 2022
- KB5016683 Security Update for Windows Server 2012 R2
Rajesh Dhawan is a technology professional who loves to blog about smart wearables, Cloud computing and Microsoft technologies. He loves to break complex problems into manageable chunks of meaningful information.