Description Preview
Overview
CVE-2020-16886 affects the PowerShellGet V2 module, which is used for installing and managing PowerShell modules. The vulnerability allows an attacker with administrator privileges to bypass Windows Defender Application Control (WDAC) policy restrictions. To exploit this vulnerability, an attacker would need to create a configuration that includes installing the PowerShellGet V2 module from the PowerShell Gallery onto a machine with WDAC configured to allow the module to run. Once this is done, PowerShell script can be injected and executed with full trust, enabling arbitrary code execution on the affected system. This vulnerability specifically relates to how the module processes URLs, which could be manipulated to bypass security controls.
Remediation
To address this vulnerability, Microsoft has released a security update that changes how URLs are processed in the PowerShellGet V2 module. Users should:
- Apply the latest Microsoft security updates through Windows Update
- Ensure PowerShellGet module is updated to the latest version
- Review WDAC policies to ensure they are properly configured
- Monitor for suspicious PowerShell activity, especially in environments where PowerShellGet is used
- Consider implementing additional security controls such as PowerShell logging and constrained language mode where appropriate
References
- Microsoft Security Advisory: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-16886
- Microsoft Security Response Center: https://msrc.microsoft.com/
- PowerShellGet documentation: https://docs.microsoft.com/en-us/powershell/module/powershellget/
- Windows Defender Application Control documentation: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control
Industry ExposureMost to leastThis section illustrates the prevalence of a specific Common Vulnerabilities and Exposures (CVE) across various industries based on customer reports. The ranking displays industries from the most to least affected by this particular vulnerability, offering valuable insight into where this CVE has been most frequently observed. This information can help organizations within these sectors prioritize their security efforts, understand their relative risk exposure compared to their peers, and focus remediation strategies where they are most needed. By understanding the industry-specific impact, organizations can make more informed decisions regarding patching, resource allocation, and overall risk management related to this CVE.
- ManufacturingManufacturing
- Health Care & Social AssistanceHealth Care & Social Assistance
- Educational ServicesEducational Services
- Public AdministrationPublic Administration
- Arts, Entertainment & RecreationArts, Entertainment & Recreation
- Finance and InsuranceFinance and Insurance
- Professional, Scientific, & Technical ServicesProfessional, Scientific, & Technical Services
- Retail TradeRetail Trade
- Transportation & WarehousingTransportation & Warehousing
- UtilitiesUtilities
- Accommodation & Food ServicesAccommodation & Food Services
- Administrative, Support, Waste Management & Remediation ServicesAdministrative, Support, Waste Management & Remediation Services
- Agriculture, Forestry Fishing & HuntingAgriculture, Forestry Fishing & Hunting
- ConstructionConstruction
- InformationInformation
- Management of Companies & EnterprisesManagement of Companies & Enterprises
- MiningMining
- Other Services (except Public Administration)Other Services (except Public Administration)
- Real Estate Rental & LeasingReal Estate Rental & Leasing
- Wholesale TradeWholesale Trade
