Microsoft Security Advisory CVE-2018-8256: Microsoft PowerShell Remote Code Execution Vulnerability

Executive Summary

A remote code execution vulnerability exists when PowerShell improperly handles specially crafted files. An attacker who successfully exploited this vulnerability could execute malicious code on a vulnerable system.

To exploit the vulnerability, an attacker must send a specially crafted file to a vulnerable system.

The security update fixes the vulnerability by ensuring PowerShell properly handles files.

System administrators are advised to update PowerShell Core to version 6.0.5 or 6.1.1.

Affected Software

The vulnerability affects PowerShell Core prior to the following versions:

The vulnerability also affects Microsoft.PowerShell.Archive if it was installed from the PowerShell Gallery. The issue was fixed in version 1.2.2.

Advisory FAQ

How do I know if I am affected?

PowerShell Core

If all of the following are true:

1. Run pwsh -v, then, check the version in the table in Affected Software to see if your version of PowerShell Core is affected.
2. If you are running a version of PowerShell Core where the executable is not pwsh or pwsh.exe, then you are affected. This only existed for preview version of 6.0.

Microsoft.PowerShell.Archive installed from the PowerShell Gallery

1. Run Get-InstalledModule -name Microsoft.PowerShell.Archive from PowerShell. If the module version is less than 1.2.2.0, then you are affected.

How do I update to an unaffected version?

PowerShell Core

Follow the instructions at Installing PowerShell Core to install the latest version of PowerShell Core.

Microsoft.PowerShell.Archive installed from the PowerShell Gallery

Run Update-Module Microsoft.PowerShell.Archive

Other Information

Commit IDs

3f85c94b
da5d8e70

Reporting Security Issues

If you have found a potential security issue in PowerShell Core,
please email details to secure@microsoft.com.

Support

You can ask questions about this issue on GitHub in the PowerShell organization.
This is located at https://github.com/PowerShell/.
The Announcements repo (https://github.com/PowerShell/Announcements)
will contain this bulletin as an issue and will include a link to a discussion issue where you can ask questions.

What if the update breaks my script or module?

You can uninstall the newer version of PowerShell Core and install the previous version of PowerShell Core.
This should be treated as a temporary measure.
Therefore, the script or module should be updated to work with the patched version of PowerShell Core.

Acknowledgments

Snyk Security Research Team

Microsoft recognizes the efforts of those in the security community who help us protect customers through coordinated vulnerability disclosure.

See acknowledgments for more information.

External Links

CVE-2018-8256

Revisions

V1.0 (November 13, 2018): Advisory published.
V1.1 (November 14, 2018): Fix typo in how to tell if `Microsoft.PowerShell.Archive' in affected when installed from the PowerShell Gallery.

Version 1.1
Last Updated 2018-11-14