Microsoft urges PowerShell users to upgrade to protect against critical vulnerability
Microsoft has issued a warning to users of PowerShell 7.0 and 7.1 to update their software to protect against a .NET Core remote code execution vulnerability.
Tracked as CVE-2021-26701, the vulnerability is described as critical and could affect Windows, macOS and Linux. The security issue has been known about for a little while, but Microsoft is only now urging users to install updates to ensure that they are protected.
Microsoft says that it "is releasing this security advisory to provide information about a vulnerability in .NET 5.0, and .NET Core 3.1 which were released with PowerShell 7.0 and 7.1. This advisory also provides guidance on what developers can do to update their applications to remove this vulnerability".
It adds:
A remote code execution vulnerability exists in .NET 5 and .NET Core due to how text encoding is performed.
In a post on the Microsoft Azure website, the company says:
If you manage your Azure resources from PowerShell version 7.0 or 7.1, we've released new versions of PowerShell to address a .NET Core remote code execution vulnerability in versions 7.0 and 7.1.
We recommend that you install the updated versions as soon as possible. Windows PowerShell 5.1 isn't affected by this issue.
As there is no way to mitigate the vulnerability, users are being encouraged to install the latest update for their version of the software. Anyone running PowerShell 7.0 needs to update to version 7.0.6, while anyone using PowerShell 7.1 needs to install version 7.1.3.
Anyone with queries about the vulnerability is encouraged to post questions on GitHub.