CVE-2022-45183 in PowerShell Universal

Summary

by MITRE • 11/14/2022

Escalation of privileges in the Web Server in Ironman Software PowerShell Universal 2.x and 3.x allows an attacker with a valid app token to retrieve other app tokens by ID via an HTTP web request. Patched Versions are 3.5.3, 3.4.7, and 2.12.6.


Analysis

by VulDB Data Team • 12/17/2022

The vulnerability identified as CVE-2022-45183 represents a critical privilege escalation flaw within the web server component of Ironman Software PowerShell Universal versions 2.x and 3.x. This security weakness enables authenticated attackers with valid application tokens to exploit a design flaw that allows them to retrieve other application tokens by their identifiers through HTTP web requests. The vulnerability stems from inadequate access controls and improper validation of token retrieval requests within the web server's authentication subsystem. The flaw exists in the application's token management system, where the web server fails to properly verify the privileges of requesting users before exposing token information to external queries.

The technical implementation of this vulnerability falls under CWE-284 which describes improper access control mechanisms within software systems. Attackers can leverage this weakness by crafting specific HTTP requests that target the token retrieval endpoint, bypassing normal authentication checks that should prevent unauthorized access to other users' tokens. The exploitation process involves sending crafted web requests that include the target token ID in the request parameters, allowing the attacker to obtain sensitive authentication credentials that belong to other users within the system. This flaw creates a direct path for lateral movement and privilege escalation within the PowerShell Universal environment, as the retrieved tokens can be used to impersonate other legitimate users.

The operational impact of CVE-2022-45183 extends beyond simple credential theft, as it fundamentally compromises the authentication integrity of the entire PowerShell Universal platform. Once an attacker gains access to additional app tokens, they can potentially access restricted resources, execute unauthorized commands, and maintain persistent access to the system. This vulnerability particularly affects organizations that rely on PowerShell Universal for automation and remote management tasks, as the stolen tokens could enable attackers to perform administrative functions without proper authorization. The vulnerability also creates opportunities for attackers to escalate their privileges to the system level, potentially leading to complete system compromise. Organizations using versions 2.x and 3.x of PowerShell Universal face significant risk exposure, as the flaw allows attackers to expand their access beyond their initial foothold.

Mitigation strategies for this vulnerability should focus on immediate patching of affected systems to versions 3.5.3, 3.4.7, and 2.12.6 which contain the necessary security fixes. Organizations should also implement additional access controls and network segmentation to limit the exposure of the web server to untrusted networks. Security monitoring should be enhanced to detect unusual token retrieval patterns and unauthorized access attempts to the web server endpoints. The ATT&CK framework categorizes this vulnerability under privilege escalation techniques, specifically T1078 which covers valid accounts and T1566 which covers credential harvesting through network attacks. Regular security audits and privilege reviews should be conducted to ensure that token management practices remain secure, and organizations should consider implementing additional authentication layers such as multi-factor authentication to reduce the impact of credential compromise.
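The patch guidance above, as an added example that is not part of the original entry or the vendor's code: a Python triage of an inventory against the fixed releases 3.5.3, 3.4.7 and 2.12.6. It assumes plain numeric version strings, that 3.0 to 3.3 installs must move to 3.4.7 or later, and that releases after 3.5.3 keep the fix; the hostnames and status labels are constructed.

```python
# Added example: fixed releases come from the advisory text; the rest is assumed.
FIXED = {"2.x": (2, 12, 6), "3.4": (3, 4, 7), "3.5": (3, 5, 3)}

def parse_version(text):
    """Parse 'major.minor[.patch]' into a 3-tuple; raise ValueError otherwise."""
    parts = text.strip().split(".")
    if not 2 <= len(parts) <= 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognized version: {text!r}")
    nums = [int(p) for p in parts]
    return tuple(nums + [0] * (3 - len(nums)))

def triage(version_text):
    """Return (status, minimum fixed release or None) for one installed version."""
    try:
        v = parse_version(version_text)
    except ValueError:
        return ("unknown", None)          # needs manual review, never "patched"
    if v[0] < 2:
        return ("not-listed", None)       # advisory names only 2.x and 3.x
    if v[0] == 2:
        fixed = FIXED["2.x"]
    elif v[:2] <= (3, 4):
        fixed = FIXED["3.4"]              # 3.0-3.3: no in-branch fix is listed
    elif v[:2] == (3, 5):
        fixed = FIXED["3.5"]
    else:
        return ("assumed-patched", None)  # assumption: later releases keep the fix
    if v >= fixed:
        return ("patched", None)
    return ("vulnerable", ".".join(map(str, fixed)))

def hosts_to_patch(inventory):
    """Map host -> action for every host that is not confirmed safe."""
    actions = {}
    for host, version in inventory.items():
        status, target = triage(version)
        if status == "vulnerable":
            actions[host] = f"upgrade to {target}"
        elif status == "unknown":
            actions[host] = "verify version manually"
    return actions

# Constructed inventory: hostnames and versions are made up for illustration.
SAMPLE = {"psu-a": "3.5.2", "psu-b": "3.4.7", "psu-c": "3.2.0",
          "psu-d": "2.12.5", "psu-e": "3.5.3-beta", "psu-f": "3.6.0"}

if __name__ == "__main__":
    for host, action in hosts_to_patch(SAMPLE).items():
        print(f"{host}: {action}")
```

Pre-release or otherwise non-numeric version strings are reported for manual verification rather than being counted as patched.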

Reservation: 11/11/2022
Disclosure: 11/14/2022
Moderation: accepted
CPE: ready
EPSS: 0.00768
KEV: no
Activities: very low
