We would like to notify our users of a security vulnerability that was discovered. This vulnerability affects versions of PowerShell Universal prior to 1.2.5. We recommend that you upgrade to the latest version to ensure the vulnerability is patched. Users that are currently running Universal will be prompted within the software to update.
A non-privileged user could modify the operator and administrator policy scripts to grant themselves a higher level of privilege.
On the afternoon of June 25th, 2020 we were notified by one of our users that the application was not behaving as expected. That evening, we verified, remediated and tested a fix for the issue. The morning of June 26th, 2020, we released version 1.2.5 to address the issue and notify our users.
By design, a non-privileged user cannot not modify anything within the Universal Admin Console nor REST API without the proper role assigned. In versions prior to 1.2.5, non-privileged users could modify role policy scripts. Role policy scripts are used to determine the role that is assigned to a user as they login to Universal. The endpoint that is used to update this resource was not properly protected in versions prior to 1.2.5. This meant that any authenticated user could modify the role policy script. Unauthenticated users would not have access to do so. The authenticated user could modify the script in a way to grant themselves a higher level of privilege. Upon their next login, they would then be granted this higher level of privilege and thus be able to manipulate any resource within the Universal system.
The endpoint that is used to modify role policy settings is now properly protected by the role-based access controls provided by ASP.NET Core and the Universal platform.