我中心技术支撑单位“深圳网安检测”近日监测到一则关于微软 PowerShell 存在远程代码执行漏洞（CVE-2022-41076）的安全公告, 经过身份认证的远程攻击者可利用此漏洞绕过沙箱限制在目标机器上执行任意代码。经分析，PowerShell 支持基于 WinRM 协议的远程命令，服务器若启用了 PSRemoting 即可进行远程访问或通信，一旦攻击者成功利用该漏洞， 在通过身份验证后即可规避 PSRemote 会话配置，并运行未经批准的命令获取目标主机控制权。目前，漏洞技术细节、POC 及 EXP 已公开。由于 PowerShell 作为 Windows 上的默认工具，也可运行在 Linux 和 macOS 系统，因此应用范围广泛，威胁影响较大。建议各行业单位运维部门及时自查服务器 PowerShell的PSRemoting 启用情况，同时尽快更新安全补丁加强防护。

PowerShell 是美国微软（Microsoft）公司开发的一种跨平台的任务自动化解决方案，由命令行shell、脚本语言和配置管理框架组成。大多数版本的 Windows 中均默认提供此工具，同时也可在 Linux 和 MacOS 上安装运行。

经过身份验证的远程攻击者可以在remote powershell会话中使用TabExpansion cmdlet，结合目录穿越载入任意dll，导致攻击者可以执行原本不能执行的cmdlet，从而在目标机器上执行任意代码。

漏洞名称：PowerShell 远程代码执行

漏洞编号：CVE-2022-41076

危害等级：高 

受影响版本

· Windows 10 Version 21H1 for ARM64-based Systems

· Windows 10 Version 21H1 for x64-based Systems

· Windows Server 2019 (Server Core installation)

· Windows Server 2019

· Windows 10 Version 1809 for ARM64-based Systems

· Windows 10 Version 1809 for x64-based Systems

· Windows 10 Version 1809 for 32-bit Systems

· Windows 10 Version 20H2 for ARM64-based Systems

· Windows 10 Version 20H2 for 32-bit Systems

· Windows 10 Version 20H2 for x64-based Systems

· Windows Server 2022 Datacenter: Azure Edition

· Windows Server 2022 (Server Core installation)

· Windows Server 2022

· Windows 10 Version 21H1 for 32-bit Systems

· Windows Server 2012 R2 (Server Core installation)

· Windows Server 2012 R2

· Windows Server 2012 (Server Core installation)

· Windows Server 2012

· Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)

· Windows Server 2008 R2 for x64-based Systems Service Pack 1

· Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)

· Windows 10 Version 22H2 for x64-based Systems

· Windows 11 Version 22H2 for x64-based Systems

· Windows 11 Version 22H2 for ARM64-based Systems

· Windows 10 Version 21H2 for x64-based Systems

· Windows 10 Version 21H2 for ARM64-based Systems

· Windows 10 Version 21H2 for 32-bit Systems

· Windows 11 for ARM64-based Systems

· Windows 11 for x64-based Systems

· Windows Server 2008 for x64-based Systems Service Pack 2

· Windows Server 2008 for 32-bit Systems Service Pack 2(Server Core installation)

· Windows Server 2008 for 32-bit Systems Service Pack 2

· Windows RT 8.1

· Windows 8.1 for x64-based systems

· Windows 8.1 for 32-bit systems

· Windows 7 for x64-based Systems Service Pack 1

· Windows 7 for 32-bit Systems Service Pack 1

· Windows Server 2016 (Server Core installation)

· Windows Server 2016

· Windows 10 Version 1607 for x64-based Systems

· Windows 10 Version 1607 for 32-bit Systems

· Windows 10 for x64-based Systems

· Windows 10 for 32-bit Systems

· Windows 10 Version 22H2 for 32-bit Systems

· Windows 10 Version 22H2 for ARM64-based Systems

· PowerShell 7.2

· PowerShell 7.3

1.目前微软官方已发布漏洞补丁，请受影响用户及时更新；

下载链接：

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-41076

2.如不需使用远程访问或通信也可通过关闭 PSRemoting 和 WinRM 协议规避风险。

自查 PSRemoting 启用状态，以管理员身份运行 power shell 输入以下命令检查启用情况：

Get-PSSessionConfiguration

检查WinRM 协议启用情况：

Get-Service WinRM

注：PSRemoting 相关配置可访问下方参考链接2。

参考链接：

[1]https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-41076

[2]https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/enable-psremoting?view=powershell-7.3