Unable to fully resolve CVE-2018-8256 on Windows Server 2016 (microsoft.powershell.archive)


Installed PowerShell Core 7.0, but the vulnerability scanner keeps detecting the file version of microsoft.powershell.archive.psd1 as vulnerable. Can this file or folder (microsoft.powershell.archive) be deleted? I tried to update the module, but PowerShell returned that I can only install the newer version and run it side by side with the old version.
 
Any suggestions? Out of ideas besides manually taking ownership and deleting the file/folders.
 
References:
https://github.com/PowerShell/PowerShell/issues/8251
 

Below is the scanner's rule and results, i.e.


Rule:
EXECUTE {
    import re
    from version import Version as V, VersionException as VE

    try:
        sysRoot = env.getHostVariable( 'windows_system_root_directory' )
    except KeyError:
        rule.STOP( False )

    file = r'system32\windowspowershell\v1.0\modules\microsoft.powershell.archive\microsoft.powershell.archive.psd1'
    path = r'%s\%s' % (sysRoot,file)
    rule.CIFSGetFile(path.lower().replace(':', '$:'))
    if rule.success:
        ver = re.search('ModuleVersion="([\d+.]+)"', rule.buffer)
        if ver:
            try:
                if V(ver.group(1)) < V('1.2.2'):
                    rule.STOP(True)
            except VE:
                rule.STOP(False)
    rule.STOP(False)
}

 

Info:
Path: c$:\windows\system32\windowspowershell\v1.0\modules\microsoft.powershell.archive\microsoft.powershell.archive.psd1

Data: @{\x0d\x0aGUID="eb74e8da-9ae2-482a-a648-e96550fb8733"\x0d\x0aAuthor="Microsoft Corporation"\x0d\x0aCompanyName="Microsoft Corporation"\x0d\x0aCopyright="\xa9 Microsoft Corporation. All rights reserved."\x0d\x0aModuleVersion="1.0.1.0"\x0d\x0aFunctionsToExport = @('Compress-Archive', 'Expand-Archive')\x0d\x0aDotNetFrameworkVersion = 4.5\x0d\x0aCmdletsToExport = @()\x0d\x0aAliasesToExport = @()\x0d\x0aNestedModules="Microsoft.PowerShell.Archive.psm1"\x0d\x0aHelpInfoURI = 'http://go.microsoft.com/fwlink/?LinkId=393254'\x0d\x0a}\x0d\x0a
 

0 Replies
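
An offline re-creation of the scanner rule quoted in the post, added here as an example (it is not part of the original post and not the scanner vendor's code). It shows that the verdict depends only on the `ModuleVersion="..."` string in the one manifest the rule fetches from the Windows PowerShell modules folder, so a newer copy of the module installed side by side elsewhere does not change the result. `parse_version` and `is_older` are stand-ins for the scanner's `version` module, and `rule_flags` and the sample manifest are constructed for this example.

```python
import re

# Constructed sample: the manifest text from the post's "Data:" field, with the
# \x0d\x0a escapes turned into real line breaks (some fields omitted).
WINPS_MANIFEST = (
    '@{\r\n'
    'GUID="eb74e8da-9ae2-482a-a648-e96550fb8733"\r\n'
    'ModuleVersion="1.0.1.0"\r\n'
    "FunctionsToExport = @('Compress-Archive', 'Expand-Archive')\r\n"
    '}\r\n'
)

FIXED_VERSION = "1.2.2"  # threshold used by the rule in the post


def parse_version(text):
    """Stand-in for the scanner's Version class: dotted integers as a tuple."""
    return tuple(int(part) for part in text.split("."))


def is_older(found, fixed):
    """Compare two dotted versions after padding both to the same length."""
    a, b = parse_version(found), parse_version(fixed)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return a < b


def rule_flags(manifest_text):
    """Return True when the rule would report the host as vulnerable.

    manifest_text is the content of the single .psd1 the rule reads, or None
    when the file could not be fetched (rule.success is false).
    """
    if manifest_text is None:
        return False                      # file absent: rule.STOP(False)
    ver = re.search(r'ModuleVersion="([\d+.]+)"', manifest_text)
    if not ver:
        return False                      # different quoting/spacing: no match
    try:
        return is_older(ver.group(1), FIXED_VERSION)
    except ValueError:                    # mirrors "except VE: rule.STOP(False)"
        return False


if __name__ == "__main__":
    print("manifest from the post flagged:", rule_flags(WINPS_MANIFEST))
```

Note that the rule returns "not vulnerable" both when the file cannot be read and when the manifest writes the version in another form (for example `ModuleVersion = '1.0.1.0'`), so a clean result from this rule reflects the text of that file only.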