CVE-2023-49213
📋 TL;DR
This vulnerability allows remote attackers to execute arbitrary commands on Ironman PowerShell Universal servers via crafted HTTP requests to API endpoints. Attackers can achieve remote code execution by exploiting improper input sanitization when param blocks are used. Organizations running affected versions of PowerShell Universal are at risk.
💻 Affected Systems
- Ironman PowerShell Universal
📦 What is this software?
Powershell Universal by Ironmansoftware
⚠️ Risk & Real-World Impact
Worst Case
Full system compromise with attacker gaining complete control over the PowerShell Universal server, potentially leading to lateral movement within the network, data exfiltration, or deployment of ransomware.
Likely Case
Remote code execution allowing attackers to run arbitrary PowerShell commands on the server, potentially accessing sensitive data, modifying configurations, or installing malware.
If Mitigated
Limited impact with proper network segmentation and access controls preventing external access to vulnerable endpoints.
🎯 Exploit Status
The vulnerability requires sending crafted HTTP requests to API endpoints. No authentication is required for exploitation.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 3.10.2, 4.1.10, or 4.2.1
Vendor Advisory: https://blog.ironmansoftware.com/powershell-universal-apis-cve/
Restart Required: Yes
Instructions:
1. Identify your current PowerShell Universal version.
2. Upgrade to version 3.10.2 if using v3.x, 4.1.10 if using v4.1.x, or 4.2.1 if using v4.2.x.
3. Restart the PowerShell Universal service.
🔧 Temporary Workarounds
Network Access Restriction
Restrict network access to PowerShell Universal API endpoints using firewall rules or network segmentation.
Disable Unnecessary API Endpoints
Review and disable any API endpoints that use param blocks and are not required for operations.
🧯 If You Can't Patch
- Implement strict network segmentation to isolate PowerShell Universal servers from untrusted networks
- Deploy web application firewall (WAF) rules to block suspicious API requests and command injection patterns
🔍 How to Verify
Check if Vulnerable:
Check the PowerShell Universal version via the web interface or the configuration files. If the version is in the range 3.0.0 to 4.2.0 and is not one of the patched versions, the system is vulnerable.
Check Version:
Check the web interface dashboard or the configuration file at C:\ProgramData\Universal\universal.config (Windows) or /etc/universal/universal.config (Linux).
Verify Fix Applied:
Verify version is 3.10.2, 4.1.10, or 4.2.1 after upgrade. Test API endpoints that previously used param blocks to ensure proper input sanitization.
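The version check above, as an added example that is not part of this advisory or of Ironman Software's code: it classifies a version string read from the dashboard or config file against the affected range and the per-branch fix releases named here. It goes slightly beyond the text in treating any release at or above a branch's fix release as patched, and in treating 4.0.x (which has no fix release of its own) as needing an upgrade; both are this author's reading of the advisory, and the sample versions are constructed.

```python
# Added example: classify a PowerShell Universal version against CVE-2023-49213.
# Assumptions (not from the advisory): dotted numeric version strings such as
# "4.1.9"; releases at or above a branch's fix release count as patched; 4.0.x
# has no fix release of its own and must move to a fixed branch.

# Fix releases named in the advisory, keyed by the version prefix they apply to.
FIXED_BY_BRANCH = {
    (3,): (3, 10, 2),     # any 3.x   -> fixed at 3.10.2
    (4, 1): (4, 1, 10),   # 4.1.x     -> fixed at 4.1.10
    (4, 2): (4, 2, 1),    # 4.2.x     -> fixed at 4.2.1
}
# Affected range stated in the advisory (inclusive).
VULN_LOW, VULN_HIGH = (3, 0, 0), (4, 2, 0)


def parse_version(text):
    """'4.1.9' -> (4, 1, 9); short strings are zero-padded, e.g. '3.9' -> (3, 9, 0)."""
    parts = tuple(int(p) for p in text.strip().split("."))
    if len(parts) < 2:
        raise ValueError(f"unrecognised version string: {text!r}")
    return (parts + (0, 0, 0))[:3]


def fix_release_for(version):
    """Fix release for this version's branch, or None if the advisory names none."""
    for branch, fixed in FIXED_BY_BRANCH.items():
        if version[: len(branch)] == branch:
            return fixed
    return None


def assess(version_text):
    """Return 'patched', 'vulnerable' or 'out-of-range' for a version string."""
    v = parse_version(version_text)
    fixed = fix_release_for(v)
    if fixed is not None and v >= fixed:
        return "patched"        # at or above the fix release for its branch
    if VULN_LOW <= v <= VULN_HIGH:
        return "vulnerable"     # inside the advisory's affected range, below the fix
    return "out-of-range"       # not covered by this advisory


if __name__ == "__main__":
    # Constructed sample versions, covering each outcome.
    for sample in ("4.1.9", "4.2.0", "4.0.3", "3.10.2", "4.1.10", "2.9.0"):
        print(f"{sample:>7}: {assess(sample)}")
```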
📡 Detection & Monitoring
Log Indicators:
- Unusual API requests with command-like parameters
- Failed authentication attempts to API endpoints
- Unexpected PowerShell process execution
Network Indicators:
- HTTP requests to PowerShell Universal API endpoints with suspicious parameters
- Outbound connections from PowerShell Universal server to unexpected destinations
SIEM Query:
source="powershell-universal" AND (http_method="POST" OR http_method="PUT") AND (uri="/api/*" OR uri="/universal/*") AND (param_contains="cmd" OR param_contains="powershell" OR param_contains="exec")