aad-app-credential-tools
Script for CVE-2021-42306 appears to be Windows only
The script (https://github.com/microsoft/aad-app-credential-tools/blob/main/azure-automation/CVE-2021-42306-AutomationAssessAndMitigate.ps1) used to determine if Automation accounts are vulnerable to CVE-2021-42306 and mitigate the issue appears to be Windows only.
Running it with PowerShell 7.2 and PowerShell Core gives the error below.
./CVE-2021-42306-AutomationAssessAndMitigate.ps1: The script 'CVE-2021-42306-AutomationAssessAndMitigate.ps1' cannot be run because it contained a "#requires" statement for PowerShell editions 'Desktop'. The edition of PowerShell that is required by the script does not match the currently running PowerShell Core edition.
Please can a cross-platform version of the script be provided?
It would also be nice to clarify why "run as administrator" is required.
Ack the request. We didn't want to impose PS7 as the requirement to mitigate, as most customers are on PS5. We will provide the PS7 version on Monday to support all OS flavors.
It appears the only things that are not possible x-plat are the two lines here:
https://github.com/microsoft/aad-app-credential-tools/blob/main/azure-automation/CVE-2021-42306-AutomationAssessAndMitigate.ps1#L469-L470
- Export-PfxCertificate is part of the PKI module, which is only available on Windows
- [System.Web.Security.Membership]::GeneratePassword() is also Windows only
Password creation is simple enough to replace with another function, e.g. https://gist.github.com/indented-automation/2093bd088d59b362ec2a5b81a14ba84e#file-new-password-ps1
Would generating a certificate in a Key Vault be a sensible option? But then there's a requirement to have a pre-existing Key Vault, or to create one to utilise.
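As an added example, not code from the aad-app-credential-tools repository or from any commenter in this thread, the following shows how the two Windows-only calls named above can be swapped for .NET APIs that PowerShell 7 exposes on Linux and macOS as well as Windows: RandomNumberGenerator.GetInt32 in place of Membership.GeneratePassword(), and X509Certificate2.Export() in place of Export-PfxCertificate. The function names (New-RandomPassword, Export-PfxCrossPlatform), the self-signed test certificate built with CertificateRequest and the temp-file path are assumptions made for this demonstration; the script's own variable names and arguments are not reproduced.

```powershell
#Requires -Version 7.0
# Added example (not from the repo): cross-platform stand-ins for the two
# Windows-only calls, Export-PfxCertificate and Membership.GeneratePassword().
using namespace System.Security.Cryptography
using namespace System.Security.Cryptography.X509Certificates

function New-RandomPassword {
    # Replaces [System.Web.Security.Membership]::GeneratePassword(), which lives
    # in System.Web and is absent from .NET (Core). GetInt32 is a CSPRNG call
    # that returns a uniform index in [0, n), so there is no modulo bias.
    param([int]$Length = 32)
    $alphabet = [char[]]'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789!@#$%^&*-_=+'
    $chars = [char[]]::new($Length)
    for ($i = 0; $i -lt $Length; $i++) {
        $chars[$i] = $alphabet[[RandomNumberGenerator]::GetInt32($alphabet.Length)]
    }
    -join $chars
}

function Export-PfxCrossPlatform {
    # Replaces Export-PfxCertificate (PKI module, Windows only) with
    # X509Certificate2.Export(), which .NET implements on every platform.
    param(
        [Parameter(Mandatory)][X509Certificate2]$Certificate,
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][securestring]$Password
    )
    if (-not $Certificate.HasPrivateKey) {
        throw 'Certificate has no private key; there is nothing to export as a PFX.'
    }
    $bytes = $Certificate.Export([X509ContentType]::Pfx, $Password)
    try {
        [System.IO.File]::WriteAllBytes($Path, $bytes)
    } finally {
        # The PFX bytes contain the private key; do not leave them in memory.
        [Array]::Clear($bytes, 0, $bytes.Length)
    }
    Get-Item $Path
}

# Demo input, constructed here and not taken from the script: a self-signed RSA
# certificate created with CertificateRequest rather than the Windows-only
# New-SelfSignedCertificate cmdlet.
$rsa = [RSA]::Create(2048)
try {
    $req  = [CertificateRequest]::new('CN=example-automation-runas', $rsa,
                [HashAlgorithmName]::SHA256, [RSASignaturePadding]::Pkcs1)
    $cert = $req.CreateSelfSigned([DateTimeOffset]::UtcNow, [DateTimeOffset]::UtcNow.AddYears(1))

    $plain  = New-RandomPassword -Length 32
    $secure = ConvertTo-SecureString -String $plain -AsPlainText -Force
    $pfx    = Join-Path ([System.IO.Path]::GetTempPath()) 'example-runas.pfx'
    Export-PfxCrossPlatform -Certificate $cert -Path $pfx -Password $secure | Out-Null

    # Round-trip check: the PFX must load with the generated password and still
    # carry the private key, otherwise the rotation would upload an unusable cert.
    $reloaded = [X509Certificate2]::new($pfx, $secure)
    if ($reloaded.Thumbprint -ne $cert.Thumbprint -or -not $reloaded.HasPrivateKey) {
        throw 'PFX round-trip failed'
    }
    "Wrote $pfx (thumbprint $($reloaded.Thumbprint)) protected by a $($plain.Length)-character password"
} finally {
    $rsa.Dispose()
}
```

The round-trip check loads the PFX back with the default key-storage flags, which on Windows persists the private key in the current user's key store; pass an explicit X509KeyStorageFlags value if that matters in your environment. Everything above runs under PowerShell 7 without the PKI module, so the two `#Requires` lines that block the Core edition would no longer be needed for the mitigation path.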
Might be worth adding that if you comment out the two #Requires statements you can check the resources but not remediate them 🎉
#Requires -PSEdition Desktop
#Requires -RunAsAdministrator