CVE-2022-21991 Visual Studio Code Remote Development Extension Remote Code Execution Vulnerability.

Microsoft is aware of the remote code execution vulnerability, and has released an extension for its official code editor, Visual Studio Code, that plugs the hole. The remote code execution vulnerability can be exploited by sending a specially crafted file to a developer’s team via email, or when a developer simply visits a malicious webpage. Once the developer has access to the remote file system, they can execute any code they’d like. End users should avoid sending remote code execution exploits via email, unless they have a legitimate reason to. Reputable developers and organizations should consider using an internal code review tool, such as TFS, to avoid exposing their customers to malicious code.
As this vulnerability is prevalent, especially in remote development scenarios like pair programming, it’s important to watch out for suspicious activities. End users should be on the lookout for any unusual file transfers in the development team’s code review system, or via email.

How to prevent code execution in Visual Studio Code

There are a few ways to prevent code execution in Visual Studio Code. One way is to disable the extension, which will remove access to any malicious code loaded by the extension. This can be done through the extensions panel in Visual Studio Code’s settings. You can also set up your team’s configuration file with an absolute path that prevents any access to the remote files, such as one blocking all remote file system access on all computers within your team or organization.
Though these methods are effective, there is no 100% guarantee of preventing code execution because they rely on developer knowledge and assume developers are not executing malicious code themselves. For example, when developers create a package or install a new dependency within their project, they must click ‘yes’ when prompted whether to load it from a remote location. Some developers might be unaware of this prompt and therefore still suffer from this vulnerability.
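Before disabling or updating anything, a team needs to know which workstations carry the Remote Development extensions and at what version. The script below is an added example, not code from the original page or from Microsoft: it parses the list printed by `code --list-extensions --show-versions` and flags extensions from the `ms-vscode-remote` publisher that are older than a minimum version. The minimum version and the sample list are constructed placeholders, and matching on the publisher prefix is this example's assumption.

```sh
#!/bin/sh
# Added example (not from the original page): flag Remote Development
# extensions older than a minimum version. Input is the "publisher.name@version"
# list that `code --list-extensions --show-versions` prints.

# Constructed placeholder, NOT the real fixed version: take that from the
# vendor advisory for the extension you run.
PLACEHOLDER_MIN_VERSION="0.100.0"

# version_lt A B: succeed when dotted numeric version A is lower than B.
version_lt() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    n = split(a, x, "."); m = split(b, y, ".")
    for (i = 1; i <= (n > m ? n : m); i++) {
      if (x[i] + 0 < y[i] + 0) exit 0
      if (x[i] + 0 > y[i] + 0) exit 1
    }
    exit 1
  }' < /dev/null
}

# audit_remote_extensions MIN: read the list on stdin, report every extension
# from the ms-vscode-remote publisher, return 1 if any is below MIN.
audit_remote_extensions() {
  min="$1"; outdated=0
  while IFS= read -r line; do
    case "$line" in
      ms-vscode-remote.*@*) ;;
      *) continue ;;
    esac
    id="${line%@*}"; ver="${line##*@}"
    if version_lt "$ver" "$min"; then
      echo "OUTDATED $id $ver"; outdated=1
    else
      echo "OK $id $ver"
    fi
  done
  return "$outdated"
}

# Constructed sample list; on a workstation pipe in the real one instead:
#   code --list-extensions --show-versions | audit_remote_extensions "$MIN"
audit_remote_extensions "$PLACEHOLDER_MIN_VERSION" <<'EOF' || echo "update or disable the OUTDATED entries"
ms-python.python@2022.0.1
ms-vscode-remote.remote-ssh@0.70.0
ms-vscode-remote.remote-containers@0.217.4
EOF
```

The non-zero return value makes the function usable as a gate in a fleet compliance check or a login script.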

Attack scenario

An attacker sends a malicious file to the developer through email. The developer opens the file and executes it.

How to protect a team from remote code execution vulnerability

To protect from this vulnerability, end users should avoid sending remote code execution exploits via email. If an email does contain an exploit, the developer should immediately report it to their team or a third party for additional review. They may also want to employ an internal code review tool like Visual Studio Code’s Team Foundation Server (TFS) extension, which prevents malicious files from being sent via email. These tools are especially helpful for remote development scenarios like pair programming and can be easily enabled in the team settings for that specific project.

Microsoft released an extension for Visual Studio Code to fix the vulnerability

The remote code execution vulnerability was found on May 10th, 2019, and Microsoft has since released an extension for its official code editor, Visual Studio Code. The extension addresses the vulnerability by preventing malicious files from being sent to the developer’s team.

Timeline

Published on: 02/09/2022 17:15:00 UTC
Last modified on: 02/24/2022 17:46:00 UTC
