Technical Details Released for Visual Studio Code RCE (CVE-2023-36742) Vulnerability
In recent security news, two researchers, Thomas Chauchefoin and Paul Gerste from SonarSource, have disclosed technical details for a critical Visual Studio Code remote code execution vulnerability and shared a public proof-of-concept (PoC) exploit. This vulnerability, tracked as CVE-2023-36742 with a CVSS score of 7.8, affects Visual Studio Code versions 1.82.0 and earlier.
The vulnerability stems from the ability to execute arbitrary commands locally by utilizing a maliciously crafted package.json file. This scenario requires the attacker to persuade the VS Code user to open the malicious project and interact with malformed entries in the dependencies section of the package.json file.
VS Code relies on the locally installed npm command to retrieve information about package dependencies. However, the flaw allows package dependencies to be named in a way that triggers the npm tool to execute a script instead of the intended behavior.
The fix for this vulnerability is available starting with VS Code version 1.82.1. The fix addresses the issue by disabling npm usage in untrusted workspaces and implementing additional input validation when calling the npm command. Additionally, users should refrain from interacting with dependencies sections in package.json files originating from untrusted sources.
In their technical writeup, the researchers highlight the intriguing use of NPM’s global configuration option, –globalconfig, to exploit the vulnerability. This manipulation leads to an arbitrary configuration being loaded from a local file named description, which is also part of the malicious project.
While the researchers acknowledge that the exploit may not be applicable in more recent versions of NPM and other platforms, it underscores the potential for remote code execution attacks in untrusted workspaces. Users are strongly advised to update to the latest version of VS Code (1.82.1 or later) and exercise caution when opening projects from untrusted sources.
The researchers have shared a video demonstrating how to exploit the CVE-2023-36742 vulnerability in Visual Studio Code. This video serves as a valuable resource for security professionals and developers alike, enabling them to better understand the attack vector and implement appropriate mitigation strategies.