Bugs discovered in VSCode Extensions Could Lead to Supply Chain Attacks

May 28, 2021

Intense security flaws uncovered in well-liked Visible Studio Code extensions could permit attackers to compromise nearby equipment as effectively as establish and deployment systems by a developer’s integrated growth surroundings (IDE).

VS Code extensions, like browser add-ons, allow developers to augment Microsoft’s Visual Studio Code source-code editor with additional features like programming languages and debuggers relevant to their development workflows. VS Code is used by 14 million active users, making it a huge attack surface. The attack scenarios devised by Snyk bank on the possibility that the installed extensions could be abused as a vector for supply chain attacks by exploiting weaknesses in the plugins to break into a developer system effectively. To that effect, the researchers examined VS Code extensions that had vulnerable implementations of local web servers.

As a proof-of-concept (PoC) demonstration, the researchers showed it was possible to exploit this flaw to steal SSH keys from a developer who is running VS Code and has Instant Markdown or Open in Default Browser installed in the IDE. LaTeX Workshop, on the other hand, was found susceptible to a command injection vulnerability due to unsanitized input that could be exploited to run malicious payloads.

Lastly, an extension named Rainbow Fart was ascertained to have a zip slip vulnerability, which allows an adversary to overwrite arbitrary files on a victim’s machine and gain remote code execution. In an attack formulated by the researchers, a specially-crafted ZIP file was sent over an “import-voice-package” endpoint used by the plugin and written to a location that’s outside of the working directory of the extension.

“This attack could be used to overwrite files like ‘.bashrc’ and gain remote code execution eventually,” the researchers noted.

Recommendations:

Do not trust blindly on any third party written code pieces.
Developers should be aware of the extensions or plugins they are integrating in their IDE.
Regularly update the extensions, plugins with the latest security patches released.

Cookie	Duration	Description
cookielawinfo-checbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

Bugs discovered in VSCode Extensions Could Lead to Supply Chain Attacks

Security Team

Related Posts

Cyberattack Group ‘Awaken Likho’ Targets Russian Government with Advanced Tools

Apple Releases Critical iOS and iPadOS Updates to Fix Password and Audio Vulnerabilities

WordPress Lite Speed Cache Plugin Security Flaw Exposes Sites to XSS

Our Offices

Corporate Office (HO):

UK Office:

Registered Office (Delhi):

Noida Office:

Phone:

Email

Click To Download

Download CyberSRC Services & Portfolio & Datasheets

Download Case Studies

Download Company Brochure