Bugs discovered in VSCode Extensions Could Lead to Supply Chain Attacks
Severe security flaws uncovered in popular Visual Studio Code extensions could allow attackers to compromise local machines as well as build and deployment systems through a developer's integrated development environment (IDE).
VS Code extensions, like browser add-ons, allow developers to augment Microsoft's Visual Studio Code source-code editor with additional features such as support for further programming languages and debuggers relevant to their development workflows. VS Code has 14 million active users, making it a huge attack surface. The attack scenarios devised by Snyk hinge on the possibility that installed extensions could be abused as a vector for supply chain attacks: weaknesses in the plugins are exploited to break into a developer's system. To that end, the researchers examined VS Code extensions that had vulnerable implementations of local web servers.
As a proof-of-concept (PoC) demonstration, the researchers showed it was possible to exploit these vulnerable local web servers to steal SSH keys from a developer who is running VS Code and has Instant Markdown or Open in Default Browser installed in the IDE. LaTeX Workshop, on the other hand, was found susceptible to a command injection vulnerability due to unsanitized input that could be exploited to run malicious payloads.
Lastly, an extension named Rainbow Fart was found to have a zip slip vulnerability, which allows an adversary to overwrite arbitrary files on a victim's machine and gain remote code execution. In an attack formulated by the researchers, a specially crafted ZIP file was sent over an "import-voice-package" endpoint used by the plugin and written to a location outside of the extension's working directory.
“This attack could be used to overwrite files like ‘.bashrc’ and gain remote code execution eventually,” the researchers noted.
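Zip slip works because an archive entry name such as `../../.bashrc` is joined onto the extraction directory without checking where the resulting path ends up. The following Python example (added here; it is not Rainbow Fart's code, which is JavaScript, nor part of the original article) shows the defensive check: every entry is resolved against the destination root and refused if it escapes it. The archive, its entry names and the `safe_extract` function are all constructed for illustration.

```python
"""Extract a ZIP archive while refusing entries that escape the destination.

Added illustration of a zip-slip mitigation; the archive contents below are
constructed sample data, not anything taken from a real extension package.
"""
import io
import os
import tempfile
import zipfile
from pathlib import Path


def build_sample_archive() -> bytes:
    """Build an in-memory ZIP with one benign entry and one traversal entry."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("voices/hello.mp3", b"benign audio bytes")
        # The entry name climbs out of the extraction directory: the zip-slip pattern.
        zf.writestr("../../.bashrc", b"# would land in a shell startup file")
    return buf.getvalue()


def is_within(root: Path, target: Path) -> bool:
    """True if target resolves to root itself or to a descendant of root."""
    try:
        target.resolve().relative_to(root.resolve())
        return True
    except ValueError:
        return False


def safe_extract(archive_bytes: bytes, dest: Path):
    """Write only entries whose resolved path stays under dest.

    Returns (extracted, rejected): lists of entry names in archive order.
    """
    dest = dest.resolve()
    extracted, rejected = [], []
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename
            # Absolute paths and drive letters can never be legitimate entries.
            if os.path.isabs(name) or os.path.splitdrive(name)[0]:
                rejected.append(name)
                continue
            target = dest / name
            # The core check: resolve symlinks and ".." before deciding.
            if not is_within(dest, target):
                rejected.append(name)
                continue
            if info.is_dir():
                target.mkdir(parents=True, exist_ok=True)
                continue
            target.parent.mkdir(parents=True, exist_ok=True)
            with zf.open(info) as src, open(target, "wb") as dst:
                dst.write(src.read())
            extracted.append(name)
    return extracted, rejected


def demo():
    """Run safe_extract on the sample archive inside a throwaway directory.

    Returns (extracted, rejected, benign_bytes) so the outcome can be checked.
    """
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        extracted, rejected = safe_extract(build_sample_archive(), root)
        benign = (root / "voices" / "hello.mp3").read_bytes()
        return extracted, rejected, benign


if __name__ == "__main__":
    ok, bad, _ = demo()
    print("extracted:", ok)
    print("rejected:", bad)
```

The decisive step is resolving the joined path before writing: a lexical check for `..` alone misses encodings, redundant separators and symlinks that an attacker can route through, whereas comparing the resolved path against the resolved root catches all of them. The same check belongs in any importer that accepts archives from untrusted sources, such as the "import-voice-package" endpoint described above.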
Recommendations:
- Do not blindly trust third-party code.
- Developers should be aware of the extensions or plugins they integrate into their IDE.
- Regularly update extensions and plugins with the latest security patches.