Avoid listening on all interfaces when debugging a remote extension host #142541

Closed
connor4312 opened this issue Feb 8, 2022 · 0 comments
Labels
debug Debug viewlet, configurations, breakpoints, adapter issues security

connor4312 commented Feb 8, 2022

VS Code - Remote Code Execution Vulnerability

A remote code execution vulnerability exists in VS Code 1.64.0 and earlier versions when debugging VS Code extensions remotely, for example using the Visual Studio Code Remote - SSH extension to connect to a machine and then develop a VS Code extension on that machine. When debugging VS Code extensions remotely, the remote extension host process would be launched in a way in which it would listen for debugger connections on all network interfaces.

Patches

The fix is available starting with VS Code 1.64.1. The fix (91f7694) mitigates this attack by launching the remote extension host in a way in which it listens for debugger connections only on the loopback interface when debugging VS Code extensions remotely.

Workarounds

There are no known workarounds for debugging VS Code extensions remotely. An alternative would be to develop and debug VS Code extensions locally.

References

@connor4312 connor4312 added bug Issue identified by VS Code Team member as probable bug important Issue identified as high-priority labels Feb 8, 2022
@connor4312 connor4312 added this to the January 2022 Recovery 1 milestone Feb 8, 2022
@connor4312 connor4312 self-assigned this Feb 8, 2022
@connor4312 connor4312 reopened this Feb 25, 2022
@connor4312 connor4312 added the verified Verification succeeded label Feb 25, 2022
@github-actions github-actions bot locked and limited conversation to collaborators Apr 11, 2022
@alexdima alexdima added security debug Debug viewlet, configurations, breakpoints, adapter issues and removed bug Issue identified by VS Code Team member as probable bug verified Verification succeeded important Issue identified as high-priority labels May 25, 2022
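
The advisory above turns on which interface the debugger port is bound to. As an added example (not code from the issue or from VS Code), this classifier checks a Node.js command line's `--inspect` / `--inspect-brk` flags and reports whether the inspector would listen on loopback only. It assumes the process under review is a Node.js process started with those flags; the function names and sample command lines are constructed for illustration.

```javascript
// Added example: classify Node.js inspector flags by the interface they bind to.
// Node accepts --inspect[=[host:]port] and --inspect-brk[=[host:]port];
// with no host given, the inspector binds to 127.0.0.1 on port 9229.
const INSPECT_FLAG = /^--inspect(?:-brk)?(?:=(.*))?$/;

// Split "[host:]port". IPv6 hosts are written in brackets, e.g. [::1]:9229.
function splitHostPort(value) {
  if (value === undefined || value === '') return { host: '127.0.0.1', port: 9229 };
  if (/^\d+$/.test(value)) return { host: '127.0.0.1', port: Number(value) };
  const m = /^(\[[^\]]+\]|[^:]+)(?::(\d+))?$/.exec(value);
  if (!m) return null; // unparseable value: the caller treats it as exposed
  const host = m[1].replace(/^\[|\]$/g, '');
  return { host, port: m[2] ? Number(m[2]) : 9229 };
}

function isLoopback(host) {
  const h = host.toLowerCase();
  return h === 'localhost' || h === '::1' || /^127(\.\d{1,3}){3}$/.test(h);
}

// Returns 'none' (no inspector), 'loopback', or 'exposed' for one argv array.
function classifyInspector(argv) {
  let verdict = 'none';
  for (const arg of argv) {
    const m = INSPECT_FLAG.exec(arg);
    if (!m) continue;
    const target = splitHostPort(m[1]);
    if (!target || !isLoopback(target.host)) return 'exposed';
    verdict = 'loopback';
  }
  return verdict;
}

// Constructed sample command lines (not taken from VS Code).
const samples = [
  ['node', '--inspect=0.0.0.0:5870', 'host.js'],   // all IPv4 interfaces
  ['node', '--inspect-brk=[::]:9229', 'host.js'],  // all IPv6 interfaces
  ['node', '--inspect=127.0.0.1:5870', 'host.js'], // loopback only
  ['node', '--inspect', 'host.js'],                // default bind, loopback
  ['node', 'host.js'],                             // inspector not enabled
];
for (const argv of samples) {
  console.log(classifyInspector(argv).padEnd(9), argv.slice(1).join(' '));
}
```

Feed it the argument vectors of running Node.js processes on a shared development host to flag any inspector that is reachable from other machines.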