An elevation of privilege vulnerability exists in VS Code v1.71.0 and earlier versions where on a shared Windows machine, a low-privileged user can create a bash.exe
executable in a location where terminal profiles are detected. This detected profile is then exposed in the terminal profiles list and can be run easily by a higher-privileged user on the same machine. The paths in question were:
C:\Cygwin64\bin\bash.exe
C:\Cygwin\bin\bash.exe
C:\ProgramData\scoop\apps\git-with-openssh\current\bin\bash.exe
Patches
The fix is available starting with VS Code 1.71.1. The fix (0b356bf) mitigates this attack by removing those paths completely from the terminal profile detection feature.
Workarounds
Avoid running terminal profiles that are not expected to be installed on the machine. An administrator may be able to lock down the folders in question.
References
An elevation of privilege vulnerability exists in VS Code v1.71.0 and earlier versions where on a shared Windows machine, a low-privileged user can create a
bash.exe
executable in a location where terminal profiles are detected. This detected profile is then exposed in the terminal profiles list and can be run easily by a higher-privileged user on the same machine. The paths in question were:C:\Cygwin64\bin\bash.exe
C:\Cygwin\bin\bash.exe
C:\ProgramData\scoop\apps\git-with-openssh\current\bin\bash.exe
Patches
The fix is available starting with VS Code 1.71.1. The fix (0b356bf) mitigates this attack by removing those paths completely from the terminal profile detection feature.
Workarounds
Avoid running terminal profiles that are not expected to be installed on the machine. An administrator may be able to lock down the folders in question.
References