A remote code execution vulnerability exists in Visual Studio Code when a user is tricked into opening a malicious 'package.json' file. An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the current user. If the current user is logged on with administrative user rights, an attacker could take control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
To exploit this vulnerability, an attacker would need to convince a target to clone a repository and open it in Visual Studio Code. Attacker-specified code would execute when the target opens the malicious 'package.json' file.
The update addresses the vulnerability by modifying the way Visual Studio Code handles JSON files.
{"id": "MS:CVE-2020-17023", "bulletinFamily": "microsoft", "title": "Visual Studio JSON Remote Code Execution Vulnerability", "description": "A remote code execution vulnerability exists in Visual Studio Code when a user is tricked into opening a malicious 'package.json' file. An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the current user. If the current user is logged on with administrative user rights, an attacker could take control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.\n\nTo exploit this vulnerability, an attacker would need to convince a target to clone a repository and open it in Visual Studio Code. Attacker-specified code would execute when the target opens the malicious 'package.json' file.\n\nThe update address the vulnerability by modifying the way Visual Studio Code handles JSON files.\n", "published": "2020-10-15T07:00:00", "modified": "2020-10-15T07:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"acInsufInfo": false, "cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": true}, "cvss3": {"cvssV3": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, 
"exploitabilityScore": 1.8, "impactScore": 5.9}, "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2020-17023", "reporter": "Microsoft", "references": [], "cvelist": ["CVE-2020-17023"], "immutableFields": [], "type": "mscve", "lastseen": "2022-10-03T16:29:37", "edition": 1, "viewCount": 74, "enchantments": {"backreferences": {"references": [{"idList": ["KLA11980"], "type": "kaspersky"}, {"idList": ["SMB_NT_MS20_OCT_VISUAL_STUDIO_CODE.NASL"], "type": "nessus"}, {"idList": ["THREATPOST:2C2827FBF9D900F4194802CE8C471B4C"], "type": "threatpost"}, {"idList": ["CISA:C14D003FF1B3CB2AB78DBB99347FF1E2"], "type": "cisa"}, {"idList": ["CVE-2020-17023"], "type": "cve"}]}, "dependencies": {"references": [{"idList": ["KLA11980"], "type": "kaspersky"}, {"idList": ["THREATPOST:AACCB861556B5F149B9D739F4717C3C3"], "type": "threatpost"}, {"idList": ["SMB_NT_MS20_OCT_VISUAL_STUDIO_CODE.NASL"], "type": "nessus"}, {"idList": ["CISA:C14D003FF1B3CB2AB78DBB99347FF1E2"], "type": "cisa"}, {"idList": ["CVE-2020-17023"], "type": "cve"}], "rev": 4}, "exploitation": null, "score": {"value": 2.4, "vector": "NONE"}, "vulnersScore": 2.4}, "_state": {"dependencies": 1664814947, "score": 1664815070}, "_internal": {"score_hash": "21dd4adf929b72c6b9739c45a2b38b26"}, "kbList": [], "msrc": "", "mscve": "CVE-2020-17023", "msAffectedSoftware": [], "vendorCvss": {"baseScore": "7.8", "temporalScore": "7.0", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C"}}
{"nessus": [{"lastseen": "2022-11-21T14:41:38", "description": "The version of Microsoft Visual Studio Code installed on the remote Windows host is prior to 1.50.1. It is, therefore, affected by the following vulnerability:\n\n - A remote code execution vulnerability exists in Visual Studio Code when a user is tricked into opening a malicious 'package.json' file. An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the current user. If the current user is logged on with administrative user rights, an attacker could take control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. To exploit this vulnerability, an attacker would need to convince a target to clone a repository and open it in Visual Studio Code. Attacker-specified code would execute when the target opens the malicious 'package.json' file.\n (CVE-2020-17023)", "cvss3": {"score": 7.8, "vector": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}, "published": "2020-10-27T00:00:00", "type": "nessus", "title": "Security Update for Microsoft Visual Studio Code (CVE-2020-17023)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2020-17023"], "modified": "2022-04-11T00:00:00", "cpe": ["cpe:/a:microsoft:visual_studio_code"], "id": "SMB_NT_MS20_OCT_VISUAL_STUDIO_CODE.NASL", "href": "https://www.tenable.com/plugins/nessus/141931", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\n# The descriptive text and package checks in this plugin were\n# extracted from the Microsoft Security Updates API. 
The text\n# itself is copyright (C) Microsoft Corporation.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(141931);\n script_version(\"1.4\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/04/11\");\n\n script_cve_id(\"CVE-2020-17023\");\n script_xref(name:\"IAVA\", value:\"2020-A-0459-S\");\n\n script_name(english:\"Security Update for Microsoft Visual Studio Code (CVE-2020-17023)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote host has an application installed that is missing a security update.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of Microsoft Visual Studio Code installed on the remote\nWindows host is prior to 1.50.1. It is, therefore, affected by the\nfollowing vulnerability:\n\n - A remote code execution vulnerability exists in Visual Studio Code when a\n user is tricked into opening a malicious 'package.json' file. An attacker who\n successfully exploited the vulnerability could run arbitrary code in the\n context of the current user. If the current user is logged on with\n administrative user rights, an attacker could take control of the affected\n system. An attacker could then install programs; view, change, or delete\n data; or create new accounts with full user rights. To exploit this\n vulnerability, an attacker would need to convince a target to clone a\n repository and open it in Visual Studio Code. 
Attacker-specified code would\n execute when the target opens the malicious 'package.json' file.\n (CVE-2020-17023)\");\n script_set_attribute(attribute:\"see_also\", value:\"https://code.visualstudio.com/updates/v1_50\");\n # https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-17023\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?5b0953a5\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to Microsoft Visual Studio Code 1.50.1 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-17023\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/10/15\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/10/15\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/10/27\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:microsoft:visual_studio_code\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_set_attribute(attribute:\"thorough_tests\", value:\"true\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows\");\n\n script_copyright(english:\"This script is Copyright (C) 2020-2022 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"microsoft_visual_studio_code_installed.nbin\", \"microsoft_visual_studio_code_win_user_installed.nbin\");\n script_require_keys(\"installed_sw/Microsoft Visual Studio Code\", \"SMB/Registry/Enumerated\");\n\n exit(0);\n}\n\ninclude('vcf.inc');\n\nget_kb_item_or_exit('SMB/Registry/Enumerated');\n\napp_info = vcf::get_app_info(app:'Microsoft Visual Studio Code', win_local:TRUE);\n\nvcf::check_granularity(app_info:app_info, sig_segments:3);\n\nconstraints = [\n { 'fixed_version' : '1.50.1' }\n];\n\nvcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_HOLE);\n\n\n\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "kaspersky": [{"lastseen": "2021-08-18T11:00:09", "description": "### *Detect date*:\n10/15/2020\n\n### *Severity*:\nHigh\n\n### *Description*:\nA remote code execution vulnerability was found in Microsoft Developer Tools. Malicious users can exploit this vulnerability to execute arbitrary code.\n\n### *Affected products*:\nVisual Studio Code\n\n### *Solution*:\nInstall necessary updates from the KB section, that are listed in your Windows Update (Windows Update usually can be accessed from the Control Panel)\n\n### *Original advisories*:\n[CVE-2020-17023](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-17023>) \n\n\n### *Impacts*:\nACE \n\n### *Related products*:\n[Microsoft Visual Studio](<https://threats.kaspersky.com/en/product/Microsoft-Visual-Studio/>)\n\n### *CVE-IDS*:\n[CVE-2020-17023](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-17023>)9.3Critical", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", 
"userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-10-15T00:00:00", "type": "kaspersky", "title": "KLA11980 ACE vulnerability in Microsoft Developer Tools", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-17023"], "modified": "2020-10-19T00:00:00", "id": "KLA11980", "href": "https://threats.kaspersky.com/en/vulnerability/KLA11980/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "cve": [{"lastseen": "2022-03-23T14:29:45", "description": "A remote code execution vulnerability exists in Visual Studio Code when a user is tricked into opening a malicious 'package.json' file, aka 'Visual Studio JSON Remote Code Execution Vulnerability'.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2020-10-16T23:15:00", "type": "cve", "title": "CVE-2020-17023", "cwe": ["NVD-CWE-noinfo"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", 
"availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-17023"], "modified": "2020-10-20T16:22:00", "cpe": ["cpe:/a:microsoft:visual_studio_code:-"], "id": "CVE-2020-17023", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-17023", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:a:microsoft:visual_studio_code:-:*:*:*:*:*:*:*"]}], "cisa": [{"lastseen": "2021-02-24T18:06:44", "description": "Microsoft has released security updates to address remote code execution vulnerabilities affecting Windows Codecs Library and Visual Studio Code. An attacker could exploit these vulnerabilities to take control of an affected system.\n\nThe Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review the Microsoft security advisories for [CVE-2020-17022](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-17022>) and [CVE-2020-17023](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-17023>) and apply the necessary updates.\n\nThis product is provided subject to this Notification and this [Privacy & Use](<https://www.dhs.gov/privacy-policy>) policy.\n\n**Please share your thoughts.**\n\nWe recently updated our anonymous [product survey](<https://www.surveymonkey.com/r/CISA-cyber-survey?product=https://us-cert.cisa.gov/ncas/current-activity/2020/10/16/microsoft-releases-security-updates-address-remote-code-execution>); we'd welcome your feedback.\n", "edition": 2, "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", 
"baseScore": 7.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-10-16T00:00:00", "type": "cisa", "title": "Microsoft Releases Security Updates to Address Remote Code Execution Vulnerabilities", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-17022", "CVE-2020-17023"], "modified": "2020-10-16T00:00:00", "id": "CISA:C14D003FF1B3CB2AB78DBB99347FF1E2", "href": "https://us-cert.cisa.gov/ncas/current-activity/2020/10/16/microsoft-releases-security-updates-address-remote-code-execution", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "threatpost": [{"lastseen": "2020-10-19T15:17:24", "description": "Microsoft has issued out-of-band patches for two \u201cimportant\u201d severity vulnerabilities, which if exploited could allow for remote code execution.\n\nOne flaw (CVE-2020-17023) exists in Microsoft\u2019s Visual Studio Code is a free source-code editor made by Microsoft for Windows, Linux and macOS. 
The other (CVE-2020-17022) is in the Microsoft Windows Codecs Library; the codecs module provides stream and file interfaces for transcoding data in Windows programs.\n\n\u201cMicrosoft has released security updates to address remote code execution vulnerabilities affecting Windows Codecs Library and Visual Studio Code,\u201d according to [a Friday CISA alert on the patches](<https://us-cert.cisa.gov/ncas/current-activity/2020/10/16/microsoft-releases-security-updates-address-remote-code-execution>). \u201cAn attacker could exploit these vulnerabilities to take control of an affected system.\u201d\n\n[](<https://threatpost.com/newsletter-sign/>)\n\nAccording to Microsoft, one \u201cimportant\u201d severity flaw ([CVE-2020-17022](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-17022>)) stems from the way that Microsoft Windows Codecs Library handles objects in memory. This vulnerability has a CVSS score of 7.8 out of 10.\n\nAn attacker who successfully exploited the vulnerability could execute arbitrary code, according to Microsoft. While an attacker could be remote to launch the attack, exploitation requires that a program process a specially crafted image file.\n\nOnly customers who have installed the optional HEVC or \u201cHEVC from Device Manufacturer\u201d media codecs from Microsoft Store may be vulnerable. 
The secure Microsoft installed packed versions are 1.0.32762.0, 1.0.32763.0, and later.\n\n\u201cThe update addresses the vulnerability by correcting how Microsoft Windows Codecs Library handles objects in memory,\u201d according to Microsoft.\n\nThe other \u201cimportant\u201d severity flaw (which also has a CVSS score of 7.8 out of 10) exists in Visual Studio Code, when a user is tricked into opening a malicious \u2018package.json\u2019 file.\n\nAccording to Microsoft, an attacker who successfully exploited this flaw ([CVE-2020-17023](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-17023>)) could run arbitrary code in the context of the current user. An attacker would first need to convince a target to clone a repository and open it in Visual Studio Code (via social engineering or otherwise). The attacker\u2019s malicious code would execute when the target opens the malicious \u2018package.json\u2019 file.\n\n\u201cIf the current user is logged on with administrative user rights, an attacker could take control of the affected system,\u201d said Microsoft. \u201cAn attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.\u201d\n\nMicrosoft\u2019s update addresses the vulnerability by modifying the way Visual Studio Code handles JSON files.\n\nIn a Twitter thread, Justin Steven, who reported the flaw, said that the issue stems from a bypass of a previously deployed patch for an RCE flaw in Visual Studio Code (CVE-2020-16881).\n\n> Microsoft Visual Studio Code seems to have botched the fix for CVE-2020-16881, a \"remote code execution\" vulnerability regarding \"malicious package.json files\". The patch can be trivially bypassed. A thread \ud83e\uddf5\n> \n> \u2014 GNU/JUSTIN (@justinsteven) [October 2, 2020](<https://twitter.com/justinsteven/status/1312152915344195584?ref_src=twsrc%5Etfw>)\n\nNeither flaw has been observed being exploited in the wild according to Microsoft. 
Microsoft also did not offer mitigations or workarounds for other flaws \u2013 but updates will be automatically installed for users.\n\n\u201cAffected customers will be automatically updated by Microsoft Store,\u201d according to Microsoft. \u201cCustomers do not need to take any action to receive the update.\u201d\n\nThe fixes come days after [Microsoft\u2019s October Patch Tuesday updates](<https://threatpost.com/october-patch-tuesday-wormable-bug/160044/>), during which it released fixes for 87 security vulnerabilities, 11 of them critical \u2013 and one potentially wormable.\n\nIn the case of these bugs, \u201cservicing for store apps/components does not follow the monthly \u2018Update Tuesday\u2019 cadence, but are offered whenever necessary,\u201d according to Microsoft.\n", "cvss3": {}, "published": "2020-10-16T20:47:02", "type": "threatpost", "title": "Microsoft Fixes RCE Flaws in Out-of-Band Windows Update", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2020-16881", "CVE-2020-17022", "CVE-2020-17023"], "modified": "2020-10-16T20:47:02", "id": "THREATPOST:AACCB861556B5F149B9D739F4717C3C3", "href": "https://threatpost.com/microsoft-rce-flaws-windows-update/160244/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}]}