Information Disclosure Vulnerability
Description
VS Code Information Disclosure Vulnerability
An information disclosure vulnerability exists in VS Code 1.78.0 and earlier versions on Windows when file system operations are performed on malicious UNC paths. Examples include reading or resolving metadata of such paths. An authorised attacker must send the user a malicious file and convince the user to open it for the vulnerability to occur. Exploiting this vulnerability could allow the disclosure of NTLM hashes.
Patches
The fix is available starting with VS Code 1.78.1. It involved changes to VS Code as well as the node.js component that VS Code leverages for file system operations:
• the change in 6a995c4 introduces a new setting security.allowedUNCHosts and a related prompt confirming to open UNC paths on startup
• the change in https://gist.github.com/bpasero/f7cf27c531146267706786e56234b8d6 patches node.js 16.17.1 to throw an error when using UNC paths in file system operations that are not in a set of allowed hosts
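The following is an added illustration of the allowlist idea behind the patch: a UNC path is recognised, its host is extracted, and a file system operation is refused unless that host is on a configured allowlist. It is not the VS Code change or the node.js patch itself; the function names, the error code string, the allowlist contents and the sample paths are all assumptions made for this example.

```javascript
// Added illustration of a UNC-host allowlist check. This is NOT the VS Code or
// node.js patch; function names, error code, allowlist and sample paths are assumed.

// Extract the host name from a Windows UNC path, or return null if the path is
// not UNC. Handles the plain form \\host\share\... and the long-path forms
// \\?\UNC\host\share\... and \\.\UNC\host\share\... (forward slashes tolerated).
function uncHost(p) {
  if (typeof p !== 'string') return null;
  const s = p.replace(/\//g, '\\');
  // \\?\UNC\host\share and \\.\UNC\host\share
  let m = /^\\\\[?.]\\UNC\\([^\\]+)(?:\\|$)/i.exec(s);
  if (m) return m[1];
  // \\?\C:\... is a local long path, not UNC
  if (/^\\\\[?.]\\/.test(s)) return null;
  m = /^\\\\([^\\]+)(?:\\|$)/.exec(s);
  return m ? m[1] : null;
}

// Normalise a host for comparison: lower-case, strip a trailing dot.
function normalizeHost(h) {
  return h.toLowerCase().replace(/\.$/, '');
}

// True when the path is local or its UNC host is on the allowlist.
function isPathAllowed(p, allowedHosts) {
  const host = uncHost(p);
  if (host === null) return true; // not a UNC path: nothing to gate
  const allowed = new Set(allowedHosts.map(normalizeHost));
  return allowed.has(normalizeHost(host));
}

// Guard to place in front of a file system operation: throws for UNC paths whose
// host is not allowlisted, mirroring the "throw an error" behaviour the advisory
// describes. The error code string is an assumption.
function assertPathAllowed(p, allowedHosts) {
  if (!isPathAllowed(p, allowedHosts)) {
    const err = new Error(`UNC host "${uncHost(p)}" is not allowed (path: ${p})`);
    err.code = 'ERR_UNC_HOST_NOT_ALLOWED';
    throw err;
  }
  return p;
}

// Constructed sample: an allowlist and paths a workspace file might hand to
// fs.readFile or fs.stat.
const ALLOWED_UNC_HOSTS = ['fileserver.corp.example'];
const SAMPLE_PATHS = [
  'C:\\Users\\dev\\project\\README.md',           // local path
  '\\\\fileserver.corp.example\\share\\doc.txt',  // allowlisted host
  '\\\\203.0.113.7\\share\\x',                    // IP-literal host, not allowlisted
  '\\\\?\\UNC\\outside.example\\c$\\x',           // long-path form, not allowlisted
  '//untrusted.example/share/x',                  // forward-slash form, not allowlisted
];

// Audit a batch of paths against the allowlist; returns one record per path.
function auditPaths(paths, allowedHosts) {
  return paths.map(p => ({ path: p, host: uncHost(p), allowed: isPathAllowed(p, allowedHosts) }));
}

for (const r of auditPaths(SAMPLE_PATHS, ALLOWED_UNC_HOSTS)) {
  console.log(`${r.allowed ? 'ALLOW' : 'BLOCK'}  ${r.path}`);
}
```

The check is deliberately applied before the file system call rather than after, because the NTLM exchange the advisory mentions is triggered by the attempt to reach the host, not by the result of the operation. Host comparison is case-insensitive and ignores a trailing dot, and the long-path prefix is handled so that `\\?\UNC\host\...` cannot slip past a check that only looks for a leading `\\host`.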
Workarounds
Do not open workspaces or files on UNC paths. Do not open workspaces or files that contain UNC paths as text.
References
- The patches for this can be found at 6a995c4 and https://gist.github.com/bpasero/f7cf27c531146267706786e56234b8d6
- MSRC details for this can be found at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-29338
- Our FAQ entry for how to work with UNC paths on Windows