Terminal profile elevation of privilege vulnerability #160827

Closed
@Tyriar

Description

An elevation of privilege vulnerability exists in VS Code v1.71.0 and earlier versions. On a shared Windows machine, a low-privileged attacker can create a bash.exe executable at one of the locations that terminal profile detection probes. The planted binary is then picked up as a detected profile, exposed in the terminal profiles list, and can easily be run by the vulnerable user. The paths in question were:

  • C:\Cygwin64\bin\bash.exe
  • C:\Cygwin\bin\bash.exe
  • C:\ProgramData\scoop\apps\git-with-openssh\current\bin\bash.exe

Patches

The fix is available starting with VS Code 1.71.1. The fix (0b356bf) mitigates this attack by removing those paths completely from the terminal profile detection feature.

Workarounds

Avoid running detected terminal profiles for tools that are not expected to be installed on the machine. An administrator may be able to lock down the folders in question so that low-privileged users cannot create files there.
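The following PowerShell script is an added example for administrators, not code from the advisory or from VS Code. It audits the three paths listed in the description on a Windows host: for each one it reports whether a bash.exe is present, the file's owner and Authenticode signature status, and whether the nearest existing parent directory grants create/write rights to low-privileged principals (the condition that lets a standard user plant the binary, and the thing the workaround's "lock down the folders" advice is about). The list of low-privileged principals and the write-rights mask are the script's own assumptions.

```powershell
# Added example, not code from the advisory or from VS Code: audit the three
# terminal-profile paths on a Windows host. For each path, report whether a
# bash.exe is present, its owner and Authenticode status, and whether the
# nearest existing parent directory lets low-privileged principals create or
# replace files there.

$ProfilePaths = @(
    'C:\Cygwin64\bin\bash.exe',
    'C:\Cygwin\bin\bash.exe',
    'C:\ProgramData\scoop\apps\git-with-openssh\current\bin\bash.exe'
)

# Assumption: principals every standard (non-administrator) interactive user belongs to.
$LowPrivPrincipals = @(
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE',
    'Everyone'
)

# Rights that allow creating or replacing content, plus the generic access bits
# (GENERIC_WRITE 0x40000000, GENERIC_ALL 0x10000000) that inherited ACEs on
# root directories are reported with as raw integers.
$WriteMask = [int][System.Security.AccessControl.FileSystemRights]::Write -bor
             [int][System.Security.AccessControl.FileSystemRights]::Delete -bor
             [int][System.Security.AccessControl.FileSystemRights]::Modify -bor
             [int][System.Security.AccessControl.FileSystemRights]::FullControl -bor
             0x40000000 -bor 0x10000000

function Get-NearestExistingDirectory([string]$Path) {
    # Walk upwards until a directory exists; for a missing C:\Cygwin64 this ends at C:\.
    $dir = Split-Path -Path $Path -Parent
    while ($dir -and -not (Test-Path -LiteralPath $dir)) {
        $dir = Split-Path -Path $dir -Parent
    }
    return $dir
}

function Get-LowPrivWriters([string]$Directory) {
    # Low-privileged principals holding an Allow ACE with write-type rights.
    # InheritOnly ACEs are kept on purpose: they apply to subfolders a user creates.
    $acl = Get-Acl -LiteralPath $Directory
    $acl.Access |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            $LowPrivPrincipals -contains $_.IdentityReference.Value -and
            (([int]$_.FileSystemRights) -band $WriteMask) -ne 0
        } |
        ForEach-Object { $_.IdentityReference.Value } |
        Sort-Object -Unique
}

function Get-TerminalProfilePathReport {
    foreach ($path in $ProfilePaths) {
        $exists  = Test-Path -LiteralPath $path -PathType Leaf
        $dir     = Get-NearestExistingDirectory $path
        $writers = @(Get-LowPrivWriters $dir)

        $owner = $null
        $sig   = $null
        if ($exists) {
            # Who put the file there, and does it carry a valid Authenticode signature?
            $owner = (Get-Acl -LiteralPath $path).Owner
            $sig   = (Get-AuthenticodeSignature -FilePath $path).Status
        }

        [pscustomobject]@{
            Path             = $path
            Present          = $exists
            Owner            = $owner
            Signature        = $sig
            CheckedDirectory = $dir
            LowPrivCanWrite  = ($writers.Count -gt 0)
            LowPrivWriters   = ($writers -join ', ')
        }
    }
}

Get-TerminalProfilePathReport | Format-List
```

A Present = True entry whose owner is an ordinary user account, or whose signature is NotSigned, deserves a closer look on a machine where Cygwin or scoop was never installed. A LowPrivCanWrite = True result for C:\ or C:\ProgramData is typical of a default Windows install, which is why the fix removed the paths from detection instead of relying on ACLs; an administrator who wants the workaround can pre-create the folders in question and restrict their ACLs, then re-run the report to confirm the writers list is empty.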
