CVE-2021-21415
📋 TL;DR
CVE-2021-21415 is a remote code execution vulnerability in the Prisma VS Code extension: when formatting or validation is triggered on a .prisma file, the extension runs the binary named by the prismaFmtBinPath setting, and that setting can be supplied by the workspace itself. An attacker who gets a user to open a malicious project containing a crafted .vscode/settings.json that points prismaFmtBinPath at an attacker-supplied binary therefore gets code execution as the VS Code user. Stable extension versions before 2.20.0 and Insider versions before 20.0.27 are affected.
💻 Affected Systems
- Prisma VS Code Extension (Prisma.prisma before 2.20.0; Prisma.prisma-insider before 20.0.27)
📦 What is this software?
Prisma is an open-source ORM for Node.js and TypeScript. The Prisma VS Code extension (Prisma.prisma, with a pre-release build published as Prisma.prisma-insider) adds syntax highlighting, formatting and validation for Prisma schema (.prisma) files. Formatting and validation are delegated to an external formatter binary, and the prismaFmtBinPath setting tells the extension which binary to run; that setting is what this vulnerability abuses.
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise through arbitrary code execution with the privileges of the VS Code user, potentially leading to data theft, ransomware deployment, or lateral movement.
Likely Case
Attackers execute malicious code on developer workstations to steal credentials, source code, or deploy malware.
If Mitigated
No impact if the extension is patched, or if the workarounds are applied so that no untrusted binary can be referenced by prismaFmtBinPath.
🎯 Exploit Status
Exploitation requires user interaction (opening a malicious project and then formatting or validating a .prisma file; with format-on-save enabled this happens on an ordinary save), but once the crafted .vscode/settings.json and its binary are in the repository the attack needs no further action from the attacker.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.20.0 (Prisma.prisma) and 20.0.27 (Prisma.prisma-insider)
Vendor Advisory: https://github.com/prisma/language-tools/security/advisories/GHSA-4rf9-43m7-x828
Restart Required: Yes
Instructions:
1. Open VS Code.
2. Go to the Extensions view (Ctrl+Shift+X).
3. Search for 'Prisma'.
4. Click Update on the Prisma extension (or Prisma Insider, if that is the build you use).
5. Restart VS Code after the update completes.
🔧 Temporary Workarounds
Remove malicious settings file
All platforms: delete or edit the .vscode/settings.json file to remove the prismaFmtBinPath setting
rm .vscode/settings.json
nano .vscode/settings.json (then remove the prismaFmtBinPath line)
Verify and remove malicious binary
All platforms: check whether the binary referenced in prismaFmtBinPath is malicious and delete it
file /path/to/binary (check file type)
rm /path/to/malicious-binary
🧯 If You Can't Patch
- Avoid opening untrusted Prisma projects or repositories; if you must, inspect .vscode/settings.json for prismaFmtBinPath before opening any .prisma file
- Disable auto-formatting (including format-on-save) and validation for Prisma files in VS Code settings
🔍 How to Verify
Check if Vulnerable:
Vulnerable if the installed Prisma extension is below 2.20.0 (stable) or below 20.0.27 (Insider); a .vscode/settings.json in an untrusted workspace that sets prismaFmtBinPath indicates an active attempt to exploit it.
Check Version:
code --list-extensions --show-versions | grep -i prisma
(each line has the form Publisher.name@version, e.g. Prisma.prisma@2.19.0)
Verify Fix Applied:
Verify the Prisma extension version is 2.20.0 or higher (20.0.27 or higher for Prisma Insider) in the VS Code Extensions view or in the output of the command above.
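The workaround (finding and removing a prismaFmtBinPath override) and the verification steps (version check) above, combined into one audit script. This is an added example, not code from the advisory or from the Prisma project. It assumes the namespaced form of the setting key is prisma.prismaFmtBinPath (the advisory only names prismaFmtBinPath, so the match accepts any prefix), the fixed versions stated above, and the Publisher.name@version line format of `code --list-extensions --show-versions`. The crafted settings.json and the formatter stub it writes into a temporary directory are constructed for the demo.

```shell
#!/bin/sh
# Added audit script for CVE-2021-21415 (not part of the Prisma project or the advisory).
# Assumptions: the setting key contains "prismaFmtBinPath" (namespaced form assumed to be
# "prisma.prismaFmtBinPath"); fixed versions are 2.20.0 (Prisma.prisma) and 20.0.27
# (Prisma.prisma-insider); `code --list-extensions --show-versions` prints Publisher.name@version.

# version_ge A B: succeed if dotted version A is >= B, comparing numerically per component
version_ge() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    n = split(a, x, "."); m = split(b, y, ".")
    k = (n > m) ? n : m
    for (i = 1; i <= k; i++) {
      p = (i <= n) ? x[i] + 0 : 0
      q = (i <= m) ? y[i] + 0 : 0
      if (p > q) exit 0
      if (p < q) exit 1
    }
    exit 0
  }'
}

# extension_vulnerable "Publisher.name@version": succeed if the line names a Prisma
# extension below its fixed version; fail for fixed versions and for other extensions
extension_vulnerable() {
  id=${1%@*}; ver=${1##*@}
  case "$id" in
    Prisma.prisma)         fixed=2.20.0 ;;
    Prisma.prisma-insider) fixed=20.0.27 ;;
    *) return 1 ;;
  esac
  ! version_ge "$ver" "$fixed"
}

# find_fmt_bin_path SETTINGS_FILE: print the value of prismaFmtBinPath from a
# settings.json (single-line JSON key/value match; prints nothing if absent)
find_fmt_bin_path() {
  [ -f "$1" ] || return 1
  sed -n 's/.*"[^"]*prismaFmtBinPath"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' "$1" | head -n 1
}

# path_is_inside_workspace WORKSPACE PATH: succeed if the referenced binary could have
# been shipped with the repository. Relative paths are flagged unconditionally
# (conservative); absolute paths are resolved and compared against the workspace.
path_is_inside_workspace() {
  ws_raw=$1
  ws=$(cd "$1" && pwd -P) || return 1
  case "$2" in
    /*) target=$2 ;;
    *)  return 0 ;;
  esac
  if dir=$(cd "$(dirname "$target")" 2>/dev/null && pwd -P); then
    case "$dir/" in "$ws"/*) return 0 ;; esac
  else
    case "$target" in "$ws_raw"/*|"$ws"/*) return 0 ;; esac
  fi
  return 1
}

# audit_workspace DIR: report a prismaFmtBinPath override in DIR/.vscode/settings.json
# Exit status: 0 clean, 2 override present (suitable for a pre-open check or CI gate)
audit_workspace() {
  settings="$1/.vscode/settings.json"
  bin=$(find_fmt_bin_path "$settings") || bin=""
  if [ -z "$bin" ]; then
    echo "OK: no prismaFmtBinPath in $settings"
    return 0
  fi
  echo "WARNING: $settings sets prismaFmtBinPath to '$bin'"
  if path_is_inside_workspace "$1" "$bin"; then
    echo "         the path points inside the repository: treat it as attacker-controlled"
  fi
  echo "         remove the setting before opening or formatting any .prisma file"
  return 2
}

# Demo on a constructed workspace that mimics a crafted repository
demo() {
  tmp=$(mktemp -d)
  mkdir -p "$tmp/repo/.vscode" "$tmp/repo/tools"
  cat > "$tmp/repo/.vscode/settings.json" <<'EOF'
{
  "editor.formatOnSave": true,
  "prisma.prismaFmtBinPath": "./tools/prisma-fmt"
}
EOF
  printf '#!/bin/sh\necho "this would run as the VS Code user"\n' > "$tmp/repo/tools/prisma-fmt"
  audit_workspace "$tmp/repo" || echo "audit exit status: $?"
  # Constructed sample lines in the format of `code --list-extensions --show-versions`.
  # Against a real install: code --list-extensions --show-versions | while read -r l; do
  #   extension_vulnerable "$l" && echo "VULNERABLE: $l"; done
  for line in "Prisma.prisma@2.19.0" "Prisma.prisma-insider@20.0.27"; do
    if extension_vulnerable "$line"; then echo "VULNERABLE: $line"; else echo "OK: $line"; fi
  done
  rm -rf "$tmp"
}

demo
```

Running the script as-is executes the demo; for a real check, source it and call `audit_workspace` on each cloned repository before opening it, and feed the output of `code --list-extensions --show-versions` through `extension_vulnerable`. The relative-path rule is deliberately conservative: any prismaFmtBinPath in a workspace settings file of a repository you did not write is a reason to stop, not just one pointing inside the checkout.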
📡 Detection & Monitoring
Log Indicators:
- Prisma extension output or extension host logs referencing a formatter binary path other than the one the extension ships with (i.e. an unexpected prismaFmtBinPath value)
- Endpoint or system process logs showing VS Code spawning an executable from a repository checkout, a temp directory, or another location where a formatter would not normally live
Network Indicators:
- Unexpected outbound connections from VS Code process after formatting Prisma files
SIEM Query:
Process creation events where the parent process is the VS Code executable (code, Code.exe) or its extension host, and the child image path lies inside a user's workspace or matches the path taken from a workspace's prismaFmtBinPath setting; a .prisma file open or save shortly before the event strengthens the match.
🔗 References
- https://github.com/prisma/language-tools/pull/750
- https://github.com/prisma/language-tools/security/advisories/GHSA-4rf9-43m7-x828
- https://marketplace.visualstudio.com/items?itemName=Prisma.prisma
- https://marketplace.visualstudio.com/items?itemName=Prisma.prisma-insider