CVE-2021-28448

7.8 HIGH

📋 TL;DR

This vulnerability in the Visual Studio Code Kubernetes Tools extension allows remote code execution when processing malicious Kubernetes YAML files. Attackers can execute arbitrary code on the developer's machine by tricking them into opening a specially crafted YAML file. This affects developers using the Kubernetes Tools extension in Visual Studio Code.

💻 Affected Systems

Products:
  • Visual Studio Code Kubernetes Tools Extension
Versions: prior to 1.3.0
Operating Systems: Windows, Linux, macOS
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects users who have installed the Kubernetes Tools extension. The vulnerability is in the extension, not the core VS Code editor.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete compromise of developer workstation leading to lateral movement within development environment, credential theft, and deployment of malicious containers to Kubernetes clusters.

🟠 Likely Case

Attacker gains code execution on developer machine, potentially accessing source code, credentials, and development infrastructure.

🟢 If Mitigated

Limited impact with proper network segmentation, least privilege access, and security controls preventing lateral movement.

🌐 Internet-Facing: MEDIUM - Requires user interaction (opening malicious file) but can be delivered via email, downloads, or compromised repositories.
🏢 Internal Only: HIGH - Developers frequently handle untrusted YAML files from various sources including internal repositories and external tools.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires user interaction to open a malicious YAML file. No authentication required beyond file access.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Kubernetes Tools extension version 1.3.0 and later

Vendor Advisory: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-28448

Restart Required: Yes

Instructions:

1. Open Visual Studio Code.
2. Go to Extensions view (Ctrl+Shift+X).
3. Search for 'Kubernetes'.
4. Click Update on Kubernetes Tools extension.
5. Restart VS Code after update completes.

🔧 Temporary Workarounds

Disable Kubernetes Tools Extension

all

Temporarily disable the vulnerable extension until patching is possible

code --disable-extension ms-kubernetes-tools.vscode-kubernetes-tools

Restrict YAML File Sources

all

Only open YAML files from trusted sources and repositories

🧯 If You Can't Patch

  • Implement application allowlisting to prevent execution of unauthorized binaries
  • Use network segmentation to isolate developer workstations from production systems

🔍 How to Verify

Check if Vulnerable:

Check Kubernetes Tools extension version in VS Code Extensions view. Vulnerable if version < 1.3.0.

Check Version (Windows, where findstr is available):

code --list-extensions --show-versions | findstr kubernetes

Verify Fix Applied:

Verify Kubernetes Tools extension shows version 1.3.0 or higher in Extensions view.
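
A scripted form of the version check above for Linux and macOS shells, where findstr is not available. This is an added example, not part of the original advisory; it assumes the listing has one `publisher.name@version` entry per line, and the sample listing is constructed.

```shell
#!/bin/sh
# Added example: classify the Kubernetes Tools extension version against the
# fixed release named in this advisory. Assumed input: one
# "publisher.name@version" entry per line, as printed by
# `code --list-extensions --show-versions`.

EXT_ID="ms-kubernetes-tools.vscode-kubernetes-tools"  # ID from the workaround section
FIXED="1.3.0"                                         # patch version from the advisory

# Reads an extension listing on stdin and prints one of:
#   not-installed | vulnerable <version> | patched <version>
# Exit status: 1 if a vulnerable version is listed, otherwise 0.
k8s_ext_status() {
    awk -v id="$EXT_ID" -v fixed="$FIXED" '
        # Numeric, component-wise comparison so that 1.10.x sorts after 1.3.x.
        function older(a, b,    x, y, i) {
            split(a, x, "."); split(b, y, ".")
            for (i = 1; i <= 3; i++) {
                if (x[i] + 0 < y[i] + 0) return 1
                if (x[i] + 0 > y[i] + 0) return 0
            }
            return 0
        }
        {
            sub(/\r$/, "")                       # tolerate CRLF line endings
            at = index($0, "@")
            if (at == 0) next                    # entry without a version
            if (tolower(substr($0, 1, at - 1)) != id) next
            ver = substr($0, at + 1)
            found = 1
            if (older(ver, fixed)) { bad = 1; label = "vulnerable" }
            else                   { label = "patched" }
            print label " " ver
        }
        END {
            if (!found) print "not-installed"
            exit (bad + 0)
        }
    '
}

# Constructed sample listing (not output from a real machine).
SAMPLE='ms-azuretools.vscode-docker@1.10.0
ms-kubernetes-tools.vscode-kubernetes-tools@1.2.4
redhat.vscode-yaml@0.17.0'

printf '%s\n' "$SAMPLE" | k8s_ext_status || echo "update required"
```

On a workstation, pipe the real listing in: `code --list-extensions --show-versions | k8s_ext_status`.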

📡 Detection & Monitoring

Log Indicators:

  • Unusual process execution from VS Code context
  • Suspicious YAML file parsing errors
  • Unexpected network connections from developer workstations

Network Indicators:

  • Outbound connections from developer machines to unexpected destinations
  • DNS queries for suspicious domains

SIEM Query:

Process Creation where ParentImage contains 'Code.exe' and CommandLine contains suspicious patterns
