Microsoft Visual Studio RCE Vulnerability

By

Overview:

  Microsoft Visual Studio is an integrated development environment (IDE) from Microsoft. It can be used to develop console and graphical user interface (GUI) applications along with web sites, web applications, and web services. This is achieved in combination with native and managed code for all platforms supported by Microsoft Windows, Windows Mobile, Windows CE, .NET Framework, .NET Compact Framework and Microsoft Silverlight.

  The IDE supports a wide variety of programming languages and technologies; either built-in or as extensions. Built-in languages include C, C++, C++/CLI, Visual Basic .NET, C#, F#, JavaScript, TypeScript, XML, XSLT, HTML, and CSS. Support for other languages such as Python, Ruby, Node.js, and M among others is also available via extensions.

  A remote code execution vulnerability has been reported in the Python interpreter services, a component of the Python language support extension for Microsoft Visual Studio. The vulnerability is due to a design weakness. The python language interpreter “python.exe” may be provided in a Python project workspace. The embedded interpreter will be executed when the project is opened without confirmation from the user.

  A remote, unauthenticated attacker can exploit this vulnerability by enticing a user to open a malicious Python project/workspace. The workspace contains a crafted “python.exe” file in a subdirectory. Successful exploitation results in code execution in the context of the Microsoft Visual Studio IDE.

CVE Reference:

  This vulnerability has been assigned the Common Vulnerabilities and Exposures (CVE) identifier CVE-2021-27068

Common Vulnerability Scoring System (CVSS):

  The overall CVSS score is 8.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C).

  Base score is 9.6 (AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H), based on the following metrics:
    • Attack vector is network.
    • Attack complexity is low.
    • Privileges required is none.
    • User interaction is required.
    • Scope is changed.
    • Impact of this vulnerability on data confidentiality is high.
    • Impact of this vulnerability on data integrity is high.
    • Impact of this vulnerability on data availability is high.
  Temporal score is 8.3 (E:U/RL:O/RC:C), based on the following metrics:
    • The exploit code maturity level of this vulnerability is unproven.
    • The remediation level of this vulnerability is official fix.
    • The report confidence level of this vulnerability is confirmed.

Technical Overview:

  Upon opening a workspace/folder containing python source files, the workspace initialization procedure begins at the method InitializeCurrentContext in PythonWorkspaceContextProvder.cs. This procedure involves discovering Python interpreters within the workspace. The Python interpreter, in a Windows OS environment is the binary file “python.exe”. The initialization process requires the interpreter in other to retrieve interpreter information. The method FindInterpretersInSubFolders in WorkspaceInterpreterFactoryProvider.cs invokes the method CreateEnvironmentInfo for each interpreter path discovered within the workspace. The method CreateEnvironmentInfo is also defined in WorkspaceInterpreterFactoryProvider.cs and will in turn invoke the method PrefixFromSysPrefix defined in the same class file, on the discovered path. The method PrefixFromSysPrefix will build and execute the following template command line:

  (full path to interpreter within workspace) -c "import sys; print(sys.prefix)"

  The method CreateEnvironmentInfo, made no attempt to validate the integrity of the discovered python interpreter. Therefore, an attacker can craft a Python workspace such that an included python.exe is in fact a malicious binary which will be executed autonomously on opening the crafted workspace within Visual Studio.

  A remote, unauthenticated attacker can exploit this vulnerability by enticing a user to open a malicious Python project/workspace. The workspace contains a crafted “python.exe” file in a subdirectory. Successful exploitation results in code execution in the context of Microsoft Visual Studio.

Triggering the Problem:

  • A vulnerable version of Microsoft Visual Studio is installed.
  • The attacker must be able to deliver a malicious Python project to the target user.

Triggering Conditions:

  The attacker creates a malicious Python project for Microsoft Visual Studio and delivers it to the target user. The Python project contains a maliciously crafted python.exe file within a subdirectory. The vulnerability is triggered when this project is processed by a vulnerable version of Microsoft Visual Studio.

Attack Delivery:

  The following application protocols can be used to deliver an attack that exploits this vulnerability:
    • HTTP, over port 80/TCP
    • HTTPS, over port 443/TCP
    • SSH, over port 22/TCP
    • FTP, over port 21/TCP
    • SMB/CIFS, over ports 139/TCP, 445/TCP

SonicWall’s, (IPS) Intrusion Prevention System, provides protection against this threat:

  • IPS: 15579 Microsoft Visual Studio Remote Code Execution (CVE-2021-27068)

Remediation Details:

  The risks posed by this vulnerability can be mitigated or eliminated by:
    • Not cloning and opening untrusted Python projects within Visual Studio.
    • Upgrading to a non-vulnerable version of Visual Studio.
    • Filtering malicious traffic.
  The vendor, Microsoft, has released the following advisory regarding this vulnerability:
  Vendor Advisory

Security News
The SonicWall Capture Labs Threat Research Team gathers, analyzes and vets cross-vector threat information from the SonicWall Capture Threat network, consisting of global devices and resources, including more than 1 million security sensors in nearly 200 countries and territories. The research team identifies, analyzes, and mitigates critical vulnerabilities and malware daily through in-depth research, which drives protection for all SonicWall customers. In addition to safeguarding networks globally, the research team supports the larger threat intelligence community by releasing weekly deep technical analyses of the most critical threats to small businesses, providing critical knowledge that defenders need to protect their networks.