VS Code Information Disclosure Vulnerability

A information disclosure vulnerability exists in VS Code 1.78.0 and earlier versions on Windows when file system operations are performed on malicious UNC paths. Examples include reading or resolving metadata of such paths. An authorised attacker must send the user a malicious file and convince the user to open it for the vulnerability to occur. Exploiting this vulnerability could allow the disclosure of NTLM hashes.

Patches

The fix is available starting with VS Code 1.78.1. It involved changes to VS Code as well as the node.js component that VS Code leverages for file system operations:
• the change in 6a995c4 introduces a new setting security.allowedUNCHosts and a related prompt confirming to open UNC paths on startup
• the change in https://gist.github.com/bpasero/f7cf27c531146267706786e56234b8d6 patches node.js 16.17.1 to throw an error when using UNC paths in file system operations that are not in a set of allowed hosts

Workarounds

Do not open workspaces or files on UNC paths. Do not open workspaces or files that contain UNC paths as text.

References

• The patches for this can be found at 6a995c4 and https://gist.github.com/bpasero/f7cf27c531146267706786e56234b8d6
• MSRC details for this can be found at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-29338
• Our FAQ entry for how to work with UNC paths on Windows