Important Information

On August 12th, 2022, many of Keysight’s Network Test, Network Visibility, & Edge to Core (NAS/formerly Ixia) products will migrate to a new license structure.

CRITICAL: If you perform licensing operations after August 12th, 2022, without upgrading the licensing software to the latest version, licenses may not register properly, and some features may be missing. This could impact testing and result in downtime.

For details, click here.

Strike ID:
E20-mx8m1
CVSS:
6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
False Positive:
t
Variants:
1
Year:
2020

Description

This strike exploits a virtualenv variable path loading vulnerability inside Microsoft Visual Code Studio. Specifically, the vulnerability is due to how VSCode selects and loads the virtualenv from a project folder. This project folder can be loaded without user interaction only requiring for the user to click on the python .py file to execute the code. By adding a malicious folder to the workspace and opening a python file inside the project the added code to execute inside the extension will run. The project zip package included in this strike will prompt the user to install an extension to run. Once installed clicking the python file will execute the calculator app on macOS.

References