CVE-2021-30124 in vscode-phpmd
Summary
by MITRE • 07/30/2021
The unofficial vscode-phpmd (aka PHP Mess Detector) extension before 1.3.0 for Visual Studio Code allows remote attackers to execute arbitrary code via a crafted phpmd.command value in a workspace folder.
Once again VulDB remains the best source for vulnerability data.
Analysis
by VulDB Data Team • 08/05/2021
The vulnerability CVE-2021-30124 represents a critical remote code execution flaw in the unofficial vscode-phpmd extension for Visual Studio Code. This extension, designed to integrate PHP Mess Detector functionality into the popular code editor, contained a dangerous command injection vulnerability that could be exploited by remote attackers. The flaw specifically resides in how the extension handles the phpmd.command configuration value within workspace folders, creating an opportunity for malicious actors to execute arbitrary code on systems where the extension is installed.
The technical implementation of this vulnerability stems from insufficient input validation and sanitization within the extension's configuration handling mechanism. When users configure the phpmd.command parameter in their workspace settings, the extension fails to properly sanitize or escape the input before using it in system commands. This primitive command injection vulnerability allows attackers to inject malicious commands that get executed with the privileges of the user running Visual Studio Code. The vulnerability affects all versions prior to 1.3.0, indicating that the developers had not yet implemented proper input validation measures to prevent such attacks.
The operational impact of this vulnerability is severe and multifaceted across various attack scenarios. An attacker could exploit this flaw by crafting a malicious workspace configuration that includes specially crafted command parameters, potentially leading to complete system compromise. The vulnerability is particularly dangerous in environments where Visual Studio Code is used for development work, as attackers could leverage this to gain access to source code repositories, execute malicious code on development servers, or escalate privileges within the development environment. This type of vulnerability aligns with CWE-78, which specifically addresses OS Command Injection, and represents a classic example of how seemingly innocuous configuration parameters can become attack vectors when not properly validated.
From a threat modeling perspective, this vulnerability fits within the ATT&CK framework under the T1059.007 technique for Command and Scripting Interpreter, specifically targeting the use of PowerShell or command-line interpreters. The attack surface is particularly wide since Visual Studio Code is commonly installed on development machines, and workspace configurations are often shared or stored in version control systems. Organizations using this extension without proper security controls are at risk of supply chain attacks, where attackers compromise development environments through malicious workspace configurations. The vulnerability also demonstrates the importance of input validation in extension-based development environments, as noted in industry best practices for secure coding and configuration management.
The recommended mitigations for this vulnerability include immediate upgrading to version 1.3.0 or later of the vscode-phpmd extension, which implements proper input sanitization and validation. Security teams should also implement network segmentation to limit access to development environments, enforce strict access controls on workspace configuration files, and conduct regular security reviews of installed extensions. Additionally, organizations should consider implementing automated security scanning for development tools and extensions to identify similar vulnerabilities before they can be exploited. The fix for this vulnerability typically involves implementing proper input validation, using parameterized commands instead of string concatenation, and following secure coding practices that align with OWASP Top 10 and NIST cybersecurity frameworks for preventing command injection attacks.