Microsoft Security Advisory CVE-2018-8327
Critical Remote Code Execution in PowerShell Editor Services
Executive Summary
Microsoft is releasing this security advisory to provide information about a vulnerability in the open source versions of PowerShell Editor Services & the PowerShell extension for VSCode.
This advisory also provides guidance on what users can do to update their extensions and projects.
PowerShell Editor Services has a critical remote code execution vulnerability in versions prior to 1.7.0
.
Users are advised to update the version of PowerShell Editor Services they use to version 1.8.0
.
Users are advised to update the PowerShell extension for VSCode to version 1.8.0
.
Discussion
Please use PowerShell/PowerShellEditorServices#703 for discussion of this advisory.
Please use PowerShell/vscode-powershell#1427 for discussion of the PowerShell extension for VSCode aspects this advisory.
Affected Software
The vulnerability affects:
- PowerShell Editor Services prior to version
1.7.0
- The PowerShell extension for VSCode prior to version
1.7.0
- which depends on PowerShell Editor Services
Advisory FAQ
How do I know if I am affected?
PowerShell Editor Services
If you use PowerShell Editor Services in your project, check the version of the release you downloaded. If your version says 1.7.0
or lower, you are affected.
If you already have it on your machine, open PowerShell and navigate to where your Microsoft.PowerShell.EditorServices.dll
is and run:
Get-ChildItem Microsoft.PowerShell.EditorServices.dll | % { $_.VersionInfo.FileVersion }
If your version says 1.7.0
or lower, you are affected.
PowerShell extension for VSCode
You can verify this in one of 2 ways.
NOTE: if you have both VSCode and VSCode Insiders installed, you will need to check both.
Via Console
If you have VSCode Stable installed:
- Close all instances of VSCode
- Run
code --list-extensions --show-versions
- Look for
[email protected]
. If your version says 1.7.0
or lower, you are affected.
If you have VSCode Insiders installed:
- Close all instances of VSCode
- Run
code-insiders --list-extensions --show-versions
- Look for
[email protected]
. If your version says 1.7.0
or lower, you are affected.
Via the VSCode GUI
- Click on the Extensions icon:
- Find PowerShell in the list and check the version number:
If your version says 1.7.0
or lower, you are affected.
How do I update to an unaffected version?
PowerShell Editor Services
You can grab a newer release from the Releases tab in GitHub.
PowerShell extension for VSCode
VSCode auto-updates extensions unless you disable automatic updates. Open VSCode and when prompted to reload the updated extension, do so. If your version says 1.8.0
or above, you have updated successfully.
You can update this manually as well in one of 2 ways.
NOTE: if you have both VSCode and VSCode Insiders installed, you will need to update both.
Via Console
If you have VSCode Stable installed:
- Close all instances of VSCode
- Run
code --install-extension ms-vscode.powershell
- Run
code --list-extensions --show-versions
- Look for
[email protected]
. If your version says 1.8.0
or above, you have updated successfully.
If you have VSCode Insiders installed:
- Close all instances of VSCode
- Run
code-insiders --install-extension ms-vscode.powershell
- Run
code --list-extensions --show-versions
- Look for
[email protected]
. If your version says 1.8.0
or above, you have updated successfully.
Via the VSCode GUI
- Click on the Extensions icon:
-
Find PowerShell in the list and click the update button
-
Then click the reload button
If your version says 1.8.0
or higher, you have updated successfully.
Other Information
Reporting Security Issues
If you have found a potential security issue in PowerShell Editor Services,
please email details to [email protected].
Support
You can ask questions about this issue on GitHub in the PowerShell organization.
This is located at https://github.com/PowerShell/.
The Announcements repo (https://github.com/PowerShell/Announcements)
will contain this bulletin as an issue and will include a link to a discussion issue where you can ask questions.
What if the update breaks my extension?
File an issue and we will address it in the next release.
Acknowledgments
Ryan Cumbee (Casaba Security, LLC) & Cory Carson (Casaba Security, LLC) under contract for Microsoft at the time.
External Links
CVE-2018-8327
Revisions
V1.0 (Jul 10, 2018): Advisory published.
V1.1 (Jul 19, 2018): Added CVE link.
Version 1.1
Last Updated 2018-07-19