• Linux Vulnerability by Opening Files in Vim or NeoVim

    #1841633

    Your Linux Can Get Hacked Just by Opening a File in Vim or Neovim Editor
    By Mohit Kumar | June 10, 2019

     
    Linux users, beware!
    If you haven’t recently updated your Linux operating system, especially the command-line text editor utility, do not even try to view the content of a file using Vim or Neovim.
    Security researcher Armin Razmjou recently discovered a high-severity arbitrary OS command execution vulnerability (CVE-2019-12735) in Vim and Neovim—two most popular and powerful command-line text editing applications that come pre-installed with most Linux-based operating systems.
    On Linux systems, Vim editor allows users to create, view or edit any file, including text, programming scripts, and documents.

    The maintainers of Vim (patch 8.1.1365) and Neovim (released in v0.3.6) have released updates for both utilities to address the issue, which users should install as soon as possible.
    Besides this, the researcher has also recommended users to:

      disable modelines feature,
      disable “modelineexpr” to disallow expressions in modelines,
      use “securemodelines plugin,” a secure alternative to Vim modelines.

     
    Read the full article here

    3 users thanked author for this post.
    • #1841683

      … this was one of those… well, somewhere on the ‘net there might still be a copy of an old newsgroup posting of mine where I complain about the “vi” command starting Vim instead on Linux…

      Oh well. The equivalent feature in Emacs was disabled some time in the 90s already.

      And fortunately my systems are Debian-derivatives nowadays so inherited the “nomodelines” default, which turns off the vulnerable feature unless enabled by user. Which I haven’t.

    • #1842534

      Kirsty: Thanks for the timely warning.

      Do I understand correctly that “do not even try to view the content of a file using Vim or Neovim” refers to files one gets from someone else, not the ones one creates oneself?

      The reason I think it might be so, is that it says, in the article you gave us a link to: “Therefore, just opening an innocent looking specially crafted file using Vim or Neovim could allow attackers to secretly execute commands on your Linux system and take remote control over it.”

      As well as installing those security updates, is there a way to disable the troublesome customizing feature in Vim that, according to the same article, is set on by default? I do not use it.

      Ex-Windows user (Win. 98, XP, 7); since mid-2017 using also macOS. Presently on Monterey 12.15 & sometimes running also Linux (Mint).

      MacBook Pro circa mid-2015, 15" display, with 16GB 1600 GHz DDR3 RAM, 1 TB SSD, a Haswell architecture Intel CPU with 4 Cores and 8 Threads model i7-4870HQ @ 2.50GHz.
      Intel Iris Pro GPU with Built-in Bus, VRAM 1.5 GB, Display 2880 x 1800 Retina, 24-Bit color.
      macOS Monterey; browsers: Waterfox "Current", Vivaldi and (now and then) Chrome; security apps. Intego AV

      • #1842944

        I would expect opening text-only files you have created yourself would not pose the security risk being warned of in the article…

      • #1843110

        is there a way to disable the troublesome customizing feature in Vim that, according to the same article, is set on by default? I do not use it.

        Yes.

        Besides this, the researcher has also recommended users to:

        disable modelines feature,

        … this was already the default state in Debian and derivatives, including Ubuntu.

        1 user thanked author for this post.
        • #1843378

          Even so, Canonical pushed out an update to fix this issue for Ubuntu, and all derivatives that use the Ubuntu repo, on the 12th of June, two days ago:

          Screenshot from Muon package manager showing updates

           

          Dell XPS 13/9310, i5-1135G7/16GB, KDE Neon 6.2
          XPG Xenia 15, i7-9750H/32GB & GTX1660ti, Kubuntu 24.04
          Acer Swift Go 14, i5-1335U/16GB, Kubuntu 24.04 (and Win 11)

          2 users thanked author for this post.
          • #1844203

            Yes, disabled was the *default* state but it could be enabled in per-user settings – and in some circles this was even common. Which would then leave the users who did so, vulnerable, and this clearly was a security bug.

            1 user thanked author for this post.
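
    The point made in the replies above, that modelines can be off by distribution default yet switched back on in per-user settings, can be checked by reading a vimrc the way Vim applies it. This is an added example, not code from the thread or the linked article: it replays the `:set` commands in a vimrc and reports whether modelines end up processed and whether `modelineexpr` is on. The function name `modeline_state` and the sample files are constructed for illustration, and only plain `set`/`se` lines are parsed, so options changed by plugins or autocommands are not seen.

```python
import re

# Boolean options and their documented short names (:help 'modeline', 'modelineexpr').
BOOL_OPTS = {"modeline": "modeline", "ml": "modeline",
             "modelineexpr": "modelineexpr", "mle": "modelineexpr"}
SET_CMD = re.compile(r'^\s*:?(?:set|se)\s+(.*)$')
COUNT = re.compile(r'(?:modelines|mls)=(\d+)')

def modeline_state(vimrc_text, default_modeline=True):
    """Replay the :set lines of a vimrc and return the resulting option state.

    default_modeline is an assumption about the value before this file is read:
    True for stock Vim, False where a system vimrc already ran 'set nomodeline'.
    """
    state = {"modeline": default_modeline, "modelineexpr": False, "modelines": 5}
    for line in vimrc_text.splitlines():
        m = SET_CMD.match(line)          # comment lines start with " and never match
        if not m:
            continue
        for arg in m.group(1).split():
            if arg.startswith('"'):      # trailing comment ends the command
                break
            count = COUNT.fullmatch(arg)
            if count:
                state["modelines"] = int(count.group(1))
            elif arg in BOOL_OPTS:
                state[BOOL_OPTS[arg]] = True
            elif arg[:2] == "no" and arg[2:] in BOOL_OPTS:
                state[BOOL_OPTS[arg[2:]]] = False
            elif arg[:3] == "inv" and arg[3:] in BOOL_OPTS:
                state[BOOL_OPTS[arg[3:]]] = not state[BOOL_OPTS[arg[3:]]]
            elif arg.endswith("!") and arg[:-1] in BOOL_OPTS:
                state[BOOL_OPTS[arg[:-1]]] = not state[BOOL_OPTS[arg[:-1]]]
    # Vim checks no lines for modelines when 'modeline' is off or 'modelines' is 0.
    state["processed"] = state["modeline"] and state["modelines"] > 0
    return state

# Constructed sample files, not taken from any real system.
SAMPLES = {
    "system default only": ('', False),
    "user re-enabled": ('" personal settings\nset nocompatible\nset modeline\n', False),
    "count zeroed": ('set ml mls=0 " on, but no lines scanned\n', True),
    "expressions allowed": ('set modeline\nset modelineexpr\n', True),
}

if __name__ == "__main__":
    for name, (text, default) in SAMPLES.items():
        s = modeline_state(text, default)
        print(f"{name:20} processed={s['processed']} modelineexpr={s['modelineexpr']}")
```

    A result of `processed=True` on an unpatched editor is the exposed configuration the thread describes; the configuration check sits alongside installing the fixed Vim or Neovim release, not in place of it.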