  • Linux Vulnerability by Opening Files in Vim or NeoVim

    • #1841633 Reply

      Kirsty
      Da Boss

      Your Linux Can Get Hacked Just by Opening a File in Vim or Neovim Editor
      By Mohit Kumar | June 10, 2019

       
      Linux users, beware!
      If you haven’t recently updated your Linux operating system, especially the command-line text editor utility, do not even try to view the content of a file using Vim or Neovim.
      Security researcher Armin Razmjou recently discovered a high-severity arbitrary OS command execution vulnerability (CVE-2019-12735) in Vim and Neovim—two most popular and powerful command-line text editing applications that come pre-installed with most Linux-based operating systems.
      On Linux systems, Vim editor allows users to create, view or edit any file, including text, programming scripts, and documents.

      The maintainers of Vim (patch 8.1.1365) and Neovim (released in v0.3.6) have released updates for both utilities to address the issue, which users should install as soon as possible.
      Besides this, the researcher has also recommended users to:

        disable modelines feature,
        disable “modelineexpr” to disallow expressions in modelines,
        use “securemodelines plugin,” a secure alternative to Vim modelines.

       
      Read the full article here

      3 users thanked author for this post.
    • #1841683 Reply

      mn–
      AskWoody Lounger

      … this was one of those… well, somewhere on the ‘net there might still be a copy of an old newsgroup posting of mine where I complain about the “vi” command starting Vim instead on Linux…

      Oh well. The equivalent feature in Emacs was disabled some time in the 90s already.

      And fortunately my systems are Debian-derivatives nowadays so inherited the “nomodelines” default, which turns off the vulnerable feature unless enabled by user. Which I haven’t.

    • #1842534 Reply

      OscarCP
      AskWoody Plus

      Kirsty: Thanks for the timely warning.

      Do I understand correctly that “do not even try to view the content of a file using Vim or Neovim” refers to files one gets from someone else, not the ones one creates oneself?

      The reason I think it might be so, is that it says, in the article you gave us a link to: “Therefore, just opening an innocent looking specially crafted file using Vim or Neovim could allow attackers to secretly execute commands on your Linux system and take remote control over it.”

      As well as installing those security updates, is there a way to disable the troublesome customizing feature in Vim that, according to the same article, is set on by default? I do not use it.

      • #1842944 Reply

        Kirsty
        Da Boss

        I would expect opening text-only files you have created yourself would not pose the security risk being warned of in the article…

      • #1843110 Reply

        mn–
        AskWoody Lounger

        “is there a way to disable the troublesome customizing feature in Vim that, according to the same article, is set on by default? I do not use it.”

        Yes.

        “Besides this, the researcher has also recommended users to:

        disable modelines feature,”

        … this was already the default state in Debian and derivatives, including Ubuntu.

        1 user thanked author for this post.
        • #1843378 Reply

          Ascaris
          AskWoody_MVP

          Even so, Canonical pushed out an update to fix this issue for Ubuntu, and all derivatives that use the Ubuntu repo, on the 12th of June, two days ago:

          [Screenshot from Muon package manager showing updates]

           

          Group "L" (KDE Neon User Edition 5.16.3).

          2 users thanked author for this post.
          • #1844203 Reply

            mn–
            AskWoody Lounger

            Yes, disabled was the *default* state but it could be enabled in per-user settings – and in some circles this was even common. Which would then leave the users who did so, vulnerable, and this clearly was a security bug.

            1 user thanked author for this post.
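
One way to check whether a per-user vimrc has opted in to the modeline feature discussed in this thread, as an added example that is not part of any post above. The function names and the sample vimrc files are constructed for illustration; `modeline`/`ml` and `modelineexpr`/`mle` are Vim's own option names.

```shell
#!/bin/sh
# Added example: static check of a vimrc for the 'modeline' and 'modelineexpr' options.
# Limitation: plain text scan; does not follow :source, plugins or conditionals.

# setting_state FILE LONG SHORT -> enabled | disabled | unset (last :set wins)
setting_state() {
    [ -r "$1" ] || { echo unset; return 0; }
    awk -v lname="$2" -v sname="$3" '
        BEGIN { state = "unset" }
        /^[ \t]*:?(se|set|setl|setlocal|setg|setglobal)[ \t]/ {
            for (i = 2; i <= NF; i++) {
                if ($i ~ /^"/) break                      # trailing vimrc comment
                if ($i == lname || $i == sname) state = "enabled"
                else if ($i == ("no" lname) || $i == ("no" sname)) state = "disabled"
            }
        }
        END { print state }
    ' "$1"
}

# audit_vimrc FILE -> one summary line: verdict plus both option states
audit_vimrc() {
    ml=$(setting_state "$1" modeline ml)
    mle=$(setting_state "$1" modelineexpr mle)
    if [ "$ml" = enabled ] || [ "$mle" = enabled ]; then verdict=REVIEW
    elif [ "$ml" = disabled ]; then verdict=OK
    else verdict=DEFAULT          # falls back to the build or distro default
    fi
    echo "$verdict modeline=$ml modelineexpr=$mle"
}

# Constructed sample files (not taken from any real system)
SAMPLES=$(mktemp -d)
trap 'rm -rf "$SAMPLES"' EXIT
printf '%s\n' 'syntax on' 'set modeline modelines=5  " per-user opt-in' > "$SAMPLES/optin.vimrc"
printf '%s\n' '" hardened' 'set nomodeline' 'set nomodelineexpr' > "$SAMPLES/hardened.vimrc"
printf '%s\n' 'set number' > "$SAMPLES/plain.vimrc"

for f in "$SAMPLES"/*.vimrc; do
    printf '%s: %s\n' "${f##*/}" "$(audit_vimrc "$f")"
done
```

A `DEFAULT` verdict means the file does not set the option, so the effective value comes from the distribution's system-wide configuration; running `:set modeline?` inside the editor shows the value actually in effect.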
