A high-severity arbitrary OS command execution vulnerability (CVE-2019-12735) has been found in Vim and Neovim, the two most popular and powerful command-line text editors on Linux-based operating systems.
The vulnerability was discovered by security researcher Armin Razmjou, who advises users not to open a file in Vim or Neovim, even just to view its contents, if they have not recently updated their Linux operating system.
On Linux systems, the Vim editor lets users create, view, or edit any file, including plain text, programming scripts, and documents.
Neovim is an extended fork of Vim with a better user experience, plugins, and GUIs, so the code execution vulnerability is present in it as well.
The vulnerability lies in the way Vim handles “modelines,” a feature enabled by default that automatically finds and applies a set of custom preferences which the creator of a file can place near the first and last lines of the document.
For security reasons, the editor permits only a subset of options in modelines and uses sandbox protection when a modeline contains an unsafe expression.
Despite this, simply opening an innocent-looking, specially crafted file in Vim or Neovim could allow attackers to execute commands on your Linux system without your knowledge and take remote control of it.
The researcher has released two proof-of-concept exploits to the public. The maintainers of Vim (patch 8.1.1365) and Neovim (v0.3.6) have released fixes for both utilities, and users should install them as soon as possible.
The researcher also recommends that users:
- disable the modelines feature,
- disable “modelineexpr” to disallow expressions in modelines,
- use the “securemodelines” plugin, an alternative to Vim modelines.
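As an added example (not code from the article, nor from the Vim or Neovim projects), the POSIX shell script below checks whether the output of `vim --version` or `nvim --version` already carries the fix named above (Vim patch 8.1.1365, Neovim v0.3.6) and appends the recommended `nomodeline` / `nomodelineexpr` settings to a vimrc or init.vim. The version strings in it are constructed samples, the function names `vim_is_fixed`, `nvim_is_fixed` and `write_hardening` are this example's own, and the layout of the version output it parses ("VIM - Vi IMproved X.Y", "Included patches: ...", "NVIM vX.Y.Z") is assumed from how those tools print it rather than taken from the article.

```shell
#!/bin/sh
# Added example, not from the article: offline checks for the CVE-2019-12735 fixes
# (Vim patch 8.1.1365, Neovim v0.3.6) plus a vimrc hardening snippet applying the
# recommended mitigations. All version strings here are constructed samples in the
# layout that `vim --version` / `nvim --version` print (assumed, not from the article).

# vim_is_fixed VERSION_OUTPUT
# Returns 0 when the output is from Vim 8.2 or later, or from Vim 8.1 whose
# "Included patches:" line covers 1365 (ranges like "1-1365" or "1-100, 103, 110-1365").
vim_is_fixed() {
  printf '%s\n' "$1" | awk '
    /^VIM - Vi IMproved/ { split($5, v, "."); major = v[1] + 0; minor = v[2] + 0 }
    /^Included patches:/ {
      sub(/^Included patches:[ \t]*/, "")
      n = split($0, parts, /,[ \t]*/)
      for (i = 1; i <= n; i++) {
        if (split(parts[i], r, "-") == 2) { lo = r[1] + 0; hi = r[2] + 0 }
        else { lo = parts[i] + 0; hi = lo }
        if (lo <= 1365 && 1365 <= hi) has1365 = 1
      }
    }
    END {
      if (major > 8 || (major == 8 && minor > 1)) exit 0   # later series already carry the fix
      if (major == 8 && minor == 1 && has1365) exit 0
      exit 1
    }'
}

# nvim_is_fixed VERSION_OUTPUT
# Returns 0 when the "NVIM vX.Y.Z" line reports 0.3.6 or later.
nvim_is_fixed() {
  printf '%s\n' "$1" | awk '
    /^NVIM v/ {
      sub(/^NVIM v/, ""); split($1, v, ".")
      cur = v[1] * 1000000 + v[2] * 1000 + v[3] + 0   # "6-dev" + 0 -> 6
      fixed = (cur >= 3006)                            # 0.3.6 -> 3006
    }
    END { exit fixed ? 0 : 1 }'
}

# write_hardening FILE
# Appends the article's mitigations to a vimrc/init.vim: turn modelines off and,
# on builds that have the option, also disable expression evaluation in modelines.
write_hardening() {
  cat >>"$1" <<'EOF'
" CVE-2019-12735 mitigation: do not evaluate modelines from opened files
set nomodeline
if exists('+modelineexpr') | set nomodelineexpr | endif
EOF
}

# Constructed sample outputs (not captured from real installs):
SAMPLE_VIM_OLD='VIM - Vi IMproved 8.1 (2018 May 18, compiled Jan 01 2019 00:00:00)
Included patches: 1-1364'
SAMPLE_VIM_FIXED='VIM - Vi IMproved 8.1 (2018 May 18, compiled Jun 10 2019 00:00:00)
Included patches: 1-100, 103, 110-1365'
SAMPLE_NVIM_OLD='NVIM v0.3.5
Build type: Release'
SAMPLE_NVIM_FIXED='NVIM v0.3.6
Build type: Release'

report() { if "$1" "$2"; then echo "$3: fixed"; else echo "$3: VULNERABLE, update"; fi; }
report vim_is_fixed  "$SAMPLE_VIM_OLD"    "sample vim 8.1.1364"
report vim_is_fixed  "$SAMPLE_VIM_FIXED"  "sample vim 8.1.1365"
report nvim_is_fixed "$SAMPLE_NVIM_OLD"   "sample nvim 0.3.5"
report nvim_is_fixed "$SAMPLE_NVIM_FIXED" "sample nvim 0.3.6"
# Against real installs: vim_is_fixed "$(vim --version)"; nvim_is_fixed "$(nvim --version)"
# To harden a config:     write_hardening "$HOME/.vimrc"
```

The version check is the quick triage a practitioner wants before trusting any editor on a shared host; the `write_hardening` snippet covers the first two recommendations only, since the securemodelines plugin is a separate install that replaces rather than configures the built-in feature.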