Patch/Configuration Management, Vulnerability Management

Vim and Neovim developers fix RCE flaw caused by failed sandbox check


Text editor programs Vim and Neovim both received security updates late last month after was was found to contain a remote code execution vulnerability.

Designated CVE-2019-12735, the flaw was discovered by security researcher Armin Razmjou and assigned an 8.6 HIGH CVSS base score.

According to an analysis of the vulnerability that was published last week, Vim versions prior to 8.1.1365 and Neovim versions prior to 0.3.6 are susceptible to code execution "via modelines by opening a specially crafted text file." Razmjou included two proof of concepts along with his analysis.

The modeline feature, which is enabled by default in the two programs, lets users specify custom editor options near the start or end of a file, the analysis explains. Some of these options are executed in a sandbox in order to prevent side effects, but Razmjou found that "the :source! command with the bang [!] modifier can be used to bypass the sandbox" because these commands are mistakenly interpreted as having been manually typed and therefore are run after the sandbox has been left. This is what triggers the RCE condition.

Vim was fixed in a May 23 software release, while Neovim was patched on May 29.

"Beyond patching, it's recommended to disable modelines in the vimrc (set nomodeline), to use the securemodelinesplugin, or to disable modelineexpr (since patch 8.1.1366, Vim-only) to disallow expressions in modelines," Razmjou advises in his vulnerability analysis.

Bradley Barth

As director of multimedia content strategy at CyberRisk Alliance, Bradley Barth develops content for online conferences, webcasts, podcasts video/multimedia projects — often serving as moderator or host. For nearly six years, he wrote and reported for SC Media as deputy editor and, before that, senior reporter. He was previously a program executive with the tech-focused PR firm Voxus. Past journalistic experience includes stints as business editor at Executive Technology, a staff writer at New York Sportscene and a freelance journalist covering travel and entertainment. In his spare time, Bradley also writes screenplays.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.