{
  "threat_severity" : "Important",
  "public_date" : "2019-06-05T00:00:00Z",
  "bugzilla" : {
    "description" : "vim/neovim: ': source!' command allows arbitrary command execution via modelines",
    "id" : "1718308",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=1718308"
  },
  "cvss3" : {
    "cvss3_base_score" : "5.3",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L",
    "status" : "verified"
  },
  "cwe" : "CWE-94",
  "details" : [ "getchar.c in Vim before 8.1.1365 and Neovim before 0.3.6 allows remote attackers to execute arbitrary OS commands via the :source! command in a modeline, as demonstrated by execute in Vim, and assert_fails or nvim_input in Neovim.", "It was found that the `:source!` command was not restricted by the sandbox mode. If modeline was explicitly enabled, opening a specially crafted text file in vim could result in arbitrary command execution." ],
  "statement" : "To be successfully and automatically triggered when a specially crafted file is opened, this vulnerability requires 3 parts:\n1) The `source!` command's inability to check whether it is running in sandbox mode (the fix commit addresses this)\n2) The `modeline` option to be enabled (by default, modeline is disabled when running with root permission. See the `Mitigation` steps to disable the modeline)\n3) A function, to be inserted in the modeline, that can be used to trigger the `source!` command (e.g. `assert_fails()` in the public reproducer). To the best of our knowledge, no such functions were found in the default installation of Red Hat Enterprise Linux versions 5, 6 and 7 at the time of the flaw. However, Red Hat Enterprise Linux version 8 contains `assert_fails()`.\nWithout part 2 or 3, an attacker would need to be able to craft the command line used to open the crafted file in order to trigger the vulnerability.",
  "affected_release" : [ {
    "product_name" : "Red Hat Enterprise Linux 6",
    "release_date" : "2019-07-15T00:00:00Z",
    "advisory" : "RHSA-2019:1774",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6",
    "package" : "vim-2:7.4.629-5.el6_10.2"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "release_date" : "2019-06-27T00:00:00Z",
    "advisory" : "RHSA-2019:1619",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7",
    "package" : "vim-2:7.4.160-6.el7_6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7.4 Extended Update Support",
    "release_date" : "2019-07-30T00:00:00Z",
    "advisory" : "RHSA-2019:1947",
    "cpe" : "cpe:/o:redhat:rhel_eus:7.4",
    "package" : "vim-2:7.4.160-2.el7_4.1"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7.5 Extended Update Support",
    "release_date" : "2019-07-16T00:00:00Z",
    "advisory" : "RHSA-2019:1793",
    "cpe" : "cpe:/o:redhat:rhel_eus:7.5",
    "package" : "vim-2:7.4.160-4.el7_5.1"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "release_date" : "2019-06-27T00:00:00Z",
    "advisory" : "RHSA-2019:1619",
    "cpe" : "cpe:/a:redhat:enterprise_linux:8",
    "package" : "vim-2:8.0.1763-11.el8_0"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "release_date" : "2019-06-27T00:00:00Z",
    "advisory" : "RHSA-2019:1619",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8",
    "package" : "vim-2:8.0.1763-11.el8_0"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 5",
    "fix_state" : "Out of support scope",
    "package_name" : "vim",
    "cpe" : "cpe:/o:redhat:enterprise_linux:5"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2019-12735\nhttps://nvd.nist.gov/vuln/detail/CVE-2019-12735" ],
  "name" : "CVE-2019-12735",
  "mitigation" : {
    "value" : "The vulnerability can be triggered only if `modeline` is enabled. You can check whether `modeline` is enabled within vim via the command `:set modeline?`.\nIt can be turned off explicitly by adding `set nomodeline` to a vimrc file.",
    "lang" : "en:us"
  },
  "csaw" : false
}