CVE-2023-4736

CVSS base score: 7.8 (HIGH)

📋 TL;DR

CVE-2023-4736 is an untrusted search path vulnerability (CWE-426) in Vim, fixed in patch 9.0.1833. Vim looks for code to load in a set of directories, and when one of those directories is controlled by someone other than the user, a planted file is picked up and executed with that user's privileges. The upstream advisory classifies the flaw only as an untrusted search path; the practical condition is that an attacker-writable directory ends up on a path Vim searches, which the page attributes to the handling of dynamic library loading paths. Anyone running an unpatched Vim on a system where such a directory is reachable (shared checkouts, /tmp, network mounts, a stray entry in a loader path variable) is exposed.

💻 Affected Systems

Products:
  • Vim
Versions: Every release before Vim 9.0 patch 1833, i.e. all 8.x releases and any 9.0 build whose "Included patches" range stops short of 1833 (the major.minor string alone does not tell you)
Operating Systems: Linux, macOS, Unix-like systems
Default Config Vulnerable: ⚠️ Yes
Notes: The flaw is in Vim itself, so stock configurations are affected; exploitation additionally requires that a directory Vim searches is writable by the attacker, either because of lax permissions or because the user runs Vim from or on files in a location the attacker controls.

📦 What is this software?

Vim by the Vim project

Vim (Vi IMproved) is a free, open-source, highly configurable text editor descended from vi. It is installed by default or readily available on Linux, macOS, the BSDs and other Unix-like systems, and is widely used by developers and administrators, frequently with elevated privileges (for example, when editing configuration files through sudo). That combination, ubiquity plus routine use by privileged users, is what makes a local code-loading flaw in it worth patching promptly.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Arbitrary code execution with the privileges of the user running Vim. This is a local vulnerability, not remote code execution; the worst case is an administrator invoking Vim (for example, via sudo) inside or on a directory an attacker can write to, which yields full system compromise.

🟠

Likely Case

Arbitrary code execution in the context of a user who opens or edits files in a directory another party can write to (a shared project checkout, /tmp, a network share). It becomes privilege escalation whenever the victim is more privileged than whoever can write to that directory.

🟢

If Mitigated

Limited impact when every directory on Vim's search path is writable only by root or by the invoking user, and users do not run Vim from or on files in untrusted locations.

🌐 Internet-Facing: LOW - This is primarily a local vulnerability requiring user interaction or local file placement.
🏢 Internal Only: MEDIUM - Internal users with access to shared directories could exploit this, but requires specific conditions.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires the attacker to place malicious files in directories that Vim searches, which typically requires some level of access or social engineering.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 9.0.1833 and later

Fix commit (upstream): https://github.com/vim/vim/commit/816fbcc262687b81fc46f82f7bbeb1453addfe0c

Restart Required: No system reboot, but Vim processes already running keep the old code in memory until they are closed and started again.

Instructions:

1. Update Vim with your system package manager (apt-get upgrade vim, yum update vim, dnf upgrade vim, brew upgrade vim, etc.). Distributions often backport the fix into an older version string, so check your vendor's advisory for the package release that carries it rather than relying on the version number alone.
2. Alternatively, build from source at or after patch 9.0.1833 from the official Vim repository.
3. Verify with vim --version that the "Included patches:" line reaches 1833 or higher, or that the release is 9.1 or newer, for every Vim binary on the host (vim, vim.basic, gvim, a Homebrew or MacPorts vim next to the system one).

🔧 Temporary Workarounds

Remove untrusted entries from library search paths

linux, macos

Setting these variables to system directories does not restrict anything: the dynamic loader already searches its built-in locations, and LD_LIBRARY_PATH / DYLD_LIBRARY_PATH can only add directories that are searched ahead of them. The defensive move is to unset them, and to make sure no profile, wrapper script or service unit puts an empty element, a relative element such as '.', or a world-writable directory into them (to ld.so an empty element means the current working directory):

unset LD_LIBRARY_PATH
unset DYLD_LIBRARY_PATH

Avoid untrusted directories

all

Do not run Vim from, or open files in, directories that other users can write to (shared scratch space, world-writable mounts, checkouts of untrusted repositories), and in particular do not do so as root.

🧯 If You Can't Patch

  • Restrict file permissions to prevent untrusted users from writing to directories in Vim's search path
  • Use alternative text editors until patching is possible

🔍 How to Verify

Check if Vulnerable:

Run vim --version. The first line shows only the major.minor release (for example "VIM - Vi IMproved 9.0"); the patch level is on the "Included patches:" line. A 9.0 build whose patch range does not reach 1833 is vulnerable, as is any 8.x release.

Check Version:

vim --version | head -n 2

Verify Fix Applied:

The "Included patches:" line ends at 1833 or higher, or the release is 9.1 or newer. Repeat for each Vim binary present (vim, vim.basic, gvim, vimdiff, a Homebrew or MacPorts build alongside /usr/bin/vim), since each can carry a different patch level.
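The two checks above, the search-path hygiene from the workaround section and the version verification here, as one script. This is an added example written for this page, not code from the Vim project; the version banners it feeds itself are constructed, and the 9.0.1833 threshold is the one the advisory names. It needs only POSIX sh, sed, ls and cut.

```shell
#!/bin/sh
# Added example (not from the Vim project or the original page).
#   vim_is_fixed   - is a `vim --version` banner at or past patch 9.0.1833?
#   check_lib_path - does a colon-separated loader path (LD_LIBRARY_PATH,
#                    DYLD_LIBRARY_PATH) contain entries someone else can seed?
# The banners in the demo at the bottom are constructed for this example.

FIX_MAJOR=9
FIX_MINOR=0
FIX_PATCH=1833

# Reads a `vim --version` banner on stdin. Exit 0 if the build includes patch
# 9.0.1833 or is a newer release (9.1, 10.x), 1 if it is older, 2 if the text
# is not a Vim banner. The first line only carries "9.0"; the patch level is
# on the "Included patches:" line, so `head -1` alone cannot answer this.
vim_is_fixed() {
    banner=$(cat)
    ver=$(printf '%s\n' "$banner" \
        | sed -n 's/^VIM - Vi IMproved \([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1 \2/p' \
        | head -n 1)
    [ -n "$ver" ] || return 2
    major=${ver%% *}
    minor=${ver##* }
    # "Included patches: 1-1833" or "1-12, 40-1833": the last number is the
    # highest patch applied. No such line means patch level 0.
    patch=$(printf '%s\n' "$banner" \
        | sed -n 's/^Included patches:.*[-, ]\([0-9][0-9]*\)$/\1/p' \
        | head -n 1)
    patch=${patch:-0}
    if [ "$major" -gt "$FIX_MAJOR" ]; then return 0; fi
    if [ "$major" -lt "$FIX_MAJOR" ]; then return 1; fi
    if [ "$minor" -gt "$FIX_MINOR" ]; then return 0; fi
    if [ "$minor" -lt "$FIX_MINOR" ]; then return 1; fi
    [ "$patch" -ge "$FIX_PATCH" ]
}

# Inspects a colon-separated search path. To ld.so an empty element (leading,
# trailing or doubled colon) is the current directory; a relative element is
# resolved against the cwd; a world-writable directory can be seeded by any
# local user. Prints each finding; exit 0 when clean, 1 when anything is flagged.
check_lib_path() {
    pathval=$1
    [ -n "$pathval" ] || return 0        # unset/empty variable adds nothing
    bad=0
    rest="$pathval:"                     # sentinel so the last field is seen
    while [ -n "$rest" ]; do
        entry=${rest%%:*}
        rest=${rest#*:}
        if [ -z "$entry" ]; then
            echo "UNSAFE: empty element (means current directory)"; bad=1
        elif [ "${entry#/}" = "$entry" ]; then
            echo "UNSAFE: relative element '$entry'"; bad=1
        elif [ -d "$entry" ] && [ "$(ls -ld "$entry" | cut -c9)" = "w" ]; then
            echo "UNSAFE: world-writable directory '$entry'"; bad=1
        fi
    done
    return "$bad"
}

# Demo on constructed banners; on a live host use:
#   vim --version | vim_is_fixed; check_lib_path "$LD_LIBRARY_PATH"
printf 'VIM - Vi IMproved 9.0 (2022 Jun 28)\nIncluded patches: 1-1833\n' \
    | vim_is_fixed && echo "9.0 with patches 1-1833: fixed"
printf 'VIM - Vi IMproved 9.0 (2022 Jun 28)\nIncluded patches: 1-1500\n' \
    | vim_is_fixed || echo "9.0 with patches 1-1500: VULNERABLE"
check_lib_path "/usr/lib::/tmp" || echo "review the entries flagged above"
```

Run it against every Vim binary on the box, not just the one `vim` resolves to; a Homebrew build and the system /usr/bin/vim on macOS are separate installs with separate patch levels.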

📡 Detection & Monitoring

Log Indicators:

  • Vim processes started with a working directory in /tmp, /var/tmp, /dev/shm or another directory writable by other users
  • Library loads or file opens by vim from such directories (visible for a single run with LD_DEBUG=libs, or from auditd / EDR file-open events)

Network Indicators:

  • No direct network indicators as this is a local vulnerability

SIEM Query:

Alert on process-start events (auditd SYSCALL plus CWD records for execve, or your EDR's equivalent) where the executable is a Vim binary and the working directory is /tmp, /var/tmp, /dev/shm or a directory writable by users other than the one launching it; a correlated file open or library load from that same directory raises the severity.
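A concrete form of that query for Linux hosts running auditd with an execve rule (for example -a always,exit -F arch=b64 -S execve -k exec). This is an added example, not code from the page or the Vim project; the audit.log lines inside it are constructed for the demo, and the list of untrusted directories is an assumption to tune for your environment.

```shell
#!/bin/sh
# Added example (not from the original page or the Vim project): correlate
# auditd SYSCALL and CWD records, which share the id in msg=audit(SECS.MS:ID),
# and report Vim launches whose working directory is a commonly shared,
# world-writable location. The record layout (type=, msg=audit(...), exe=,
# cwd=) is the standard auditd format; the sample lines are constructed.

# Assumption: directories any local user can write to. Adjust per host.
UNTRUSTED_CWD='^/(tmp|var/tmp|dev/shm)(/|$)'

# Reads audit.log on stdin, prints "<event-id> <exe> <cwd>" per hit, in log order.
# syscall numbers 59/322 are execve/execveat on x86_64 (check ausyscall(8) for
# other architectures). The exe regex also catches Debian's vim.basic/vim.gtk.
vim_from_untrusted_cwd() {
    awk -v dirs="$UNTRUSTED_CWD" '
    function event_id(line,    m) {
        if (!match(line, /msg=audit\([0-9.]+:[0-9]+\)/)) return ""
        m = substr(line, RSTART, RLENGTH)
        sub(/^msg=audit\([0-9.]+:/, "", m)
        sub(/\)$/, "", m)
        return m
    }
    # value of a quoted field such as exe="/usr/bin/vim"
    function quoted(line, name,    re) {
        re = name "=\"[^\"]*\""
        if (!match(line, re)) return ""
        return substr(line, RSTART + length(name) + 2, RLENGTH - length(name) - 3)
    }
    /type=SYSCALL / && / syscall=(59|322) / {
        id = event_id($0)
        if (id != "" && !(id in exe)) order[++n] = id
        exe[id] = quoted($0, "exe")
    }
    /type=CWD / { cwd[event_id($0)] = quoted($0, "cwd") }
    END {
        for (i = 1; i <= n; i++) {
            id = order[i]
            if (exe[id] ~ /\/vim(\.[a-z]+)?$/ && (id in cwd) && cwd[id] ~ dirs)
                print id, exe[id], cwd[id]
        }
    }'
}

# Constructed sample: two vim launches from shared directories (1001, 1004),
# one from a home directory (1002) and an unrelated cat in /tmp (1003).
SAMPLE_AUDIT=$(cat <<'EOF'
type=SYSCALL msg=audit(1693000000.101:1001): arch=c000003e syscall=59 success=yes exit=0 ppid=1200 pid=1201 auid=1000 uid=1000 comm="vim.basic" exe="/usr/bin/vim.basic" key="exec"
type=CWD msg=audit(1693000000.101:1001): cwd="/tmp/shared"
type=SYSCALL msg=audit(1693000000.205:1002): arch=c000003e syscall=59 success=yes exit=0 ppid=1200 pid=1203 auid=1000 uid=1000 comm="vim.basic" exe="/usr/bin/vim.basic" key="exec"
type=CWD msg=audit(1693000000.205:1002): cwd="/home/alice/src"
type=SYSCALL msg=audit(1693000000.300:1003): arch=c000003e syscall=59 success=yes exit=0 ppid=1200 pid=1204 auid=1000 uid=1000 comm="cat" exe="/usr/bin/cat" key="exec"
type=CWD msg=audit(1693000000.300:1003): cwd="/tmp"
type=SYSCALL msg=audit(1693000000.410:1004): arch=c000003e syscall=59 success=yes exit=0 ppid=1300 pid=1301 auid=0 uid=0 comm="vim" exe="/usr/local/bin/vim" key="exec"
type=CWD msg=audit(1693000000.410:1004): cwd="/dev/shm/x"
EOF
)

# Demo; on a live host: vim_from_untrusted_cwd < /var/log/audit/audit.log
printf '%s\n' "$SAMPLE_AUDIT" | vim_from_untrusted_cwd
```

Event 1004 in the sample is the one to escalate: auid=0/uid=0 means a root shell started Vim inside /dev/shm, exactly the precondition the "Worst Case" above describes.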
