Sid 1-43482

Message

FILE-OTHER Vim modelines remote command execution attempt

Summary

This event is generated when an attempt to execute commands through a crafted Vim modeline is detected.

Impact

Attempted User Privilege Gain

CVE-2016-1248:

CVSS base score 7.8

CVSS impact score 5.9

CVSS exploitability score 1.8

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Detailed information

CVE-2016-1248: Vim before patch 8.0.0056 does not properly validate values for the 'filetype', 'syntax' and 'keymap' options, which may result in the execution of arbitrary code when a file with a specially crafted modeline is opened.

Affected systems

  • vim vim 8.0.0055
  • debian debian_linux 8.0

Ease of attack

CVE-2016-1248:

Access Vector

Access Complexity

Authentication

False positives

None Known

False negatives

None Known

Corrective action

Contributors

  • Cisco's Talos Intelligence Group

Additional References