Overview
iTerm2, up to and including version 3.3.5, with tmux integration is vulnerable to remote command execution.
Description
iTerm2 is a popular terminal emulator for macOS that supports terminal multiplexing using tmux integration and is frequently used by developers and system administrators. A vulnerability, identified as CVE-2019-9535, exists in the way that iTerm2 integrates with tmux's control mode, which may allow an attacker to execute arbitrary commands by providing malicious output to the terminal. This affects versions of iTerm2 up to and including 3.3.5.
Impact
This vulnerability may allow an attacker to execute arbitrary commands on their victim's computer by providing malicious output to the terminal. It could be exploited using command-line utilities that print attacker-controlled content. Potential attack vectors include connecting via ssh to a malicious server, using curl to fetch a malicious website, or using tail -f to follow a logfile containing some malicious content.
Solution
Apply an update
Update iTerm2 to version 3.3.6, which includes mitigations against exploitation of this vulnerability. The latest version is available as an update within the program itself, or can be downloaded from https://www.iterm2.com/downloads.html. As the tmux integration cannot be disabled through configuration, a complete resolution is not yet available. We recommend that users of tmux integration follow the best practices outlined by iTerm2 at https://gitlab.com/gnachman/iterm2/wikis/tmux-Integration-Best-Practices.
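To check a Mac against the fixed release named above, the following added example (not code from iTerm2 or from this advisory) classifies a version string relative to 3.3.6 and reports on the local install. The default application path, the `ITERM2_APP` override and the choice to report beta or nightly version strings as "unknown" are assumptions.

```shell
#!/bin/sh
# Added example, not vendor code: is the installed iTerm2 older than the
# release this advisory names as carrying the mitigations?
FIXED_VERSION="3.3.6"                          # from the advisory
APP="${ITERM2_APP:-/Applications/iTerm.app}"   # assumption: default install path

# classify_iterm2_version VERSION  ->  prints vulnerable | mitigated | unknown
classify_iterm2_version() {
    v=$1
    # Compare plain dotted-numeric release strings only. Beta and nightly
    # strings are reported as unknown for manual review (assumption).
    case $v in
        ''|*[!0-9.]*|.*|*.|*..*) echo unknown; return 0 ;;
    esac
    IFS=. read -r a1 a2 a3 rest <<EOF
$v
EOF
    IFS=. read -r b1 b2 b3 rest <<EOF
$FIXED_VERSION
EOF
    # Walk major, minor, patch numerically; a missing field counts as 0.
    for pair in "${a1:-0} ${b1:-0}" "${a2:-0} ${b2:-0}" "${a3:-0} ${b3:-0}"; do
        set -- $pair
        if [ "$1" -lt "$2" ]; then echo vulnerable; return 0; fi
        if [ "$1" -gt "$2" ]; then echo mitigated; return 0; fi
    done
    echo mitigated    # exactly the fixed release
}

# Report on this machine when iTerm2 is present (macOS only).
if [ -d "$APP" ]; then
    ver=$(/usr/bin/defaults read "$APP/Contents/Info" CFBundleShortVersionString 2>/dev/null || true)
    echo "iTerm2 ${ver:-?} at $APP: $(classify_iterm2_version "$ver")"
fi
```

A "mitigated" result means only that the install is at or past 3.3.6; as noted above, the tmux integration best practices still apply.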
CVSS Metrics
Group | Score | Vector |
---|---|---|
Base | 9.3 | AV:N/AC:M/Au:N/C:C/I:C/A:C |
Temporal | 7.3 | E:POC/RL:OF/RC:C |
Environmental | 1.8 | CDP:ND/TD:L/CR:ND/IR:ND/AR:ND |
References
- https://www.iterm2.com/downloads.html
- https://github.com/gnachman/iTerm2/commit/538d570ea54614d3a2b5724f820953d717fbeb
- https://blog.mozilla.org/security/2019/10/09/iterm2-critical-issue-moss-audit/
- https://www.iterm2.com/documentation-tmux-integration.html
- https://gitlab.com/gnachman/iterm2/wikis/tmux-Integration-Best-Practices
- https://radicallyopensecurity.com/
Acknowledgements
Thanks to Stefan Grönke and Fabian Freyer of Radically Open Security for finding this vulnerability, the Mozilla Open Source Support (MOSS) project for supporting the audit, George Nachman of iTerm2 for developing the fix, and all parties for coordinating this vulnerability.
This document was written by Madison Oliver.
Other Information
CVE IDs: CVE-2019-9535
Date Public: 2019-10-09
Date First Published: 2019-10-09
Date Last Updated: 2019-10-25 13:48 UTC
Document Revision: 37