search menu icon-carat-right cmu-wordmark

CERT Coordination Center

iTerm2 with tmux integration is vulnerable to remote command execution

Vulnerability Note VU#763073

Original Release Date: 2019-10-09 | Last Revised: 2019-10-25

Overview

iTerm2, up to and including version 3.3.5, with tmux integration is vulnerable to remote command execution.

Description

iTerm2 is a popular terminal emulator for macOS that supports terminal multiplexing using tmux integration and is frequently used by developers and system administrators. A vulnerability, identified as CVE-2019-9535, exists in the way that iTerm2 integrates with tmux's control mode, which may allow an attacker to execute arbitrary commands by providing malicious output to the terminal. This affects versions of iTerm2 up to and including 3.3.5.

Impact

This vulnerability may allow an attacker to execute arbitrary commands on their victim's computer by providing malicious output to the terminal. It could be exploited using command-line utilities that print attacker-controlled content. Potential attack vectors include connecting via ssh to a malicious server, using curl to fetch a malicious website, or using tail -f to follow a logfile containing some malicious content.

Solution

Apply an update

Update iTerm2 to version 3.3.6, which includes mitigations against exploitation of this vulnerability. The latest version is available as an update within the program itself, or can be downloaded here. As the tmux integration cannot be disabled through configuration, a complete resolution is not yet available. We recommend that users of tmux integration follow the best practices outlined by iTerm2.

Vendor Information

763073
 
Affected   Unknown   Unaffected

iTerm 2

Updated:  October 08, 2019

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.


CVSS Metrics

Group Score Vector
Base 9.3 AV:N/AC:M/Au:N/C:C/I:C/A:C
Temporal 7.3 E:POC/RL:OF/RC:C
Environmental 1.8 CDP:ND/TD:L/CR:ND/IR:ND/AR:ND

References

Acknowledgements

Thanks to Stefan Grönke and Fabian Freyer of Radically Open Security for finding this vulnerability, the Mozilla Open Source Support (MOSS) project for supporting the audit, and George Nachman of iTerm2 for developing the fix, and all parties for coordinating this vulnerability.

This document was written by Madison Oliver.

Other Information

CVE IDs: CVE-2019-9535
Date Public: 2019-10-09
Date First Published: 2019-10-09
Date Last Updated: 2019-10-25 13:48 UTC
Document Revision: 35

Sponsored by the Department of Homeland Security Office of Cybersecurity and Communications.