Written by Anthony Carballo
on October 11, 2019

Summary

Researchers at Radically Open Security (ROS) have discovered a critical Remote Code Execution (RCE) vulnerability that has existed for over 7 years in the iTerm2 macOS terminal emulator app.

iTerm2 is a free and open-source terminal emulator for Mac that offers multiple windows in independent sessions, a robust search tool coupled with handy auto-complete commands, and some other cool features.

The RCE flaw is tracked as CVE-2019-9535 and was discovered as part of an independent security audit funded by the Mozilla Open Source Support Program (MOSS). No official score has been published yet, so we calculated our own using the tool from NIST. Exploiting this vulnerability is not a very complicated task, but it would require some degree of user interaction or trickery. It can be exploited via commands that are generally considered benign, and there is a high degree of concern about the potential impact if exploited. After our calculations, we believe this vulnerability can be classified as High severity under the industry-standard Common Vulnerability Scoring System (CVSS), since the impact would be high if exploited.

TTPs

This vulnerability may allow an attacker to execute arbitrary commands on a victim's computer by sending specially crafted output to the terminal. It is caused by an integration error with tmux's control mode.

It could be exploited using command-line utilities that print attacker-controlled content. Potential attack vectors include connecting via SSH to a malicious server, using curl to get a malicious website, or using tail -f to follow a log file containing some malicious content.

You can watch a PoC (Proof of Concept) made by the Mozilla Open Source Support Program (MOSS).

 

CVEs

This vulnerability is tracked under:

CVE-2019-9535

Score:

CVSS Overall Score: 8.5 (High)

CVSS Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C/CR:X/IR:X/AR:X/MAV:N/MAC:L/MPR:X/MUI:X/MS:X/MC:X/MI:X/MA:X

Conclusions

iTerm2 is a popular tool for macOS users and is frequently used by developers. MOSS chose iTerm2 for a security audit because it processes untrusted data and is widely used, including by high-risk targets like developers and system administrators.

During the audit, in which ROS collaborated, it was identified that this vulnerability in the tmux integration has existed for at least 7 years. An attacker who can produce output to the terminal can, in many cases, execute commands on the user's computer.

Fortunately, iTerm2 fixed the issue and released a patched version of the tool before this news was released. You can follow the recommendations below.

Advice

An update to iTerm2 is now available with mitigation for this issue. While iTerm2 will eventually prompt you to update automatically, we recommend you proactively update by going to the iTerm2 menu and choosing "Check for update". The fix is available in version 3.3.6. We also believe that you can find here excellent tips if you use tmux.
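To confirm that a Mac has actually received the fixed release, the version check behind this advice can be scripted. The following is an added example, not code from iTerm2 or from the audit; the two install paths and the handling of suffixed builds are assumptions.

```shell
#!/bin/sh
# Added example: report iTerm2 installs older than the fixed release 3.3.6.
# Assumption: iTerm2 is installed as iTerm.app in one of the two paths below.
FIXED_VERSION="3.3.6"

# field N VERSION: print the Nth dot-separated component, digits only (missing -> 0).
field() {
  f=$(printf '%s...\n' "$2" | cut -d. -f"$1" | sed 's/[^0-9].*$//')
  echo "${f:-0}"
}

# version_lt A B: succeed when dotted version A is strictly older than B.
version_lt() {
  for i in 1 2 3 4; do
    x=$(field "$i" "$1"); y=$(field "$i" "$2")
    [ "$x" -lt "$y" ] && return 0
    [ "$x" -gt "$y" ] && return 1
  done
  return 1
}

# classify VERSION: VULNERABLE (< 3.3.6), PATCHED (>= 3.3.6), REVIEW for
# builds with a suffix such as "beta1" (check by hand), UNKNOWN if unreadable.
classify() {
  case "$1" in
    ''|[!0-9]*) echo UNKNOWN ;;
    *[!0-9.]*)  echo REVIEW ;;
    *) if version_lt "$1" "$FIXED_VERSION"; then echo VULNERABLE; else echo PATCHED; fi ;;
  esac
}

# scan_apps: read the bundle version of each install found and print its status.
scan_apps() {
  for app in "/Applications/iTerm.app" "$HOME/Applications/iTerm.app"; do
    plist="$app/Contents/Info.plist"
    [ -f "$plist" ] || continue
    ver=$(/usr/libexec/PlistBuddy -c 'Print :CFBundleShortVersionString' "$plist" 2>/dev/null)
    printf '%s\t%s\t%s\n' "$app" "${ver:-?}" "$(classify "$ver")"
  done
}

scan_apps
```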

 

TTPs: Tactics, techniques and procedures
