Researchers at Radically Open Security (ROS) have discovered a critical Remote Code Execution (RCE) vulnerability that has existed for at least 7 years in the iTerm2 macOS terminal emulator.
iTerm2 is a free and open-source terminal emulator for Mac that offers multiple windows in independent sessions, a robust search tool coupled with handy auto-complete commands, and some other cool features.
The flaw is tracked as CVE-2019-9535. It was found during an independent security audit funded by the Mozilla Open Source Support Program (MOSS). At the time of writing no official CVSS score has been published, so we computed one ourselves with the NIST CVSS calculator. Exploiting the vulnerability is not technically complicated, but it does require a degree of user interaction or trickery: the victim has to run something that prints attacker-controlled output in the terminal. Because terminal output is generally considered harmless, the potential impact of a successful exploit is a serious concern. Based on our calculation we rate the vulnerability as High severity under the industry-standard Common Vulnerability Scoring System (CVSS), driven by the high impact if it is exploited.
The vulnerability allows an attacker to execute arbitrary commands on the victim's computer by sending specially crafted output to the terminal. The root cause is an error in iTerm2's integration with tmux's control mode.
It can be exploited through any command-line utility that prints attacker-controlled content. Potential attack vectors include connecting over SSH to a malicious server, fetching a malicious web page with curl, or running tail -f on a log file to which an attacker can write.
Our CVSS calculation for this vulnerability:
CVSS Overall Score: 8.5 (High)
CVSS Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C/CR:X/IR:X/AR:X/MAV:N/MAC:L/MPR:X/MUI:X/MS:X/MC:X/MI:X/MA:X
The base metrics alone (network attack vector, low complexity, no privileges or user interaction required, high confidentiality, integrity and availability impact) score 9.8 (Critical); the temporal metrics E:U (no public exploit known) and RL:O (official fix available) bring the overall score down to 8.5.
iTerm2 is a popular tool for macOS users and is used heavily by developers. MOSS chose iTerm2 for a security audit because it processes untrusted data and is widely used, including by high-value targets such as developers and system administrators.
During the audit, in which ROS participated, it was established that this flaw in the tmux integration has existed for at least 7 years. An attacker who can produce output to the terminal can, in many cases, execute commands on the user's computer.
Fortunately, iTerm2 fixed the issue and released a patched version before this news was published; follow the recommendations below.
An update to iTerm2 with a mitigation for this issue is now available. iTerm2 will eventually prompt you to update automatically, but we recommend updating proactively by opening the iTerm2 menu and choosing "Check for update". The fix is available in version 3.3.6. If you use tmux, also review iTerm2's own tmux integration documentation.
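For anyone responsible for more than one Mac, a scriptable version check is handier than opening the menu on each machine. The script below is an added example, not code from the advisory or from the iTerm2 project. It assumes the app is installed at the standard bundle path (/Applications/iTerm.app) and that every release numbered below 3.3.6, the version named above as carrying the fix, is affected; beta builds are compared by their numeric part only, which is an assumption of this script rather than a statement from the advisory.

```shell
#!/bin/sh
# Added example (not from the advisory or the iTerm2 project): report whether an
# installed iTerm2 predates the 3.3.6 fix for CVE-2019-9535.
# Assumptions: standard bundle path, and every release numbered below 3.3.6 is affected.

FIXED_VERSION="3.3.6"

# version_lt A B: succeed (exit 0) when dot-separated version A sorts strictly
# before B. Missing components count as 0 and a non-numeric suffix such as
# "beta1" is ignored, so 3.3 < 3.3.6 and 3.3.6beta1 compares equal to 3.3.6.
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            xi = x[i] + 0; yi = y[i] + 0   # awk keeps only the leading numeric prefix
            if (xi < yi) exit 0
            if (xi > yi) exit 1
        }
        exit 1   # versions are equal, so A is not less than B
    }'
}

# iterm2_vulnerable VERSION: succeed when VERSION is older than the fixed release.
iterm2_vulnerable() {
    version_lt "$1" "$FIXED_VERSION"
}

# version_from_plist_xml FILE: pull CFBundleShortVersionString out of an XML
# Info.plist without macOS tooling (the <string> value follows the <key> line).
version_from_plist_xml() {
    awk '/<key>CFBundleShortVersionString<\/key>/ {
        getline
        if (match($0, /<string>[^<]*<\/string>/)) {
            print substr($0, RSTART + 8, RLENGTH - 17)
            exit
        }
    }' "$1"
}

# installed_iterm2_version [BUNDLE]: print the version of the installed app.
# Prefers `defaults`, which also reads binary plists; falls back to the XML parser.
installed_iterm2_version() {
    bundle="${1:-/Applications/iTerm.app}"
    plist="$bundle/Contents/Info.plist"
    [ -r "$plist" ] || return 1
    if command -v defaults >/dev/null 2>&1; then
        defaults read "${plist%.plist}" CFBundleShortVersionString
    else
        version_from_plist_xml "$plist"
    fi
}

main() {
    v=$(installed_iterm2_version "$@") || { echo "iTerm2 not found" >&2; return 2; }
    if iterm2_vulnerable "$v"; then
        echo "iTerm2 $v is affected by CVE-2019-9535; update to $FIXED_VERSION or later"
        return 1
    fi
    echo "iTerm2 $v includes the fix for CVE-2019-9535"
}

# Run the check only when invoked with --check, so the functions can also be sourced.
if [ "${1:-}" = "--check" ]; then
    shift
    main "$@"
fi
```

Run it as `sh iterm2_check.sh --check` (optionally followed by a non-standard bundle path); exit status 1 means an affected version is installed, 2 means no iTerm2 was found, and 0 means the installed version already includes the fix, which makes it easy to fan out over a fleet with your usual remote-execution tooling.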
TTPs: Tactics, techniques and procedures