The author of popular macOS open source terminal emulator iTerm2 has rushed out a new version (v3.3.6) because prior iterations have a security flaw that could allow an attacker to execute commands on a computer using the application.
The vulnerability (CVE-2019-9535) was identified through the Mozilla Open Source Support Program (MOSS), which arranged to audit iTerm2 under its remit to review open source projects for security problems. A third-party security biz, Radically Open Security, performed the audit.
In a post to an iTerm2 discussion group, developer George Nachman said, "As part of this audit, a problem was discovered which could cause iTerm2 to issue commands in response to receiving certain input."
"This is a serious security issue because in some circumstances it could allow an attacker to execute commands on your machine when you view a file or otherwise receive input they have crafted in iTerm2."
Nachman, in response to an email from The Register, said he couldn't provide more details at the moment and that researchers are working on a technical write-up for next week. He said that the flaw affects between 100,000 and 200,000 users of the software.
Mozilla didn't immediately respond to a request to explain the flaw in greater detail. The commit that fixes the flaw provides some insight into the problem, at least for those familiar with Objective-C code.
According to Mozilla security engineer Tom Ritter, the vulnerability arises from the tmux integration feature in iTerm2 and has been present for at least seven years. The tmux application is a terminal multiplexer that allows multiple terminals to be created and controlled from a single window.
The CERT Coordination Center's vulnerability notice says that the flaw can be exploited using command-line utilities that print attacker-controlled content to the terminal screen.
"Potential attack vectors include connecting via ssh to a malicious server, using curl to fetch a malicious website, or using tail -f to follow a logfile containing some malicious content," CERT/CC says.
Mozilla created a proof-of-concept video demonstrating how an ssh connection to an attacker-controlled server could launch a Calculator app as a placeholder for malicious code.
iTerm2 should eventually prompt users to upgrade, but those with v3.3.5 or earlier should download the update directly without waiting. ®
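For admins who want to confirm the patch level on their Macs rather than wait for the in-app prompt, here is an added example (not code from the article, Mozilla or the iTerm2 project): a POSIX shell check that reads the installed iTerm2 version from its app bundle and reports whether it predates the fixed release, v3.3.6. The install path /Applications/iTerm.app and the CFBundleShortVersionString key are assumptions about a standard macOS install; the version-comparison logic itself has no macOS dependency and can be tested anywhere.

```shell
#!/bin/sh
# Added example, not from the article or the iTerm2 project.
# Reports whether the installed iTerm2 is older than the release the article
# names as fixed (3.3.6). Assumes the default install path and the standard
# CFBundleShortVersionString key of a macOS app bundle.

FIXED_VERSION="3.3.6"

# Keep only the leading digits of one version component ("6beta1" -> "6",
# "" -> "0") so that the numeric comparison below never sees a non-number.
numeric_part() {
    n=$(printf '%s' "$1" | sed 's/^\([0-9]*\).*/\1/')
    printf '%s' "${n:-0}"
}

# Compare two dotted versions component by component.
# Prints -1, 0 or 1 for a<b, a==b, a>b; missing components count as 0,
# so "3.4" compares as "3.4.0".
version_cmp() {
    a="$1."; b="$2."          # trailing dot terminates the last component
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=$(numeric_part "${a%%.*}"); a=${a#*.}
        y=$(numeric_part "${b%%.*}"); b=${b#*.}
        if [ "$x" -lt "$y" ]; then echo -1; return; fi
        if [ "$x" -gt "$y" ]; then echo 1; return; fi
    done
    echo 0
}

# True (exit 0) when the given iTerm2 version predates the fixed release.
iterm2_needs_update() {
    [ "$(version_cmp "$1" "$FIXED_VERSION")" -lt 0 ]
}

# Read the installed version from the app bundle's Info.plist (macOS only).
# Fails with exit 1 when the bundle is not present at the expected path.
installed_iterm2_version() {
    plist="${1:-/Applications/iTerm.app/Contents/Info.plist}"
    [ -f "$plist" ] || return 1
    defaults read "$plist" CFBundleShortVersionString 2>/dev/null
}

if v=$(installed_iterm2_version); then
    if iterm2_needs_update "$v"; then
        echo "iTerm2 $v is installed: older than $FIXED_VERSION, update needed"
    else
        echo "iTerm2 $v is installed: at or beyond $FIXED_VERSION"
    fi
else
    echo "iTerm2 not found at the default install path; nothing to check"
fi
```

Run it as-is on a Mac, or pass an alternative Info.plist path to installed_iterm2_version for a non-standard install location; a fleet management tool can call iterm2_needs_update with the version it already inventories.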