iTerm2, the most popular macOS terminal emulator, has been updated to fix a critical security issue that went unnoticed for at least seven years.
An attacker can take remote control of a system running a vulnerable version of iTerm2 if the program is used to connect to a malicious source.
The vulnerability, tracked as CVE-2019-9535, was found during an audit by Radically Open Security funded by the Mozilla Open Source Support (MOSS) program.
iTerm2 is a terminal emulator designed to offer more functionality than the stock Terminal application in macOS. Its features include split panes, full screen mode, notifications, and an Exposé-style view of tabs.
It also integrates with tmux, a versatile terminal multiplexer that allows multiple sessions. These attributes make iTerm2 a popular choice among developers and administrators, who are considered high-value targets.
The software is also used to process untrusted data, and it is open source. As such, choosing this project for the audit was not an arbitrary decision, Mozilla says in a blog post today.
The issue lies in the integration with tmux control mode, which can let a remote attacker execute arbitrary commands when a vulnerable iTerm2 displays attacker-controlled content.
This can happen when the user connects to a compromised SSH server, or runs a "curl" command that fetches content from an attacker-controlled website.
Mozilla has released a proof-of-concept video showing a malicious SSH server being used to run an arbitrary command on the connected device (in the demo, launching the Calculator application).
Another plausible attack vector is using "tail -f" to follow a log file that contains malicious content. However, exploitation is not limited to these scenarios.
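The common thread in the scenarios above is that bytes an attacker controls reach the terminal unfiltered, and the terminal interprets control sequences in them. The script below is an added example written for this article; it is not code from iTerm2, Mozilla, or the audit, and it does not reproduce the exploit. It assumes that tmux control mode is announced with the Device Control String `ESC P 1000 p` (the introducer `tmux -CC` emits), flags that introducer in untrusted data, lists every control sequence present, and renders them visibly the way `cat -v` does so the terminal never interprets them. The sample inputs are constructed stand-ins for a curl response, a log line followed with `tail -f`, and a benign SSH banner.

```python
import re
import sys

# tmux -CC announces control mode with DCS "1000p": either the 7-bit form
# ESC P (0x1b 0x50) or the 8-bit C1 DCS byte 0x90, followed by "1000p".
# (Assumption of this example, not a detail taken from the article.)
TMUX_CONTROL_MODE_DCS = re.compile(rb"(?:\x1bP|\x90)1000p")

# Any escape-introduced control sequence worth reporting in untrusted output:
# string sequences (DCS, APC, PM, OSC) up to their terminator, CSI sequences,
# other two-byte ESC sequences, and raw 8-bit C1 control bytes.
CONTROL_SEQUENCE = re.compile(
    rb"\x1b[P_^\]].*?(?:\x1b\\|\x07)"  # DCS / APC / PM / OSC ... ST or BEL
    rb"|\x1b\[[0-?]*[ -/]*[@-~]"       # CSI: ESC [ params intermediates final
    rb"|\x1b[@-Z\\-_]"                 # remaining ESC + single byte (Fe)
    rb"|[\x80-\x9f]",                  # 8-bit C1 controls
    re.DOTALL,
)


def contains_tmux_control_mode(data: bytes) -> bool:
    """True if the data would switch a control-mode-aware terminal into tmux mode."""
    return TMUX_CONTROL_MODE_DCS.search(data) is not None


def find_control_sequences(data: bytes) -> list:
    """Return every control sequence found, in order, as raw bytes."""
    return [m.group(0) for m in CONTROL_SEQUENCE.finditer(data)]


def sanitize(data: bytes) -> bytes:
    """Make control sequences visible (ESC -> ^[, other control bytes -> \\xNN)
    instead of letting the terminal interpret them, like `cat -v`."""
    def visible(match):
        out = bytearray()
        for b in match.group(0):
            if b == 0x1B:
                out += b"^["
            elif b < 0x20 or b >= 0x80:
                out += b"\\x%02x" % b
            else:
                out.append(b)
        return bytes(out)
    return CONTROL_SEQUENCE.sub(visible, data)


# Constructed samples standing in for the vectors the article mentions.
SAMPLES = {
    # body of a page fetched with curl from an attacker-controlled site
    "curl": b"<html>hello\x1bP1000p...\x1b\\</html>\n",
    # a line appended to a log file that is being followed with tail -f
    "tail-f": b"2019-10-09 12:00:00 login from 203.0.113.7 \x1bP1000p...\x1b\\\n",
    # banner from a benign SSH server: colour only, no DCS
    "ssh-benign": b"\x1b[32mWelcome\x1b[0m\n",
}


def triage(samples: dict) -> dict:
    """Map each sample name to whether it carries the tmux control-mode introducer."""
    return {name: contains_tmux_control_mode(data) for name, data in samples.items()}


if __name__ == "__main__":
    # Filter usage: tail -f /var/log/app.log | python3 this_script.py
    raw = sys.stdin.buffer.read()
    if contains_tmux_control_mode(raw):
        sys.stderr.write("warning: tmux control-mode introducer in input\n")
    sys.stdout.buffer.write(sanitize(raw))
```

Run as a filter, the script neutralises anything the terminal would otherwise act on; `cat -v` gives the same protection for the `tail -f` case without any script. Neither replaces upgrading iTerm2, since the fix is in the terminal's own parser, but they are a sensible habit whenever output from an untrusted source is shown in any terminal.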
“Typically this vulnerability would require some degree of user interaction or trickery; but because it can be exploited via commands generally considered safe there is a high degree of concern about the potential impact.” – Mozilla
George Nachman, the developer of iTerm2, today released updates that fix the vulnerability. Users should upgrade to version 3.3.6 or 3.3.7beta1.