Critical Remote Code Execution Flaw Fixed In Popular Terminal App For MacOS (csoonline.com)
itwbennett shares a report from CSO: iTerm2 users: It's time to upgrade. A security audit sponsored by the Mozilla Open Source Support Program uncovered a critical remote code execution (RCE) vulnerability in the popular open-source terminal app for macOS. iTerm2 is an open-source alternative to the built-in macOS Terminal app, which allows users to interact with the command-line shell. Terminal apps are commonly used by system administrators, developers and IT staff in general, including security teams, for a variety of tasks and day-to-day operations.
The iTerm2 app is a popular choice on macOS because it has features and allows customizations that the built-in Terminal doesn't, which is why the Mozilla Open Source Support Program (MOSS) decided to sponsor a code audit for it. The MOSS was created in the wake of the critical and wide-impact Heartbleed vulnerability in OpenSSL with the goal of sponsoring security audits for widely used open-source technologies. The flaw, which is now tracked as CVE-2019-9535, has existed in iTerm2 for the past seven years and is located in the tmux integration. Tmux is a terminal multiplexer that allows running multiple sessions in the same terminal window by splitting the terminal screen. The flaw was fixed in iTerm2 version 3.3.6, which was released today.
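The summary names the fixed release (3.3.6) but not how to confirm an install is on it. The script below is an added example, not part of the article or of the iTerm2 project: it reads the installed version from the app bundle's Info.plist (the bundle path and the CFBundleShortVersionString key are assumptions) and compares it component-wise against 3.3.6, since a plain string comparison would rank 3.3.10 below 3.3.6.

```shell
#!/bin/sh
# Added example: is the installed iTerm2 at or past 3.3.6, the release that
# fixed CVE-2019-9535? Bundle path and plist key are assumptions.
ITERM_PLIST="${ITERM_PLIST:-/Applications/iTerm.app/Contents/Info.plist}"
FIXED_VERSION="3.3.6"

# version_ge A B: succeed when dotted version A >= B, compared numerically
# component by component (so 3.3.10 >= 3.3.6 and 3.4 >= 3.3.6).
version_ge() {
  a="$1." b="$2."
  while [ -n "$a" ] || [ -n "$b" ]; do
    x="${a%%.*}" y="${b%%.*}"
    a="${a#*.}" b="${b#*.}"
    x="${x%%[!0-9]*}" y="${y%%[!0-9]*}"   # drop pre-release suffixes like "beta2"
    x="${x:-0}" y="${y:-0}"               # missing components count as 0
    if [ "$x" -gt "$y" ]; then return 0; fi
    if [ "$x" -lt "$y" ]; then return 1; fi
  done
  return 0
}

# installed_version: print the bundle's short version string via the macOS
# `defaults` tool; fail silently where the app or the tool is absent.
installed_version() {
  command -v defaults >/dev/null 2>&1 || return 1
  [ -r "$ITERM_PLIST" ] || return 1
  defaults read "${ITERM_PLIST%.plist}" CFBundleShortVersionString 2>/dev/null
}

# check_iterm2: 0 = fixed release installed, 1 = older release, 2 = not found.
check_iterm2() {
  v="$(installed_version)" || return 2
  [ -n "$v" ] || return 2
  if version_ge "$v" "$FIXED_VERSION"; then
    echo "iTerm2 $v: includes the CVE-2019-9535 fix"; return 0
  fi
  echo "iTerm2 $v: older than $FIXED_VERSION, upgrade"; return 1
}

check_iterm2
case $? in 2) echo "iTerm2 not found at $ITERM_PLIST (nothing to check)" ;; esac
```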
I use iTerm2 (Score:3)
It’s much better than Apple’s built-in terminal. I never warmed to how the built-in tmux integration worked, though, so I’ve always handled that manually. Guess that means I’ve been safe.
Actually this seems like it’d be a lot of work to exploit practically, and would really only be useful if you’re targeting a specific individual who happens to use iTerm2 and its tmux integration.
Re: (Score:2)
I think the tmux integration is part of how the terminal works, like if you make a new tab that's 1:1 with a new tmux screen. So I'm not sure you could avoid it, but I could be confused.
Either way I agree, the exploit isn't all that scary for most of us, but it's good to know it is fixed.
Re: (Score:2)
iTerm's tmux integration involves invoking tmux's control mode (tmux -CC), which behaves somewhat differently than your standard tmux session. The CVE specifically mentions the way iTerm2 interacts with control mode - so I expect anyone running tmux the "old fashioned way" was not affected by this.
Re: (Score:2)
Same here. I use multiple environments. Using tmux differently in iTerm2 would not make my life easier, since I use it the normal CLI way in other contexts (work, other non-mac computers, etc).
iTerm2 used to be cool, but... (Score:2)
In recent versions, they've picked up a weird bug where the terminal crashes when you try to cut and paste content into a terminal window. I've reported the bug several times, but they never bothered to fix it. It's not just me, either... I've seen other people experience the issue as well.
I've never seen a need for a third-party terminal (Score:4, Informative)
Apple's built-in Terminal app is awfully good -- it's fast, has a huge scrollback buffer, and generally just gets out of my way and lets me get my work done.
Re: (Score:1)
This is going to come across as whining about something rather trivial - because yeah, that's exactly what I'm doing - but it bugs me that Apple's Terminal only lets you have tabs along the top of the window. If I could move the tabs to the bottom of the terminal window, I might switch back to it because the app does work pretty well.
Every other tabbed terminal app I've used, whether on Linux or Mac, either has tabs located at the bottom of the window or else gives you the option of placing them there.
Re: (Score:2)
In my day we didn't even have tabs! Just eight empty spaces.
Re: (Score:2)
Yep. :)
Re: (Score:3)
If it hasn't got vertical ghosting, it's not a proper terminal.
Re: (Score:2)
Apple's built-in Terminal app is awfully good -- it's fast, has a huge scrollback buffer, and generally just gets out of my way and lets me get my work done.
But bugs in the character buffering in the Apple terminal broke mouse/touchpad scrolling on termbox (It split the multibyte event encodings) and that's a deal breaker for me.