Nasty Bug Fixed in iTerm2 Terminal Emulator

There’s a serious vulnerability in several versions of the iTerm2 terminal emulator for macOS that resulted in all of the input and output from SSH sessions being logged on the remote host. The developer of iTerm2 has released an updated version that fixes the flaw and is urging users of all of the affected versions to update as quickly as possible. 

Key Details

• iTerm2 is a popular full-featured terminal emulator for macOS that includes a feature for SSH integration

• Versions 3.5.6, 3.5.7, 3.5.8, 3.5.9, and 3.5.10, and any beta versions 3.5.6 and later all include the vulnerability, which does not have a CVE assigned yet

• “A bug in the SSH integration feature caused input and output to be logged to a file on the remote host. This file, /tmp/framer.txt, may be readable by other users on the remote host,” the advisory says. 

• The updated version that fixes the bug is iTerm2 3.5.11

The vulnerability is present under certain specific conditions in the affected versions. From the advisory:

Either:

a) You used the it2ssh command, or

b) In Settings > Profiles > General, the Command popup menu was set to "SSH" (not "Login Shell", "Command", or "Custom Command") AND "SSH Integration" was checked  in the SSH configuration dialog. That dialog is shown when you click the Configure button next to the ssh arguments field in Settings.

2. The remote host has Python 3.7 or later installed in its default search path.

“The code to write to log files in SSH integration has been deleted and will not be publicly released again,” iTerm2 developer George Nachman said in the advisory. 

<iframe src="https://embeds.beehiiv.com/a6407365-5497-4de1-b83b-acb60b1ae802" data-test-id="beehiiv-embed" width="100%" height="320" frameborder="0" style="border-radius: 4px; border: 2px solid #e5e7eb; margin: 0; background-color: transparent;"></iframe>