iTerm2 < 3.3.6 RCE (macOS)

#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
##

include('compat.inc');

if (description)
{
  script_id(278761);
  script_version("1.2");
  script_set_attribute(attribute:"plugin_modification_date", value:"2026/02/24");

  script_cve_id("CVE-2019-9535");

  script_name(english:"iTerm2 < 3.3.6 RCE (macOS)");

  script_set_attribute(attribute:"synopsis", value:
"An application installed on the remote macOS host is affected by a remote code execution vulnerability.");
  script_set_attribute(attribute:"description", value:
"The version of iTerm2 installed on the remote host is prior to 3.3.6. It is, therefore, affected by
a vulnerability:

  - A vulnerability exists in the way that iTerm2 integrates with tmux's control mode, which may allow 
    an attacker to execute arbitrary commands by providing malicious output to the terminal. This 
    vulnerability may allow an attacker to execute arbitrary commands on their victim's computer by 
    providing malicious output to the terminal. It could be exploited using command-line utilities 
    that print attacker-controlled content. (CVE-2019-9535)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version
number.");
  script_set_attribute(attribute:"see_also", value:"https://iterm2.com/news.html");
  script_set_attribute(attribute:"solution", value:
"Upgrade to iTerm2 version 3.3.6 or later.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2019-9535");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2019/10/09");
  script_set_attribute(attribute:"patch_publication_date", value:"2019/10/09");
  script_set_attribute(attribute:"plugin_publication_date", value:"2025/12/16");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:iterm2:iterm2");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"MacOS X Local Security Checks");

  script_copyright(english:"This script is Copyright (C) 2025-2026 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("iterm2_macos_installed.nbin");
  script_require_keys("installed_sw/iTerm2", "Host/MacOSX/Version");

  exit(0);
}

include ('vdf.inc');

# @tvdl-content
var vuln_data = {
  'metadata': {'spec_version': '1.0'},
  'checks': [
    {
      'product': {'name': 'iTerm2', 'type': 'app'},
      'requires': [ {'scope': 'target', 'match': {'os': 'macos' } } ],
      'check_algorithm': 'default',
      'constraints': [
        {
          'fixed_version': '3.3.6'
        }
      ]
    }
  ]
};

var result = vdf::check_and_report(vuln_data:vuln_data, severity:SECURITY_HOLE);
vdf::handle_check_and_report_errors(vdf_result:result);