CVE-2023-46321
📋 TL;DR
This vulnerability in iTerm2 allows command injection through malicious x-man-page URLs. Attackers can execute arbitrary commands on the system by crafting URLs with shell metacharacters. All iTerm2 users on macOS are affected if using vulnerable versions.
💻 Affected Systems
- iTerm2
📦 What is this software?
iTerm2 by iTerm2
⚠️ Risk & Real-World Impact
Worst Case
Full system compromise with remote code execution leading to data theft, ransomware deployment, or complete system takeover.
Likely Case
Local privilege escalation or arbitrary command execution when user clicks on a malicious URL in iTerm2.
If Mitigated
Limited impact if proper URL filtering and user education prevent malicious URL execution.
🎯 Exploit Status
Exploitation requires user interaction (clicking malicious URL) but the injection mechanism is straightforward once triggered.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 3.5.0beta12 and later
Vendor Advisory: https://iterm2.com/downloads.html
Restart Required: Yes
Instructions:
1. Download iTerm2 version 3.5.0beta12 or later from https://iterm2.com/downloads.html
2. Install the new version
3. Restart iTerm2 to ensure the patch is active
🔧 Temporary Workarounds
Disable x-man-page URL handling
Prevent iTerm2 from handling x-man-page URLs by modifying system URL handlers
defaults write com.googlecode.iterm2 DisableURLHandling -bool YES
Use alternative terminal
Temporarily switch to macOS Terminal or another terminal application
🧯 If You Can't Patch
- Implement strict URL filtering at network perimeter to block malicious x-man-page URLs
- Educate users to avoid clicking on untrusted URLs within iTerm2
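The URL filtering suggested above can be done structurally rather than by blocklisting. The following added example (not part of this advisory or of iTerm2's code) parses an x-man-page URL into a section and page name against an allow-list of characters, decoding percent-encoding first so an encoded metacharacter cannot slip past, and builds the argv that would be handed to man without any shell; the accepted URL grammar (name or section/name) and the character set are assumptions.

```python
import re
from typing import List, Optional, Tuple
from urllib.parse import unquote

# Assumed grammar: x-man-page://<name> or x-man-page://<section>/<name>.
# Names may not start with '-' so a URL cannot smuggle an option to man.
_NAME = re.compile(r"^[A-Za-z0-9_][A-Za-z0-9._+-]*$")
_SECTION = re.compile(r"^(?:[0-9][a-z]*|n)$")
_PREFIX = "x-man-page://"


def parse_x_man_page(url: str) -> Optional[Tuple[str, str]]:
    """Return (section, name) for a well-formed URL, or None to reject it.

    Decoding happens once, before validation, so '%3B' becomes ';' and is
    rejected; a double-encoded '%253B' keeps its '%' and is rejected too.
    """
    decoded = unquote(url)
    if not decoded.lower().startswith(_PREFIX):
        return None
    components = decoded[len(_PREFIX):].rstrip("/").split("/")
    if len(components) == 1:
        section, name = "", components[0]
    elif len(components) == 2:
        section, name = components
        if not _SECTION.match(section):
            return None
    else:
        return None
    if not _NAME.match(name):
        return None
    return section, name


def man_argv(url: str) -> Optional[List[str]]:
    """Argument vector for man, to be run with shell=False; None if rejected."""
    parsed = parse_x_man_page(url)
    if parsed is None:
        return None
    section, name = parsed
    return ["man", section, name] if section else ["man", name]


# Constructed sample URLs: two benign, the rest carrying shell or option metacharacters.
SAMPLE_URLS = ["x-man-page://ls", "x-man-page://3/printf", "x-man-page://ls;id",
               "x-man-page://ls%3Bid", "x-man-page://ls%7Cid", "x-man-page://-P"]


def triage(urls: List[str]) -> dict:
    """Map each URL to its man argv, or None when the filter rejects it."""
    return {u: man_argv(u) for u in urls}
```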
🔍 How to Verify
Check if Vulnerable:
Check iTerm2 version in Preferences > General > About. If version is earlier than 3.5.0beta12, you are vulnerable.
Check Version:
defaults read /Applications/iTerm.app/Contents/Info.plist CFBundleShortVersionString || echo 'Check in iTerm2 GUI: Preferences > General > About'
Verify Fix Applied:
After updating, verify version shows 3.5.0beta12 or later in Preferences > General > About.
📡 Detection & Monitoring
Log Indicators:
- Unusual process execution from iTerm2
- Suspicious command execution patterns following URL clicks
Network Indicators:
- Outbound connections to unusual destinations following URL interaction
SIEM Query:
process.name:iTerm2 AND process.cmdline:*man* AND (process.cmdline:*;* OR process.cmdline:*&* OR process.cmdline:*|*)