CVE-2024-55950 in Tabby

Summary

by MITRE • 12/27/2024

Tabby (formerly Terminus) is a highly configurable terminal emulator. Prior to 1.0.216, Tabby terminal emulator contains overly permissive entitlements that are unnecessary for its core functionality and plugin system, creating potential security vulnerabilities. The application currently holds powerful permissions including camera, microphone access, and the ability to access personal folders (Downloads, Documents, etc.) through Apple Events, while also maintaining dangerous entitlements that enable code injection. The concerning entitlements are com.apple.security.cs.allow-dyld-environment-variables and com.apple.security.cs.disable-library-validation. Since Tabby's plugins and themes are NodeJS-based without native libraries or frameworks, and no environment variables are used in the codebase, it is recommended to review and remove at least one of the entitlements (com.apple.security.cs.disable-library-validation or com.apple.security.cs.allow-dyld-environment-variables) to prevent DYLD_INSERT_LIBRARIES injection while maintaining full application functionality. This vulnerability is fixed in 1.0.216.


Analysis

by VulDB Data Team • 12/27/2024

The vulnerability identified as CVE-2024-55950 affects Tabby terminal emulator version 1.0.216 and earlier, representing a critical entitlement misconfiguration issue that exposes the application to potential code injection attacks. This security flaw stems from the application's overly permissive entitlements that grant unnecessary system-level privileges beyond what is required for normal operation. The vulnerability is particularly concerning because it allows the application to access sensitive system resources including camera and microphone capabilities through Apple Events, while simultaneously maintaining dangerous permissions that could enable malicious code execution. The presence of these excessive entitlements creates a significant attack surface that adversaries could exploit to compromise the affected system.

The technical flaw manifests through two primary dangerous entitlements: com.apple.security.cs.allow-dyld-environment-variables and com.apple.security.cs.disable-library-validation. These entitlements collectively enable the application to manipulate dynamic library loading mechanisms and environment variables, creating opportunities for malicious code injection through DYLD_INSERT_LIBRARIES techniques. According to CWE-255, this vulnerability falls under the category of "Credentials Management" and "Privilege Escalation" as the application possesses unnecessary elevated privileges that exceed its operational requirements. The ATT&CK framework classification would place this under T1059.007 for "Command and Scripting Interpreter: JavaScript" and potentially T1546.008 for "Exploitation for Privilege Escalation" given the code injection capabilities. The vulnerability is particularly dangerous because it allows for the loading of arbitrary dynamic libraries at runtime, which could be exploited by attackers to execute malicious code with the privileges of the Tabby application.

The operational impact of this vulnerability extends beyond simple privilege escalation as it creates persistent security risks for users who rely on Tabby for terminal operations. Users who install plugins or themes, which are NodeJS-based and do not require native libraries, are exposed to potential code injection attacks that could compromise their entire system. The vulnerability affects not only the core application but also its plugin ecosystem, which could be exploited to gain unauthorized access to personal folders such as Downloads and Documents through Apple Events. This exposure creates a significant risk for users who may unknowingly install malicious plugins or themes, as the application's excessive entitlements would allow such malicious code to execute with elevated privileges. The attack surface is particularly concerning for enterprise environments where terminal emulators are commonly used for administrative tasks and system management.

Mitigation strategies for this vulnerability should focus on entitlement review and removal of unnecessary permissions. The recommended approach involves removing either com.apple.security.cs.disable-library-validation or com.apple.security.cs.allow-dyld-environment-variables from the application's entitlements plist file, as both entitlements are unnecessary for Tabby's NodeJS-based plugin and theme system. This aligns with the principle of least privilege and follows Apple's security guidelines for application sandboxing. Organizations should immediately update to Tabby version 1.0.216 or later, which addresses this vulnerability through proper entitlement management. Additionally, security teams should conduct regular entitlement audits for all applications to ensure that unnecessary permissions are not granted. The fix implemented in version 1.0.216 demonstrates proper security hardening by eliminating the dangerous entitlements while maintaining full application functionality, as confirmed by the application's plugin system operating correctly without native library dependencies. This vulnerability serves as a reminder of the importance of regular security reviews and proper application sandboxing practices in preventing privilege escalation attacks.
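The entitlement audit described above can be automated. The following is an added example (not code from Tabby or from VulDB) that parses an entitlements plist, such as the output of `codesign -d --entitlements :- /path/to/App.app` on macOS, reports the two hardened-runtime keys the advisory names, and writes a hardened copy with one of them dropped. The sample plist embedded in it is constructed for the example and is not Tabby's real entitlements file; the camera, audio-input and apple-events keys are real entitlement keys included because the advisory says such permissions were granted. The check `dyld_injection_possible` encodes the reason the advisory says removing either key suffices: under the hardened runtime, DYLD_* variables are only honoured with `allow-dyld-environment-variables`, and a library not signed by the app's Team ID (or Apple) only loads with `disable-library-validation`, so arbitrary third-party injection needs both.

```python
"""Audit a macOS entitlements plist for the entitlement pair that permits
DYLD_INSERT_LIBRARIES injection, and emit a hardened copy with one key removed.
Added example; assumptions are noted inline."""
import plistlib
from typing import Any, Dict, List, Tuple

# Hardened-runtime keys named in the advisory (CVE-2024-55950).
ALLOW_DYLD_ENV = "com.apple.security.cs.allow-dyld-environment-variables"
DISABLE_LIB_VALIDATION = "com.apple.security.cs.disable-library-validation"

# Permission keys the advisory says were granted but are unnecessary for a
# terminal emulator whose plugins are pure NodeJS. Flagged for review, not
# removed automatically, because a reviewer must confirm they are unused.
REVIEW_KEYS = {
    "com.apple.security.device.camera": "camera access",
    "com.apple.security.device.audio-input": "microphone access",
    "com.apple.security.automation.apple-events": "Apple Events automation",
}

# Constructed sample for this example only; NOT Tabby's actual entitlements.
SAMPLE_ENTITLEMENTS = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>com.apple.security.cs.allow-dyld-environment-variables</key>
    <true/>
    <key>com.apple.security.cs.disable-library-validation</key>
    <true/>
    <key>com.apple.security.device.camera</key>
    <true/>
    <key>com.apple.security.device.audio-input</key>
    <true/>
    <key>com.apple.security.automation.apple-events</key>
    <true/>
</dict>
</plist>
"""


def load_entitlements(data: bytes) -> Dict[str, Any]:
    """Parse an XML or binary entitlements plist into a dict."""
    ents = plistlib.loads(data)
    if not isinstance(ents, dict):
        raise ValueError("entitlements plist must be a dictionary at top level")
    return ents


def dyld_injection_possible(ents: Dict[str, Any]) -> bool:
    """True only when BOTH keys are set: env vars honoured AND foreign dylibs
    allowed to load. Removing either one closes the DYLD_INSERT_LIBRARIES path
    for libraries not signed by the app's own Team ID (hardened runtime assumed)."""
    return bool(ents.get(ALLOW_DYLD_ENV)) and bool(ents.get(DISABLE_LIB_VALIDATION))


def audit(ents: Dict[str, Any]) -> List[Tuple[str, str, str]]:
    """Return (severity, key, reason) findings for an entitlements dict."""
    findings: List[Tuple[str, str, str]] = []
    for key in (ALLOW_DYLD_ENV, DISABLE_LIB_VALIDATION):
        if ents.get(key):
            findings.append(("high", key, "weakens hardened-runtime library loading"))
    if dyld_injection_possible(ents):
        findings.append(("critical", ALLOW_DYLD_ENV + "+" + DISABLE_LIB_VALIDATION,
                         "both set: unsigned library injection via DYLD_INSERT_LIBRARIES possible"))
    for key, what in REVIEW_KEYS.items():
        if ents.get(key):
            findings.append(("review", key, f"grants {what}; confirm core functionality needs it"))
    return findings


def harden(ents: Dict[str, Any], drop: Tuple[str, ...] = (DISABLE_LIB_VALIDATION,)) -> Dict[str, Any]:
    """Return a copy with the given keys removed (default: the advisory's first suggestion)."""
    return {k: v for k, v in ents.items() if k not in drop}


def to_plist(ents: Dict[str, Any]) -> bytes:
    """Serialise back to XML so it can be fed to codesign --entitlements."""
    return plistlib.dumps(ents, fmt=plistlib.FMT_XML, sort_keys=True)


if __name__ == "__main__":
    ents = load_entitlements(SAMPLE_ENTITLEMENTS)
    for sev, key, why in audit(ents):
        print(f"[{sev}] {key}: {why}")
    print(to_plist(harden(ents)).decode())
```

To audit a real bundle, replace `SAMPLE_ENTITLEMENTS` with the bytes produced by `codesign -d --entitlements :- /Applications/Tabby.app`; the hardened plist can then be supplied to `codesign --entitlements` when re-signing a build you control.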

Responsible: GitHub M

Reservation: 12/13/2024

Disclosure: 12/27/2024

Moderation: accepted

CPE: ready

EPSS: 0.00103

KEV: no

Activities: very low
