Announced 25 February 2021

CVSS 3.1 Score: 9.8 (Critical)

A remote command execution (RCE) vulnerability affects the following IGEL products:

  • IGEL OS 11
  • IGEL OS 10

Details

An external penetration test has found that the TLS connector service used in IGEL OS for secure shadowing and secure terminal is vulnerable to command injection. This vulnerability enables remote command execution in IGEL OS.

Update Instructions

  • IGEL OS 11: Update to IGEL OS 11.04.270 or newer.
  • IGEL OS 11.03.* branch: Update to version 11.03.620 or newer.
  • IGEL OS 10: Upgrade to IGEL OS 10.06.220 or newer.
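
The version thresholds above can be checked across a device inventory. The following is an added example, not IGEL code: the hostnames and version strings are constructed, and it assumes versions are dotted numeric strings of which only the first three fields matter.

```python
# Added example: triage IGEL OS versions against the fixed releases in this advisory.
FIXED_11 = (11, 4, 270)      # IGEL OS 11
FIXED_11_03 = (11, 3, 620)   # IGEL OS 11.03.* branch
FIXED_10 = (10, 6, 220)      # IGEL OS 10


def parse_version(text):
    """Return the first three numeric fields, e.g. '11.04.270' -> (11, 4, 270)."""
    parts = text.strip().split(".")
    if len(parts) < 3 or not all(p.isascii() and p.isdigit() for p in parts[:3]):
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(p) for p in parts[:3])


def classify(version_text):
    """Return 'fixed', 'needs-update', 'not-listed' or 'unparseable'."""
    try:
        v = parse_version(version_text)
    except ValueError:
        return "unparseable"
    if v[0] == 11:
        # The 11.03.* branch has its own fixed build; every other 11.x build
        # is compared against 11.04.270.
        fixed = FIXED_11_03 if v[1] == 3 else FIXED_11
        return "fixed" if v >= fixed else "needs-update"
    if v[0] == 10:
        return "fixed" if v >= FIXED_10 else "needs-update"
    return "not-listed"  # the advisory names only IGEL OS 10 and 11


def triage(inventory):
    """Map hostname -> status for a {hostname: version} dict."""
    return {host: classify(ver) for host, ver in inventory.items()}


SAMPLE_INVENTORY = {  # constructed sample data
    "tc-001": "11.04.270",
    "tc-002": "11.04.100",
    "tc-003": "11.03.620",
    "tc-004": "11.03.580",
    "tc-005": "10.06.220",
    "tc-006": "10.05.700",
    "tc-007": "unknown",
}

if __name__ == "__main__":
    for host, status in sorted(triage(SAMPLE_INVENTORY).items()):
        print(f"{host}\t{SAMPLE_INVENTORY[host]}\t{status}")
```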

Mitigation

Disable secure shadowing (see Shadow). However, it is not advisable to use unencrypted shadowing instead.

Disable secure terminal (see Secure Terminal).