
ISN 2020-09: Command Execution from Start Menu

Announced 7 October 2020

Score: High

A local command execution security issue affects the start menu on:

  • IGEL OS 11 (11.04.xxx before 11.04.130)

Details

A component update has added a feature to the start menu that lets unprivileged users run any command that the “User” account is allowed to execute. This enables users to break out of the limited user interface, e.g. to start a local terminal or add a session.

Update Instructions

  • IGEL OS 11: Update to IGEL OS 11.04.130 or newer.

Mitigation

In IGEL Setup, go to User Interface > Desktop > Start Menu and set Start menu type to "Legacy". This removes command execution.
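To sort a device fleet against the affected range and the mitigation above, the following added example (not IGEL code) classifies inventory rows. The CSV layout, the column names, the device names, the "OTHER" setting value, and the optional fourth build component in the version string are assumptions; the sample rows are constructed.

```python
import csv
import io

FIXED = (11, 4, 130)  # first fixed release named in this advisory

# Constructed sample inventory; column names are hypothetical.
SAMPLE = """device,firmware,start_menu_type
kiosk-01,11.04.100.01,OTHER
kiosk-02,11.04.100.01,Legacy
kiosk-03,11.04.130.01,OTHER
kiosk-04,11.03.580.01,OTHER
kiosk-05,11.04.x,OTHER
"""

def parse_version(text):
    """Turn '11.04.130' or '11.04.130.01' into a tuple of ints; None if malformed."""
    parts = text.strip().split(".")
    if len(parts) < 3 or not all(p.isdigit() for p in parts):
        return None
    return tuple(int(p) for p in parts)

def triage(version_text, start_menu_type):
    """Classify one device against ISN 2020-09."""
    v = parse_version(version_text)
    if v is None:
        return "unknown"        # unparseable version: check the device by hand
    if v[:2] != (11, 4):
        return "outside-range"  # the advisory lists only 11.04.xxx
    if v[:3] >= FIXED:
        return "fixed"
    if start_menu_type.strip().lower() == "legacy":
        return "mitigated"      # workaround applied, update still pending
    return "affected"

def triage_inventory(csv_text):
    """Map device name -> status for every row of the inventory CSV."""
    rows = csv.DictReader(io.StringIO(csv_text))
    return {r["device"]: triage(r["firmware"], r["start_menu_type"]) for r in rows}

if __name__ == "__main__":
    for device, status in triage_inventory(SAMPLE).items():
        print(f"{device}: {status}")
```

Devices reported as "mitigated" still need the update to 11.04.130 or newer, and "unknown" rows need a manual check.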
