ISN 2020-09: Command Execution from Start Menu
Announced 7 October 2020
Score: High
A local command execution security issue affects the start menu on:
- IGEL OS 11 (11.04.xxx before 11.04.130)
Details
A component update has added a feature to the start menu that lets unprivileged users run any command that the “User” account is allowed to execute. This enables users to break out of the limited user interface, e.g. to start a local terminal or add a session.
Update Instructions
- IGEL OS 11: Update to IGEL OS 11.04.130 or newer.
Mitigation
In IGEL Setup, go to User Interface > Desktop > Start Menu and set Start menu type to "Legacy". This removes the command execution feature from the start menu.