ISN 2021-01: IGEL OS Remote Command Execution Vulnerability

Announced 25 February 2021

CVSS 3.1 Score: 9.8 (Critical)

A remote command execution (RCE) vulnerability affects the following IGEL products:

  • IGEL OS 11

  • IGEL OS 10

Details

An external penetration test has found that the TLS connector service used in IGEL OS for secure shadowing and secure terminal is vulnerable to command injection. This vulnerability enables remote command execution in IGEL OS.

Update Instructions

  • IGEL OS 11: Update to IGEL OS 11.04.270 or newer.

  • IGEL OS 11.03.* branch: Update to version 11.03.620 or newer.

  • IGEL OS 10: Upgrade to IGEL OS 10.06.220 or newer.
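To apply these thresholds to a device inventory, the following added example (not IGEL's own code) classifies firmware version strings against the fixed builds listed above. The function names, the sample inventory and the handling of an optional fourth version component are assumptions made for illustration.

```python
import re

# Fixed builds, taken from the Update Instructions in this advisory.
FIXED_11 = (11, 4, 270)      # IGEL OS 11
FIXED_11_03 = (11, 3, 620)   # IGEL OS 11.03.* branch
FIXED_10 = (10, 6, 220)      # IGEL OS 10

# Assumption: versions look like "11.04.270"; an optional fourth
# numeric component (e.g. "11.04.270.01") is accepted and ignored.
_VERSION = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:\.\d+)?")

def parse_version(text):
    match = _VERSION.fullmatch(text.strip())
    if match is None:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(part) for part in match.groups())

def update_status(version):
    """Return 'fixed', 'needs_update' or 'not_covered' for one version."""
    v = parse_version(version)
    if v[:2] == (11, 3):
        return "fixed" if v >= FIXED_11_03 else "needs_update"
    if v[0] == 11:
        return "fixed" if v >= FIXED_11 else "needs_update"
    if v[0] == 10:
        return "fixed" if v >= FIXED_10 else "needs_update"
    return "not_covered"  # the advisory lists only IGEL OS 10 and 11

def triage(inventory):
    """Map each device name to its status; bad strings become 'unparseable'."""
    result = {}
    for device, version in inventory.items():
        try:
            result[device] = update_status(version)
        except ValueError:
            result[device] = "unparseable"
    return result

# Constructed sample inventory (device names and versions are made up).
SAMPLE_INVENTORY = {
    "tc-lobby-01": "11.04.240",
    "tc-ward-07": "11.03.620",
    "tc-lab-03": "10.05.800",
    "tc-lab-04": "unknown",
}

if __name__ == "__main__":
    for device, status in sorted(triage(SAMPLE_INVENTORY).items()):
        print(f"{device}: {status}")
```

Devices reported as `needs_update` that cannot be updated immediately are candidates for the mitigation below.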

Mitigation

Disable secure shadowing; see the IGEL OS Reference Manual (11.09.310-en): System > Remote Access > Shadow Settings in IGEL OS. However, it is not advisable to use unencrypted shadowing instead.

Disable secure terminal; see the IGEL OS Reference Manual (11.09.310-en): System > Remote Access > Secure Terminal.