Skip to main content
Skip table of contents

ISN 2023-38: X.org Vulnerabilities

Updated 22 January 2024 (fixed versions)

First published 19 December 2023

CVSS 3.1: 7.8 (High)

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Summary

Security vulnerabilities have been discovered in the X.org graphics system used in IGEL OS. This affects the following IGEL products:

  • IGEL OS 12

  • IGEL OS 11

Details

A flaw was found in xorg-server. Querying or changing XKB button actions such as moving from a touchpad to a mouse can result in out-of-bounds memory reads and writes. This may allow local privilege escalation or possible remote code execution (RCE) in cases where X11 forwarding is involved. This is tracked as CVE-2023-6377 and rated as high.

Additionally, a specially crafted request to RRChangeProviderProperty or RRChangeOutputProperty can trigger an integer overflow which may lead to a disclosure of sensitive information (CVE-2023-6478, high).

Mitigation

Remote code execution can be mitigated by disabling X11 forwarding over SSH (see instructions below). However, this does not fix the local threats.

  • OS 12: Disable X11 forwarding in Setup under System > Remote Access > SSH Access, if the SSH services is active – by default this service is disabled.

  • OS 11: Disable X11 forwarding, see IGEL OS 11.10 > IGEL OS Articles > Security > Securing IGEL OS Endpoints > Configuring Remote Access and Management > Disabling X11 Forwarding.

Update Instructions

  • OS 12: Update to OS 12 base system version 12.3.1 (planned for 6 February) or newer.

  • OS 11: Update to IGEL OS version 11.09.210 or newer.

References

JavaScript errors detected

Please note, these errors can depend on your browser setup.

If this problem persists, please contact our support.