ISN 2023-38: X.org Vulnerabilities
Updated 22 January 2024 (fixed versions)
First published 19 December 2023
CVSS 3.1: 7.8 (High)
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Summary
Security vulnerabilities have been discovered in the X.org graphics system used in IGEL OS. This affects the following IGEL products:
IGEL OS 12
IGEL OS 11
Details
A flaw was found in xorg-server. Querying or changing XKB button actions such as moving from a touchpad to a mouse can result in out-of-bounds memory reads and writes. This may allow local privilege escalation or possible remote code execution (RCE) in cases where X11 forwarding is involved. This is tracked as CVE-2023-6377 and rated as high.
Additionally, a specially crafted request to RRChangeProviderProperty or RRChangeOutputProperty can trigger an integer overflow which may lead to a disclosure of sensitive information (CVE-2023-6478, high).
Mitigation
The remote code execution path of CVE-2023-6377 can be mitigated by disabling X11 forwarding over SSH (see instructions below), as that is the only remote vector described above. This does not address the local attack vectors of either CVE; the updates listed below are required for those.
OS 12: Disable X11 forwarding in Setup under System > Remote Access > SSH Access if the SSH service is active (the service is disabled by default).
OS 11: Disable X11 forwarding, see IGEL OS 11.10 > IGEL OS Articles > Security > Securing IGEL OS Endpoints > Configuring Remote Access and Management > Disabling X11 Forwarding.
Update Instructions
OS 12: Update to OS 12 base system version 12.3.1 (planned for 6 February) or newer.
OS 11: Update to IGEL OS version 11.09.210 or newer.
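The script below is an added example, not part of this notice and not IGEL tooling. It gives a practitioner two checks that follow from the mitigation and update instructions above: whether the SSH server's effective configuration still allows X11 forwarding, and whether an IGEL OS version string is at or beyond the fixed release for its major version. It assumes the endpoint's SSH server is OpenSSH, whose `sshd -T` (run as root) prints the effective settings as lowercase keyword/value lines such as `x11forwarding yes`, and a POSIX shell. The `sshd -T` output embedded in the script is constructed for the demonstration, not captured from a device.

```shell
#!/bin/sh
# Added example (not IGEL's code). Assumes OpenSSH's `sshd -T` output format
# and the fixed IGEL OS versions named in ISN 2023-38.

# Drop leading zeros so a component like "09" is never parsed as octal.
strip_zeros() {
    v="$1"
    while [ "${#v}" -gt 1 ] && [ "${v#0}" != "$v" ]; do
        v="${v#0}"
    done
    printf '%s' "${v:-0}"
}

# version_ge A B: succeeds when dotted version A >= B, comparing numerically
# component by component, so 11.10.100 > 11.09.210 and 12.3 < 12.3.1.
# A missing component counts as 0; any non-digit suffix is ignored.
version_ge() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai="${a%%.*}"; bi="${b%%.*}"
        if [ "$a" = "$ai" ]; then a=""; else a="${a#*.}"; fi
        if [ "$b" = "$bi" ]; then b=""; else b="${b#*.}"; fi
        ai="${ai%%[!0-9]*}"; bi="${bi%%[!0-9]*}"
        ai=$(strip_zeros "$ai"); bi=$(strip_zeros "$bi")
        if [ "$ai" -gt "$bi" ]; then return 0; fi
        if [ "$ai" -lt "$bi" ]; then return 1; fi
    done
    return 0
}

# os_patch_state MAJOR VERSION: prints "patched" when VERSION of IGEL OS MAJOR
# (11 or 12) is at or beyond the fixed release from this notice, else
# "unpatched"; "unknown" for a major version the notice does not cover.
os_patch_state() {
    case "$1" in
        11) fixed="11.09.210" ;;
        12) fixed="12.3.1" ;;
        *)  printf 'unknown\n'; return 0 ;;
    esac
    if version_ge "$2" "$fixed"; then
        printf 'patched\n'
    else
        printf 'unpatched\n'
    fi
}

# x11_forwarding_state SSHD_T_OUTPUT: prints "enabled" or "disabled".
# An absent x11forwarding line means the OpenSSH default, which is "no".
x11_forwarding_state() {
    if printf '%s\n' "$1" | grep -qiE '^x11forwarding[[:space:]]+yes[[:space:]]*$'; then
        printf 'enabled\n'
    else
        printf 'disabled\n'
    fi
}

# Constructed sample of `sshd -T` output for the demonstration (not from a device).
SAMPLE_SSHD_T='port 22
permitrootlogin no
x11forwarding yes
x11displayoffset 10'

printf 'sample sshd config: X11 forwarding %s\n' "$(x11_forwarding_state "$SAMPLE_SSHD_T")"
printf 'IGEL OS 11 at 11.09.200: %s\n' "$(os_patch_state 11 11.09.200)"
printf 'IGEL OS 11 at 11.09.210: %s\n' "$(os_patch_state 11 11.09.210)"
printf 'IGEL OS 12 at 12.3.1:    %s\n' "$(os_patch_state 12 12.3.1)"
```

On a live endpoint, the forwarding check is `x11_forwarding_state "$(sshd -T 2>/dev/null)"` run as root; `sshd -T` reports the effective value after all Match blocks and includes are resolved, which is what matters when Setup writes the SSH configuration for you. Note that "disabled" only closes the forwarded-client path; a local user can still reach the X server, so the version check is the one that decides whether the device is actually fixed.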
References
CVE-2023-6377: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-6377
CVE-2023-6478: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-6478