
ISN 2024-02: X.org Vulnerabilities

First published 31 January 2024

CVSS 3.1: 7.8 (High)

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Summary

Multiple security vulnerabilities have been found in the X.org display system used in IGEL OS. This affects the following IGEL products:

  • IGEL OS 12

  • IGEL OS 11

Details

It has been discovered that the X Server mishandled memory when processing the DeviceFocusEvent and ProcXIQueryPointer requests (CVE-2023-6816). This could cause the X server to crash, disclose sensitive information, or allow the execution of arbitrary code. This issue is rated as high. The server may also handle reattaching a device to a different master device incorrectly, potentially leading to a crash or code execution (CVE-2024-0229, high).

Mitigation

To prevent these vulnerabilities from being exploited remotely, disable X11 forwarding over SSH (see instructions below). However, this does not defend against local threats.

  • IGEL OS 12: In the Profile Configurator or the Device Configurator, go to System > Remote Access > SSH Access and make sure that Permit X11 forwarding is disabled. By default, this service is disabled. Please note that X11 forwarding, like the other SSH access settings, is only effective if the Enable parameter is activated.

  • IGEL OS 11: Disable X11 forwarding, see IGEL OS 11.10 > IGEL OS Articles > Security > Securing IGEL OS Endpoints > Configuring Remote Access and Management > Disabling X11 Forwarding.

Additionally, leave TCP connections for X11 disabled:

  • IGEL OS 12: Leave User Interface > Display Settings > Access Control > Disable TCP connections as it is or reset it to default.

  • IGEL OS 11: Leave User Interface > Display > Access Control > Disable TCP connections as it is or reset it to default.
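The two mitigations above are set through the IGEL configurators, but an administrator auditing many endpoints usually wants a command-line check of the resulting state. The following POSIX shell script is an added example, not IGEL's own tooling, and it assumes the underlying SSH server is OpenSSH (directive X11Forwarding in sshd_config) and that the X server is started with the standard Xorg -nolisten tcp / -listen tcp flags; the file path and the process name used in the trailing comment are assumptions, and the sample configurations are constructed inline so the script runs stand-alone.

```shell
#!/bin/sh
# Added audit example (not IGEL code): report whether SSH X11 forwarding and
# X11 TCP listening are disabled, the two mitigations the advisory describes.
# Assumptions: OpenSSH sshd_config syntax; Xorg-style -nolisten/-listen flags.

# x11_forwarding_state FILE
# Prints "enabled" if the first effective X11Forwarding directive in an
# sshd_config is "yes", otherwise "disabled" (OpenSSH's default is no).
# Comments are stripped first; Match blocks are not evaluated, so for the
# fully resolved configuration on a live host prefer `sshd -T`.
x11_forwarding_state() {
    val=$(sed 's/#.*//' "$1" |
          awk 'tolower($1) == "x11forwarding" { print tolower($2); exit }')
    if [ "$val" = "yes" ]; then
        echo enabled
    else
        echo disabled
    fi
}

# x_tcp_state CMDLINE
# Given an X server command line, prints "disabled" when -nolisten tcp is
# present, "enabled" when -listen tcp is present, and "default" when neither
# flag appears (the outcome then depends on the server build's default).
x_tcp_state() {
    case " $1 " in
        *" -nolisten tcp "*) echo disabled ;;
        *" -listen tcp "*)   echo enabled ;;
        *)                   echo default ;;
    esac
}

# Constructed sample configurations: one weak, one hardened.
WEAK_CFG=$(mktemp)
printf '%s\n' 'Port 22' '# X11Forwarding no' 'X11Forwarding yes' > "$WEAK_CFG"
HARD_CFG=$(mktemp)
printf '%s\n' 'Port 22' 'X11Forwarding no' > "$HARD_CFG"

echo "weak sshd_config:      X11 forwarding $(x11_forwarding_state "$WEAK_CFG")"
echo "hardened sshd_config:  X11 forwarding $(x11_forwarding_state "$HARD_CFG")"
echo "X with -nolisten tcp:  TCP listening $(x_tcp_state '/usr/bin/X :0 -nolisten tcp vt7')"
echo "X with -listen tcp:    TCP listening $(x_tcp_state '/usr/bin/X :0 -listen tcp vt7')"
echo "X with neither flag:   TCP listening $(x_tcp_state '/usr/bin/X :0 vt7')"

# On a live host (paths and process name assumed, adjust for the system):
#   x11_forwarding_state /etc/ssh/sshd_config
#   x_tcp_state "$(ps -o args= -C X | head -n 1)"
rm -f "$WEAK_CFG" "$HARD_CFG"
```

A result of "disabled" for both checks matches the hardened state the advisory asks for; anything else on an endpoint that still lacks the updated release is worth following up, since the SSH mitigation only removes the remote path and does not protect against a local attacker.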

Update Instructions

  • IGEL OS 12: IGEL is preparing an updated IGEL OS 12 Base System app.

  • IGEL OS 11: IGEL is preparing an updated IGEL OS 11 release.

References
