Updated 29 October 2021 (alternative mitigation for CVE-2020-15778)

Updated 23 September 2021 (IGEL OS 11.06.100 is now available)

First published 2 August 2021

CVSS 3.1 Base Score: 7.8 (High)

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Summary

Three security vulnerabilities in OpenSSH affect the following IGEL products:

  • IGEL OS 11
  • IGEL OS 10

Details

The scp command in OpenSSH through 8.3p1 allows command injection in the toremote function of scp.c, as demonstrated by backtick characters in the destination argument (CVE-2020-15778). This allows scp users to execute commands on the remote system. Note: The vendor reportedly has stated that they intentionally omit validation of "anomalous argument transfers" because that could "stand a great chance of breaking existing workflows." This vulnerability is rated with a CVSS 3.1 Base Score of 7.8 (High).

The ssh-agent in OpenSSH before 8.5 has a double free (CVE-2021-28041) that may be relevant in a few less common scenarios, such as unconstrained agent-socket access on a legacy operating system (does not apply to IGEL OS), or the forwarding of an agent to an attacker-controlled host. This vulnerability is rated with a CVSS 3.1 Base Score of 7.1 (High). Also, the client side in OpenSSH 5.7 through 8.4 has an Observable Discrepancy leading to an information leak in the algorithm negotiation (CVE-2020-14145). This allows man-in-the-middle attackers to target initial connection attempts (where no host key for the server has been cached by the client). Note: Some reports state that 8.5 and 8.6 are also affected. This vulnerability is rated with a CVSS 3.1 Base Score of 4.3 (Medium).

Update Instructions

CVE-2021-28041 is fixed in IGEL OS 11.06.100.

There are no updates yet for the other two issues.

Mitigation

  • The first option for CVE-2020-15778: Unless you explicitly need the OpenSSH server on IGEL OS, disable it. It is not needed for the management of IGEL OS endpoints via UMS or ICG.
    1. In IGEL Setup, go to System > Remote Access > SSH Access.
    2. Uncheck the Enable checkbox.
    3. Click Apply.
    4. Reboot the system.
  • The second option for CVE-2020-15778: If you use the SSH server on IGEL OS for executing commands remotely, restrict which commands may be executed via the ssh and scp commands:
    1. In IGEL Setup, go to System > Remote Access > SSH Access.
    2. Under User access, make sure that user is set to Deny.
    3. Make sure that ruser is not denied access, and use ruser for ssh access.
    4. Under Applications access for remote user ‘ruser’, add a command line with the full Linux path of the command you want to allow. Do this for every command you want to execute via ssh.
    5. Click Apply.
    6. Reboot the system.
  • For CVE-2020-14145: If you offer an SSH client session to your IGEL OS users, instruct them to check the remote host key fingerprint on the first connect. Supply them with the correct fingerprint for comparison.
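The second mitigation above works by allowlisting full command paths so that an unquoted scp destination can never reach a shell. The following is an added illustration of that principle as an SSH forced-command wrapper; it is not IGEL OS's own implementation, and the allowlisted path /usr/bin/scp and the SCP_FLAGS set are assumptions for this example.

```python
import os
import re
import shlex
import subprocess

# Allowlist of full command paths a remote user may run. The path here is
# constructed for this illustration and is not IGEL OS's own configuration.
ALLOWED_COMMANDS = {"/usr/bin/scp"}

# Characters a remote shell would interpret in an unquoted scp destination,
# e.g. `...` or $(...) (CVE-2020-15778). Rejected before any parsing.
SHELL_META = re.compile(r"[`$;&|<>(){}\n\\]")

# Server-side scp options this wrapper tolerates (assumed set for the example).
SCP_FLAGS = {"-t", "-f", "-r", "-p", "-d", "-v"}

def check_original_command(cmd):
    """Return argv to exec for a permitted command, or None to refuse it.

    cmd is the raw SSH_ORIGINAL_COMMAND string the server hands a forced
    command; it is parsed here and never passed to a shell.
    """
    if not cmd or SHELL_META.search(cmd):
        return None
    try:
        argv = shlex.split(cmd)
    except ValueError:  # unbalanced quotes
        return None
    if not argv or argv[0] not in ALLOWED_COMMANDS:
        return None
    if os.path.basename(argv[0]) == "scp":
        flags, path = argv[1:-1], argv[-1]
        # Server-side scp runs as exactly one of -t (receive) or -f (send).
        if not set(flags) <= SCP_FLAGS or len({"-t", "-f"} & set(flags)) != 1:
            return None
        # Only absolute paths without traversal components.
        if not path.startswith("/") or ".." in path.split("/"):
            return None
    return argv

def run_forced_command():
    """Entry point when used as command="..." in authorized_keys; execs the
    allowlisted argv directly, without a shell."""
    argv = check_original_command(os.environ.get("SSH_ORIGINAL_COMMAND", ""))
    if argv is None:
        raise SystemExit("command refused")
    subprocess.run(argv, check=False)
```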

References