Updated 28 August 2023 (OS 11 fix version)

First published 26 July 2023

CVSS 3.1: 7.3 (High)

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

Summary

A vulnerability has been discovered in OpenSSH, the SSH client and server suite shipped with IGEL OS. It affects the following IGEL products:

  • IGEL OS 12
  • IGEL OS 11

Details

The PKCS#11 support in the ssh-agent command of OpenSSH loads provider libraries from an insufficiently restricted search path. An attacker who controls a system to which the agent has been forwarded can make the agent load specific shared libraries present on the victim system, and the side effects of loading them can be abused to achieve Remote Code Execution (RCE). This vulnerability (CVE-2023-38408, fixed upstream in OpenSSH 9.3p2) has been rated as high. Exploitation requires both the presence of specific libraries on the victim system and that the agent has been forwarded to an attacker-controlled system. IGEL OS does not forward the agent by default, but customers could do so in a custom command or script.

Mitigation

  • Most customers do not use ssh-agent on IGEL OS at all. Where the agent is never forwarded to another system, the issue cannot be exploited remotely.
  • For those that use ssh-agent: According to the OpenSSH project, exploitation can be prevented by starting ssh-agent with an empty PKCS#11/FIDO provider allowlist (ssh-agent -P '') or with an allowlist that names only the specific provider libraries that are actually needed.
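The allowlist is enforced inside ssh-agent when it receives an "add smartcard key" request, so it also covers requests that arrive through a forwarded socket on the remote side, which is exactly the path the attack uses. The following POSIX shell script is an added example for this advisory, not IGEL's or OpenSSH's own code: it shows the two recommended ways of starting the agent and audits every running ssh-agent on the endpoint by reading its /proc/<pid>/cmdline to see whether it was started with an empty, an explicit, or no allowlist at all. The provider library path and the socket path in the comments are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example (not part of the IGEL advisory or of OpenSSH): audit ssh-agent
# processes for the PKCS#11/FIDO provider allowlist recommended against
# CVE-2023-38408.
#
# Recommended ways to start the agent in a custom command or script:
#   eval "$(ssh-agent -P '')"     # refuse every provider library
#   eval "$(ssh-agent -P /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so)"  # (assumed path)
# Afterwards "ssh-add -s /some/other/provider.so" must be refused by the agent,
# even when the request comes in over a forwarded agent socket.

# Report the allowlist state of one ssh-agent from its /proc/<pid>/cmdline
# (argv separated by NUL bytes). Prints one of:
#   default  no -P given: the built-in allowlist /usr/lib*/*,/usr/local/lib*/* applies
#   empty    -P '' given: every provider is refused
#   <list>   the explicit allowlist passed to -P
# Takes the file path as an argument so it can be run on a saved or constructed
# cmdline file as well as on a live process.
agent_allowlist_state() {
    cmdline_file=$1
    # Command substitution drops trailing newlines, so an empty allowlist that is
    # the last argument shows up as "-P" being the final token (handled below).
    args=$(tr '\000' '\n' < "$cmdline_file")
    state=default
    prev=""
    while IFS= read -r arg; do
        if [ "$prev" = "-P" ]; then
            if [ -z "$arg" ]; then state=empty; else state=$arg; fi
        else
            case $arg in
                -P?*) state=${arg#-P} ;;   # getopt also accepts the value attached: -P/path
            esac
        fi
        prev=$arg
    done <<EOF
$args
EOF
    if [ "$prev" = "-P" ]; then state=empty; fi
    printf '%s\n' "$state"
}

# Walk every process on the system and print "<pid> <state>" for each ssh-agent.
# Lines reading "<pid> default" are agents still exposed to the default search path.
audit_running_agents() {
    for f in /proc/[0-9]*/cmdline; do
        pid=${f#/proc/}
        pid=${pid%/cmdline}
        # argv[0] is the program; match on its basename so /usr/bin/ssh-agent counts too
        name=$(tr '\000' '\n' < "$f" 2>/dev/null | head -n 1)
        case ${name##*/} in
            ssh-agent) printf '%s %s\n' "$pid" "$(agent_allowlist_state "$f")" ;;
        esac
    done
}

# Run the audit only when invoked as:  sh agent_audit.sh --audit
if [ "${1:-}" = "--audit" ]; then
    audit_running_agents
fi
```

Run it with `--audit` on an endpoint where a custom script starts ssh-agent; any line ending in `default` identifies an agent that was started without `-P` and should be restarted with an empty or explicit allowlist.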

Update Instructions

  • OS 12: Update the IGEL OS Base System app to version 12.02.100 (available in September 2023)
  • OS 11: Update to the IGEL OS version 11.08.440.

References