Skip to main content
Skip table of contents

ISN 2023-14: IGEL OS OpenSSH Vulnerability

Updated 28 August 2023 (OS 11 fix version)

First published 26 July 2023

CVSS 3.1: 7.3 (High)

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

Summary

A vulnerability has been discovered in OpenSSH, a remote shell used in IGEL OS. This affects the following IGEL products:

  • IGEL OS 12
  • IGEL OS 11

Details

It has been found that specific libraries loaded via the PKCS#11 support in the ssh-agent command in OpenSSH could be abused by an attacker to achieve Remote Code Execution (RCE). This vulnerability (CVE-2023-38408) has been rated as high. The exploitation requires the presence of specific libraries on the victim system, and that the agent was forwarded to an attacker-controlled system. This is not done by default in IGEL OS, but customers could do this in a custom command or script.

Mitigation

  • Customers usually do not utilize ssh-agent on IGEL OS.
  • For those that use ssh-agent: According to the OpenSSH project, exploitation can be prevented by starting ssh-agent with an empty PKCS#11/FIDO allowlist (ssh-agent -P '') or by configuring an allowlist that contains only specific provider libraries.

Update Instructions

  • OS 12: Update the IGEL OS Base System app to version 12.02.100 (available in September 2023)
  • OS 11: Update to the IGEL OS version 11.08.440.

References

JavaScript errors detected

Please note, these errors can depend on your browser setup.

If this problem persists, please contact our support.