Security vulnerabilities have been discovered in the X.org graphics system used in IGEL OS. This affects the following IGEL products:
IGEL OS 12
IGEL OS 11
Details
A flaw was found in xorg-server. Querying or changing XKB button actions such as moving from a touchpad to a mouse can result in out-of-bounds memory reads and writes. This may allow local privilege escalation or possible remote code execution (RCE) in cases where X11 forwarding is involved. This is tracked as CVE-2023-6377 and rated as high.
Additionally, a specially crafted request to RRChangeProviderProperty or RRChangeOutputProperty can trigger an integer overflow which may lead to a disclosure of sensitive information (CVE-2023-6478, high).
Mitigation
Remote code execution can be mitigated by disabling X11 forwarding over SSH (see instructions below). However, this does not fix the local threats.
OS 12: Disable X11 forwarding in Setup under System > Remote Access > SSH Access, if the SSH service is active (by default this service is disabled).
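Added example, not part of the IGEL advisory: a small audit script that reads an OpenSSH-style sshd_config and reports the effective global X11Forwarding value, so the mitigation above can be verified on a device where that file is readable. It assumes OpenSSH semantics (first occurrence of a keyword wins, keywords are case-insensitive, compiled-in default is "no") and the sample config it checks is constructed for the demo.

```shell
#!/bin/sh
# Added example (not IGEL's own tooling). Report whether an OpenSSH-style
# sshd_config still leaves X11 forwarding enabled.
# Assumed OpenSSH semantics: keywords are case-insensitive, "Key value"
# and "Key=value" forms are both accepted, the FIRST occurrence of a keyword
# wins, and the compiled-in default for X11Forwarding is "no".
# Directives inside Match blocks are skipped, so a Match block that
# re-enables X11 forwarding for some users is deliberately not evaluated.

x11_forwarding_state() {
    # Print "yes" or "no": the effective global X11Forwarding value in file $1.
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }          # comment and blank lines
        { gsub(/=/, " ") }                         # normalise "Key=value" form
        tolower($1) == "match" { inmatch = 1 }     # a Match block begins here
        inmatch { next }                           # everything after Match is conditional
        tolower($1) == "x11forwarding" && !found { val = tolower($2); found = 1 }
        END { print (found ? val : "no") }
    ' "$1"
}

x11_forwarding_enabled() {
    # Exit status 0 when X11 forwarding is effectively enabled in file $1.
    [ "$(x11_forwarding_state "$1")" = "yes" ]
}

# Constructed sample config for the demonstration: the second directive is
# ignored by OpenSSH because the first occurrence wins.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# constructed sshd_config for the demo
Port 22
X11Forwarding yes
X11Forwarding no
Match User kiosk
    X11Forwarding no
EOF

if x11_forwarding_enabled "$sample"; then
    echo "X11Forwarding is effectively ENABLED: mitigation not applied"
else
    echo "X11Forwarding is effectively disabled"
fi
rm -f "$sample"
```

Run it against the real configuration path on the device (an assumption, typically /etc/ssh/sshd_config on OpenSSH systems) after applying the Setup change to confirm the result is "no".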