First published 5 February 2024

CVSS 3.1: 5.9 (Medium)

CVSS:3.1/AV:N/AC:H/PR:N/S:U/C:N/I:H/A:N

Summary

A security vulnerability has been discovered in secure shell (SSH), which is used in IGEL OS. This affects the following IGEL products:

  • IGEL OS 12
  • IGEL OS 11

Details

A vulnerability has been found in the SSH protocol that weakens the secure channel, so that messages could be removed during transmission.

However, an attack is only possible if the attacker can intercept and modify the SSH traffic (man-in-the-middle position) and if the connection uses either ChaCha20-Poly1305 or a CBC cipher with Encrypt-then-MAC (CVE-2023-48795).
This is why this vulnerability is rated as medium.

It affects the OpenSSH server as well as the client.
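The two cipher conditions named above can be checked against a server's effective configuration. The following is an added example (not part of this advisory or of IGEL OS) that parses `sshd -T` style output, which is constructed here rather than captured from a real host, and reports the combinations that CVE-2023-48795 depends on, together with a Ciphers line that omits them.

```python
# Constructed sample of `sshd -T` output (effective server configuration);
# not captured from a real IGEL OS host.
SAMPLE_SSHD_T = """\
port 22
ciphers chacha20-poly1305@openssh.com,aes128-ctr,aes256-gcm@openssh.com,aes256-cbc
macs umac-64-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512
kexalgorithms curve25519-sha256,diffie-hellman-group14-sha256
"""

CHACHA = "chacha20-poly1305@openssh.com"


def parse_sshd_t(text):
    """Map each `sshd -T` keyword (lower-cased) to its value string."""
    cfg = {}
    for line in text.splitlines():
        parts = line.strip().split(None, 1)
        if len(parts) == 2:
            cfg[parts[0].lower()] = parts[1]
    return cfg


def _split(cfg, key):
    return [v.strip() for v in cfg.get(key, "").split(",") if v.strip()]


def terrapin_exposed_modes(text):
    """Return the CVE-2023-48795 relevant combinations the server accepts:
    ChaCha20-Poly1305, or any CBC cipher paired with an EtM MAC."""
    cfg = parse_sshd_t(text)
    ciphers, macs = _split(cfg, "ciphers"), _split(cfg, "macs")
    findings = []
    if CHACHA in ciphers:
        findings.append(CHACHA)
    cbc = [c for c in ciphers if c.endswith("-cbc")]
    etm = [m for m in macs if m.endswith("-etm@openssh.com")]
    if cbc and etm:  # EtM is only a problem together with a CBC cipher
        findings.append("CBC ciphers %s with EtM MACs %s" % (cbc, etm))
    return findings


def hardened_ciphers_line(text):
    """Ciphers line with ChaCha20-Poly1305 and all CBC modes removed."""
    keep = [c for c in _split(parse_sshd_t(text), "ciphers")
            if c != CHACHA and not c.endswith("-cbc")]
    return "Ciphers " + ",".join(keep)


if __name__ == "__main__":
    for f in terrapin_exposed_modes(SAMPLE_SSHD_T):
        print("exposed:", f)
    print(hardened_ciphers_line(SAMPLE_SSHD_T))
```

Restricting ciphers this way only matters while one side still runs OpenSSH older than 9.6p1; once both peers are at 9.6p1 or newer they negotiate strict KEX and the cipher choice no longer decides exposure.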

Mitigation

OS 12

  • The OpenSSH server in OS 12 is not activated by default. SSH is not necessary for managing IGEL OS, so unless you have another use case you can leave it deactivated.
  • If you use OS 12 base system version 12.3.1, you have the latest OpenSSH 9.6p1. When the peer also runs this version or newer, both sides automatically negotiate the new "strict KEX" protocol extension.

OS 11

  • The OpenSSH server in OS 11 is active by default, but SSH is not necessary for managing IGEL OS. Unless you have another use case, deactivate it.
  • If you use IGEL OS 11.09.210, you have the latest OpenSSH 9.6p1. When the peer also runs this version or newer, both sides automatically negotiate the new "strict KEX" protocol extension.

Update Instructions

  • OS 12: Update to OS 12 base system version 12.3.1 or newer, which has OpenSSH version 9.6p1.
  • OS 11: Update to IGEL OS version 11.09.210 or newer, which has OpenSSH version 9.6p1.

References