First published 31 January 2024

CVSS 3.1: 7.8 (High)

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Summary

Two security vulnerabilities have been found in the X.org X server used in IGEL OS. This affects the following IGEL products:

  • IGEL OS 12
  • IGEL OS 11

Details

The X server incorrectly handled memory when processing the DeviceFocusEvent and XI2 ProcXIQueryPointer requests (CVE-2023-6816, a heap buffer overflow). A local user or process that can talk to the X server could use this to crash the server, read sensitive information from its memory, or execute arbitrary code with the privileges of the X server process. This is rated high. The server also handled reattaching a device to a different master device incorrectly, resulting in an out-of-bounds memory access that can likewise crash the server or lead to code execution (CVE-2024-0229, rated high). Both issues match the CVSS vector above: they require local access to the X server (AV:L) and low privileges (PR:L), but no user interaction.

Mitigation

Both issues can only be triggered by a client that can reach the X server. Disabling X11 forwarding over SSH (see instructions below) removes the main way an SSH user on another host could reach the device's X server, so it blocks the remote path. It does not protect against a local user or a process already running on the device, which can still connect to the X server; only the update removes the flaw.

  • IGEL OS 12: In the Profile Configurator or the Device Configurator, go to System > Remote Access > SSH Access and make sure that Permit X11 forwarding is disabled. By default, this service is disabled. Please note that X11 forwarding, like the other SSH access settings, only takes effect if the Enable parameter is activated; if SSH access as a whole is disabled, no X11 forwarding is possible.
  • IGEL OS 11: Disable X11 forwarding, see Disabling X11 Forwarding.

Additionally, leave TCP connections for X11 disabled, so that the X server accepts only local clients over its Unix socket and does not listen on the network:

  • IGEL OS 12: Leave User Interface > Display Settings > Access Control > Disable TCP connections at its default (enabled), or reset it to default if it has been changed.
  • IGEL OS 11: Leave User Interface > Display > Access Control > Disable TCP connections at its default (enabled), or reset it to default if it has been changed.
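The two mitigation settings above can be verified from a shell on the device. The script below is an added example for this advisory, not IGEL's own tooling: it checks a copy of sshd_config for the effective X11Forwarding value (sshd honours the first occurrence of a keyword and defaults to "no" when it is absent) and scans `ss -ltn` output for TCP listeners in the X11 display range 6000-6063. The sample inputs are constructed, the file path /etc/ssh/sshd_config and the audit_host function name are assumptions, and on IGEL OS the sshd configuration may be generated from the registry settings described above, so the file check reflects the effective configuration rather than the configurator setting itself.

```shell
#!/bin/sh
# Added example (not IGEL's own tooling): offline checks that mirror the two
# mitigations in this advisory. Each check takes the text to inspect as its
# first argument so it can be run against a saved copy of sshd_config or of
# `ss -ltn` output, or against the live host via audit_host below.

# sshd uses the FIRST X11Forwarding line it finds (later ones are ignored)
# and defaults to "no" when the keyword is absent. Comments are stripped and
# the optional "keyword=value" form is normalised first.
# Returns 0 (true) when forwarding is effectively off.
x11_forwarding_disabled() {
    _value=$(printf '%s\n' "$1" \
        | sed 's/#.*//; s/=/ /' \
        | awk 'tolower($1) == "x11forwarding" { print tolower($2); exit }')
    [ -z "$_value" ] || [ "$_value" = "no" ]
}

# Given `ss -ltn` output, print every listening TCP socket in the X11 display
# range (6000-6063, displays :0 through :63). Prints nothing when the X server
# runs without a TCP listener. The Local Address:Port column is field 4.
x11_tcp_listeners() {
    printf '%s\n' "$1" | awk 'NR > 1 {
        n = split($4, a, ":"); port = a[n] + 0
        if (port >= 6000 && port <= 6063) print $4
    }'
}

# Constructed sample inputs (not captured from a real device).
SSHD_CONFIG_WEAK='Port 22
X11Forwarding yes
# X11Forwarding no   <- commented out, ignored by sshd
'
SSHD_CONFIG_OK='Port 22
PasswordAuthentication no
'
SS_OUTPUT_WEAK='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*
LISTEN 0      128    0.0.0.0:6000        0.0.0.0:*
LISTEN 0      128    [::]:6000           [::]:*
'
SS_OUTPUT_OK='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*
'

# Live audit of the host this runs on (assumed path; needs a shell on the device).
audit_host() {
    if [ -r /etc/ssh/sshd_config ]; then
        if x11_forwarding_disabled "$(cat /etc/ssh/sshd_config)"; then
            echo "sshd: X11 forwarding disabled"
        else
            echo "sshd: X11 forwarding ENABLED - disable it"
        fi
    else
        echo "sshd: /etc/ssh/sshd_config not readable, check the configurator setting"
    fi
    if command -v ss >/dev/null 2>&1; then
        _listeners=$(x11_tcp_listeners "$(ss -ltn 2>/dev/null)")
        if [ -z "$_listeners" ]; then
            echo "X server: not listening on TCP"
        else
            echo "X server: LISTENING on TCP: $_listeners"
        fi
    fi
}
```

Source the file and call `audit_host` on a device; the constructed samples show the two states the functions distinguish (a forwarding line that is only present as a comment still counts as disabled, and an IPv6 listener on [::]:6000 is caught as well as the IPv4 one). A clean result from both checks only reduces exposure; the vulnerable X server code is still present until the update is installed.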

Update Instructions

  • IGEL OS 12: IGEL is preparing an updated IGEL OS 12 Base System app. Install it as soon as it is available; the mitigations above reduce exposure but do not remove the vulnerabilities.
  • IGEL OS 11: IGEL is preparing an updated IGEL OS 11 release. Install it as soon as it is available for the same reason.

References