A security vulnerability has been found in OpenSSH, the software that provides secure remote access to machines such as IGEL OS devices. This affects the following IGEL products:
IGEL OS 12
IGEL OS 11
Details
A signal handler race condition was found in the OpenSSH server (sshd). It could lead to unauthenticated remote code execution. The vulnerability is tracked as CVE-2024-6387.
Mitigations
OpenSSH server functionality can be disabled by unchecking the profile setting System > Remote Access > SSH Access > Enable. Be aware that this disables SSH access to configured devices entirely.
Alternatively, sshd can be configured with LoginGraceTime = 0 by setting network.ssh_server.login_grace_time to 0 in the Registry. With the grace time disabled, the login timeout that triggers the affected signal handler never fires. Note, however, that this allows trivial Denial-of-Service (DoS) of SSH connections, because only one authentication attempt is accepted at once.
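The following POSIX shell script is an added example, not IGEL's own tooling, for verifying that the LoginGraceTime mitigation described above has actually taken effect on a device. It assumes the device's sshd is standard OpenSSH and supports "sshd -T", which prints the effective configuration in lowercase "key value" lines; the registry key on the page is IGEL-specific, so the script checks the resulting sshd configuration rather than the Registry itself. The two configuration samples are constructed so the script runs offline.

```shell
#!/bin/sh
# Added example (not IGEL's code): classify an sshd effective configuration
# ("sshd -T" output) according to the LoginGraceTime=0 mitigation for
# CVE-2024-6387.

# Constructed sample of "sshd -T" output with the OpenSSH default grace time
# (120 seconds): the timeout handler can still fire.
SAMPLE_DEFAULT='port 22
addressfamily any
logingracetime 120
maxstartups 10:30:100
permitrootlogin no'

# Constructed sample of the same host after the mitigation has been applied.
SAMPLE_MITIGATED='port 22
addressfamily any
logingracetime 0
maxstartups 10:30:100
permitrootlogin no'

# Read "sshd -T" style text on stdin and print the LoginGraceTime value in
# seconds, or "unknown" if the key is absent from the input.
grace_time_of() {
    awk '$1 == "logingracetime" { print $2; found = 1 }
         END { if (!found) print "unknown" }'
}

# Classify a configuration passed as the first argument:
#   mitigated - LoginGraceTime is 0, the login timeout is disabled
#   exposed   - LoginGraceTime is a positive timeout (unpatched sshd still
#               runs the affected signal handler when it expires)
#   unknown   - the key is missing, so nothing can be concluded
classify_sshd_config() {
    grace=$(printf '%s\n' "$1" | grace_time_of)
    case "$grace" in
        0)       echo mitigated ;;
        unknown) echo unknown ;;
        *)       echo exposed ;;
    esac
}

# Live check on a device (needs root so sshd can read its host keys);
# commented out so the script also runs where no sshd is installed:
# classify_sshd_config "$(sshd -T 2>/dev/null)"

classify_sshd_config "$SAMPLE_DEFAULT"    # prints: exposed
classify_sshd_config "$SAMPLE_MITIGATED"  # prints: mitigated
```

The check only tells you whether the workaround is in place, not whether the sshd build itself is patched; once the fixed IGEL OS versions below are installed, the grace time can be returned to its default to remove the DoS exposure the page mentions.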
Update Instructions
OS 12: Update to base system version 12.4.2 (expected July 16th)
OS 11: Update to IGEL OS 11.10.150 (expected July 11th)