Advisory

Citrix releases update for Citrix Hypervisor to remove vulnerable PuTTY SSH tooling

Take action: This risk applies most to hosting providers and other multi-tenant environments where the users of a guest VM may be threat actors, because the attack requires control of a VM that an administrator connects to over SSH. As usual, it's wise to update to the latest patched version of the product, but hosting providers should treat this as high priority.


Learn More

Citrix has released an update to XenCenter, the management console for Citrix Hypervisor, to mitigate the PuTTY vulnerability CVE-2024-31497.

The issue stems from XenCenter bundling an outdated PuTTY SSH client in versions prior to 8.2.6 for Citrix Hypervisor 8.2 CU1 Long Term Service Release (LTSR). PuTTY 0.68 through 0.80 generate biased nonces when producing ECDSA signatures with NIST P-521 keys (key type ecdsa-sha2-nistp521): the nonce is derived from a 512-bit hash, so its top 9 bits are always zero. ECDSA keys are signing keys, not encryption keys, and the flaw is in signing, not key generation. An attacker who controls a guest VM to which a XenCenter administrator connects over SSH using such a key can collect the signatures from those logins (on the order of 60 are enough) and recover the administrator's private key. That key could then be used to authenticate to other virtual machines, escalating the scope of the attack.

If the same key is also used with other services, such as Git over SSH for source code management, the compromise could extend to a supply chain attack on those repositories.

Affected Products:

  • Versions of XenCenter for Citrix Hypervisor 8.2 CU1 LTSR up to and including 8.2.5.
  • Other products that bundle vulnerable PuTTY versions include FileZilla, WinSCP, TortoiseGit, and TortoiseSVN.

Citrix has removed PuTTY starting from XenCenter version 8.2.6 for Citrix Hypervisor 8.2 CU1 LTSR, so the updated XenCenter no longer ships an SSH client. Customers who still need SSH console functionality should install PuTTY 0.81 or later separately, or do without it if SSH access from XenCenter is not essential. Because the private key leaks through signatures that have already been made, any P-521 ECDSA key that was ever used with an affected PuTTY version (or with one of the other affected products above) should be treated as compromised: revoke it everywhere it is trusted, including authorized_keys files and services such as Git hosting, and generate a replacement. Keys of other types, such as Ed25519 or ECDSA on P-256 and P-384, are not affected by this flaw.
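The two checks a practitioner would want to run after reading the description of the flaw and the remediation above are "which of our trusted SSH keys are P-521 ECDSA keys that now need rotating" and "is this PuTTY build in the affected range". The following script is an added example, not Citrix or PuTTY code. It decodes OpenSSH public-key lines and classifies each key by the type and curve stored in the key blob rather than by the text label, flags every ecdsa-sha2-nistp521 entry, and compares a PuTTY version string against the affected range 0.68 to 0.80. The sample authorized_keys content is constructed inline with dummy public points (not real keys), and the helper names are the example's own.

```python
"""Flag SSH keys and PuTTY builds exposed to CVE-2024-31497 (P-521 ECDSA nonce bias).

Added example, not Citrix or PuTTY code. The sample authorized_keys text below is
constructed for the demo with dummy public points; it is not taken from a real system.
"""
import base64
import struct
from typing import List, Optional, Tuple

# Only this key type is affected: PuTTY derived the P-521 signing nonce from a
# 512-bit hash, so the top 9 bits of every nonce were zero.
AFFECTED_KEY_TYPE = "ecdsa-sha2-nistp521"

# Per the PuTTY advisory: releases 0.68 through 0.80 inclusive are affected, 0.81 is fixed.
FIRST_AFFECTED = (0, 68)
FIRST_FIXED = (0, 81)

# Tokens that begin the key-type field of an authorized_keys / .pub line
# (an options prefix such as from="..." may precede them).
KEY_TYPE_PREFIXES = ("ssh-", "ecdsa-sha2-", "sk-")


def ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH wire-format string (uint32 big-endian length + payload)."""
    return struct.pack(">I", len(data)) + data


def parse_ssh_strings(blob: bytes) -> List[bytes]:
    """Split a public-key blob into its length-prefixed fields (RFC 4253 string encoding)."""
    fields, off = [], 0
    while off < len(blob):
        if off + 4 > len(blob):
            raise ValueError("truncated length prefix in key blob")
        (n,) = struct.unpack(">I", blob[off:off + 4])
        off += 4
        if off + n > len(blob):
            raise ValueError("truncated field in key blob")
        fields.append(blob[off:off + n])
        off += n
    return fields


def classify_pubkey_line(line: str) -> Optional[Tuple[str, Optional[str], str]]:
    """Return (key_type, curve, comment) for one OpenSSH public-key line, or None for
    blank/comment lines. The type and curve come from the decoded blob, so a mislabelled
    line cannot hide a P-521 key; a label/blob mismatch is rejected outright."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    tokens = line.split()
    for i, tok in enumerate(tokens):
        if tok.startswith(KEY_TYPE_PREFIXES) and i + 1 < len(tokens):
            label, b64, comment = tok, tokens[i + 1], " ".join(tokens[i + 2:])
            break
    else:
        raise ValueError(f"no key type/blob pair found in line: {line!r}")
    fields = parse_ssh_strings(base64.b64decode(b64, validate=True))
    key_type = fields[0].decode("ascii")
    if key_type != label:
        raise ValueError(f"label {label} does not match blob key type {key_type}")
    curve = fields[1].decode("ascii") if key_type.startswith("ecdsa-sha2-") else None
    return key_type, curve, comment


def find_affected_keys(authorized_keys_text: str) -> List[Tuple[int, str]]:
    """Return (line_number, comment) for every ecdsa-sha2-nistp521 key in the file text."""
    hits = []
    for lineno, line in enumerate(authorized_keys_text.splitlines(), start=1):
        parsed = classify_pubkey_line(line)
        if parsed and parsed[0] == AFFECTED_KEY_TYPE and parsed[1] == "nistp521":
            hits.append((lineno, parsed[2]))
    return hits


def parse_putty_version(version: str) -> Tuple[int, int]:
    """'0.80' -> (0, 80). Snapshot/pre-release suffixes are not handled."""
    major, minor = version.strip().split(".")[:2]
    return int(major), int(minor)


def putty_version_affected(version: str) -> bool:
    """True for PuTTY releases in the affected range 0.68..0.80 inclusive."""
    return FIRST_AFFECTED <= parse_putty_version(version) < FIRST_FIXED


def make_pubkey_line(key_type: str, comment: str, curve: Optional[str] = None) -> str:
    """Build a syntactically valid public-key line with a dummy public point.
    Constructed for this demo only; the point is all zeros and not a real key."""
    if curve:
        coord_len = {"nistp256": 32, "nistp384": 48, "nistp521": 66}[curve]
        point = b"\x04" + bytes(2 * coord_len)  # uncompressed-point prefix + X || Y
        blob = ssh_string(key_type.encode()) + ssh_string(curve.encode()) + ssh_string(point)
    else:
        blob = ssh_string(key_type.encode()) + ssh_string(bytes(32))  # e.g. Ed25519 public key
    return f"{key_type} {base64.b64encode(blob).decode()} {comment}"


# Constructed sample: one safe Ed25519 key, one safe P-256 key, one P-521 key with an options prefix.
SAMPLE_AUTHORIZED_KEYS = "\n".join([
    "# constructed sample authorized_keys for the demo",
    make_pubkey_line("ssh-ed25519", "ops@jumphost"),
    make_pubkey_line("ecdsa-sha2-nistp256", "ci@build01", "nistp256"),
    'from="10.0.0.0/8" ' + make_pubkey_line("ecdsa-sha2-nistp521", "admin@xencenter", "nistp521"),
])

if __name__ == "__main__":
    for lineno, comment in find_affected_keys(SAMPLE_AUTHORIZED_KEYS):
        print(f"line {lineno}: P-521 ECDSA key '{comment}' must be revoked and regenerated")
    for v in ("0.67", "0.68", "0.80", "0.81"):
        print(f"PuTTY {v}: {'affected' if putty_version_affected(v) else 'not affected'}")
```

Run it against the contents of each authorized_keys file, Git hosting deploy-key list, or users' ~/.ssh/*.pub on hosts that XenCenter administrators connect to; every hit is a key to revoke and replace, since the tool cannot tell whether that key was ever used from an affected PuTTY build. The version check only covers numbered releases; a development snapshot needs to be judged by its build date against the 0.81 release.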

Citrix advises all customers to update their systems to mitigate this vulnerability and to subscribe to security bulletins for future alerts.
