Citrix XenCenter: PuTTY vulnerability threatens to steal SSH keys

How do virtual machines come under the control of cybercriminals?

Citrix sent a warning to its customers about the need to manually mitigate the consequences of a vulnerability in the PuTTY SSH client that could allow attackers to steal the XenCenter administrator's private SSH key.

XenCenter is a tool for managing Citrix Hypervisor environments from the Windows desktop, including deploying and monitoring virtual machines.

The vulnerability, tracked as CVE-2024-31497, affects several versions of XenCenter for Citrix Hypervisor 8.2 CU1 LTSR, which use PuTTY to create SSH connections to guest VMs when the "Open SSH Console" function is used.

Citrix reports that the third-party PuTTY component was removed in XenCenter version 8.2.6, and starting from 8.2.7, it will no longer be shipped as part of XenCenter.

The problem is related to PuTTY versions prior to 0.81: in certain scenarios, in combination with XenCenter, the vulnerability allows an attacker controlling the guest VM to determine the private SSH key of the XenCenter administrator, Citrix experts explain.

The vulnerability was discovered by Fabian Boehmer and Markus Brinkmann of Ruhr University Bochum. The flaw stems from the way older versions of the PuTTY SSH client running on Windows generate ECDSA nonces (temporary, one-time cryptographic numbers) for the NIST P-521 curve used for authentication.

To fix the vulnerability, Citrix recommends that administrators download the latest version of PuTTY and install it instead of the version included in older XenCenter releases.

Customers who do not require the "Open SSH Console" functionality can remove the PuTTY component completely. Those who want to continue using PuTTY should replace the version installed with XenCenter with an updated one, version 0.81 or later.
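Because the flaw concerns ECDSA keys on the NIST P-521 curve, it helps to know where such keys are authorized so they can be reviewed. The following is an added example, not code from Citrix or from the original post: it assumes guest VMs use OpenSSH-style `authorized_keys` files, and all function names and the sample data are constructed for illustration.

```python
import base64
import struct

AFFECTED_TYPE = "ecdsa-sha2-nistp521"  # key type named on the page (NIST P-521 ECDSA)

def ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH wire-format string: uint32 length, then data."""
    return struct.pack(">I", len(data)) + data

def blob_algorithm(b64_blob: str) -> str:
    """Return the algorithm name embedded in a base64 public-key blob, or ''."""
    try:
        blob = base64.b64decode(b64_blob, validate=True)
    except ValueError:  # not base64, e.g. a fragment of a quoted option
        return ""
    if len(blob) < 4:
        return ""
    (length,) = struct.unpack(">I", blob[:4])
    return blob[4:4 + length].decode("ascii", "replace")

def find_p521_keys(text: str) -> list:
    """Return (line_number, comment) for every P-521 ECDSA key in the text."""
    hits = []
    for number, line in enumerate(text.splitlines(), 1):
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        # Options may precede the key type, so test every token position and
        # confirm the match against the algorithm name inside the blob.
        for i in range(len(fields) - 1):
            if fields[i] == AFFECTED_TYPE and blob_algorithm(fields[i + 1]) == AFFECTED_TYPE:
                hits.append((number, " ".join(fields[i + 2:])))
                break
    return hits

def sample_authorized_keys() -> str:
    """Constructed sample with dummy key material (not real keys)."""
    enc = lambda raw: base64.b64encode(raw).decode()
    p521 = enc(ssh_string(b"ecdsa-sha2-nistp521") + ssh_string(b"nistp521")
               + ssh_string(b"\x04" + bytes(132)))
    ed = enc(ssh_string(b"ssh-ed25519") + ssh_string(bytes(32)))
    return "\n".join([
        "# constructed sample",
        f"ssh-ed25519 {ed} ops@example",
        f"ecdsa-sha2-nistp521 {p521} admin@xencenter-ws",
        f'command="echo ecdsa-sha2-nistp521 hi" ssh-ed25519 {ed} backup@example',
        f"no-pty ecdsa-sha2-nistp521 {p521} second-admin",
    ])
```

On the constructed sample, `find_p521_keys(sample_authorized_keys())` reports lines 3 and 5 and ignores the line where the key-type string only appears inside a quoted `command=` option.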