Citrix notified customers this week to manually mitigate a PuTTY SSH client vulnerability that could allow attackers to steal a XenCenter admin’s private SSH key.
XenCenter helps manage Citrix Hypervisor environments from a Windows desktop, including deploying and monitoring virtual machines.
The security flaw (tracked as CVE-2024-31497) impacts multiple versions of XenCenter for Citrix Hypervisor 8.2 CU1 LTSR, which bundle and use PuTTY to make SSH connections from XenCenter to guest VMs when clicking the “Open SSH Console” button.
Citrix says that the PuTTY third-party component has been removed starting with XenCenter 8.2.6, and any versions after 8.2.7 will no longer include it.
“An issue has been reported in versions of PuTTY prior to version 0.81; when used in conjunction with XenCenter, this issue may, in some scenarios, allow an attacker who controls a guest VM to determine the SSH private key of a XenCenter administrator who uses that key to authenticate to that guest VM while using an SSH connection,” Citrix explains in a Wednesday security advisory.
Found and reported by Fabian Bäumer and Marcus Brinkmann of Ruhr University Bochum, CVE-2024-31497 is caused by how older versions of the Windows-based PuTTY SSH client generate ECDSA nonces (temporary unique cryptographic numbers) for the NIST P-521 curve used for authentication.
The company told admins who want to mitigate the vulnerability to download the latest version of PuTTY and install it in place of the version bundled with older XenCenter releases.
“Customers who do not wish to use the “Open SSH Console” functionality may remove the PuTTY component completely,” Citrix added.
“Customers who wish to maintain the existing usage of PuTTY should replace the version installed on their XenCenter system with an updated version (with a version number of at least 0.81).”
In January, CISA ordered U.S. federal agencies to patch the CVE-2023-6548 code injection and the CVE-2023-6549 buffer overflow Citrix Netscaler vulnerabilities one day after Citrix warned they were actively exploited as zero-days.
Another critical Netscaler flaw (tracked as CVE-2023-4966 and dubbed Citrix Bleed) was exploited as a zero-day by multiple hacking groups to breach government organizations and high-profile tech companies, such as Boeing, before being patched in October.
The Health Sector Cybersecurity Coordination Center (HHS’ cybersecurity team) also warned health organizations in a sector-wide alert to secure NetScaler ADC and NetScaler Gateway instances against surging ransomware attacks.
