Citrix has released a security bulletin detailing a critical vulnerability (CVE-2024-31497) in their Citrix Hypervisor platform. This vulnerability arises from the inclusion of a vulnerable version of the PuTTY SSH client in XenCenter, the management console for Citrix Hypervisor. Specifically, versions of XenCenter for Citrix Hypervisor 8.2 CU1 Long Term Service Release (LTSR) prior to 8.2.6 included PuTTY to enable SSH connections from XenCenter to guest virtual machines. However, PuTTY versions before 0.81 contain a flaw in their ECDSA implementation for keys on the NIST P-521 curve.
This vulnerability could allow an attacker controlling a guest VM to determine the SSH private key of a XenCenter administrator who uses that key to authenticate to the compromised VM over SSH. Obtaining the private key would enable the attacker to gain unauthorized access to other systems and services using the same key. Additionally, this flaw could facilitate supply chain attacks if the compromised keys are used for services like Git that host software source code.
To address this issue, Citrix has deprecated the inclusion of PuTTY starting with XenCenter version 8.2.6 for Citrix Hypervisor 8.2 CU1 LTSR. Versions 8.2.7 and later will not include PuTTY. Customers who wish to continue using the SSH console functionality in XenCenter are advised to update PuTTY to version 0.81 or later. Citrix emphasized that versions of XenCenter for the newer XenServer 8 hypervisor have never included PuTTY and are not affected by this vulnerability.
Citrix recommends that all customers subscribe to alerts for security bulletins and treat potential vulnerabilities seriously. The PuTTY vulnerability has been assigned a CVSS severity score of 5.9. Citrix customers using impacted versions of XenCenter with PuTTY are encouraged to take immediate action by updating PuTTY or removing it if the SSH functionality is not needed.
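As an added example (not part of the Citrix bulletin), the following Python check helps an administrator act on the advice above: it inventories an authorized_keys or .pub file for ECDSA keys on NIST P-521 (the only key type affected), which should be rotated if they were ever used from a pre-0.81 PuTTY, and compares an installed PuTTY version string such as "0.80" against the fixed release. The key lines are constructed for the example and are not real keys.

```python
import base64
import struct

def build_pubkey_blob(key_type: str, fields: list[bytes]) -> str:
    """Encode SSH wire-format string fields as a base64 public key blob."""
    out = b""
    for f in [key_type.encode()] + fields:
        out += struct.pack(">I", len(f)) + f
    return base64.b64encode(out).decode()

def read_ssh_strings(blob: bytes) -> list[bytes]:
    """Split an SSH wire-format blob into its length-prefixed fields."""
    fields, off = [], 0
    while off + 4 <= len(blob):
        (n,) = struct.unpack(">I", blob[off:off + 4])
        off += 4
        fields.append(blob[off:off + n])
        off += n
    return fields

def is_p521_ecdsa(line: str) -> bool:
    """True if an authorized_keys/.pub line is an ECDSA key on NIST P-521."""
    parts = line.split()
    if len(parts) < 2 or parts[0] != "ecdsa-sha2-nistp521":
        return False
    try:
        fields = read_ssh_strings(base64.b64decode(parts[1], validate=True))
    except (ValueError, struct.error):
        return False
    # Blob layout: string key_type, string curve_name, string Q (point)
    return (len(fields) >= 3 and fields[0] == b"ecdsa-sha2-nistp521"
            and fields[1] == b"nistp521")

def keys_to_rotate(authorized_keys: str) -> list[str]:
    """Return the comment field of every P-521 ECDSA key in the file text."""
    hits = []
    for line in authorized_keys.splitlines():
        if is_p521_ecdsa(line):
            parts = line.split()
            hits.append(parts[2] if len(parts) > 2 else "<no comment>")
    return hits

def putty_needs_update(version: str) -> bool:
    """PuTTY releases before 0.81 carry the flawed P-521 signing code."""
    major, minor = (int(x) for x in version.split(".")[:2])
    return (major, minor) < (0, 81)

# Constructed sample file: the P-521 point below is a dummy 133-byte blob, not a real key.
SAMPLE_AUTHORIZED_KEYS = "\n".join([
    "ssh-ed25519 " + build_pubkey_blob("ssh-ed25519", [b"\x22" * 32]) + " ops@host",
    "ecdsa-sha2-nistp521 " + build_pubkey_blob("ecdsa-sha2-nistp521",
        [b"nistp521", b"\x04" + b"\x11" * 132]) + " admin@xencenter",
])
```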