Citrix has released a security bulletin detailing a vulnerability (CVE-2024-31497) affecting certain versions of XenCenter, the management console for its Citrix Hypervisor virtualization platform.
The issue is not in Citrix's own code: it stems from a vulnerable version of the popular PuTTY SSH client that was bundled with XenCenter.
Versions of XenCenter for Citrix Hypervisor 8.2 CU1 Long Term Service Release (LTSR) prior to 8.2.6 included PuTTY to enable SSH connections from XenCenter to guest virtual machines.
However, PuTTY versions before 0.81 (0.68 through 0.80) contained a flaw in how they produced ECDSA signatures with keys on the NIST P-521 curve: the per-signature nonce was biased, and an attacker who collects a few dozen signatures made with such a key can recover the private key from them.
In the XenCenter scenario this means an attacker who controls a guest VM can harvest those signatures from the SSH authentication handshakes of a XenCenter administrator who logs in to that VM with a P-521 key, and from them determine the administrator's SSH private key.
Obtaining the private key would let the attacker impersonate the administrator on any other system or service that trusts the same key.
The flaw could also enable supply chain attacks if the compromised key is also used to authenticate to services such as Git hosting that hold software source code, since the attacker could then push or sign code as the administrator.
In addition to Citrix Hypervisor, the PuTTY vulnerability impacts several other products that bundled the affected versions, including FileZilla, WinSCP, TortoiseGit, and TortoiseSVN.
To mitigate the risk, Citrix has deprecated the inclusion of PuTTY, starting with XenCenter version 8.2.6 for Citrix Hypervisor 8.2 CU1 LTSR. Versions 8.2.7 and later will not include PuTTY.
Customers who wish to continue using the SSH console functionality in XenCenter are advised to update PuTTY to version 0.81 or later.
Citrix emphasized that versions of XenCenter for the newer XenServer 8 hypervisor have never included PuTTY and are not affected.
The company recommends that all customers subscribe to alerts for security bulletins and treat any potential vulnerabilities seriously.
The PuTTY vulnerability has been assigned a CVSS severity score of 5.9 (medium).
Citrix customers using impacted versions of XenCenter with PuTTY are encouraged to take immediate action by updating PuTTY or removing it if the SSH functionality is not needed. Note that updating PuTTY only stops further leakage: any P-521 ECDSA key that was ever used to authenticate from an affected PuTTY build should be treated as compromised, replaced, and removed from every authorized_keys file and service that trusts it.
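Because the exposure is limited to P-521 ECDSA keys, the practical clean-up is to find every such key that guest VMs still trust and to confirm the PuTTY version in use. The script below is an added example written for this article, not code from Citrix or the PuTTY project: it parses OpenSSH authorized_keys lines (including ones with leading option fields), base64-decodes the public-key blob, checks that the wire-encoded key type, curve name and uncompressed-point length are consistent, and reports the keys on nistp521. The sample authorized_keys content and the key coordinates in it are constructed placeholders, not real keys, and the function names are my own.

```python
import base64
import binascii
import struct

# CVE-2024-31497 only affects ECDSA signatures made with NIST P-521 keys, so
# these are the keys to hunt for in authorized_keys files on guest VMs.
AFFECTED_CURVE = "nistp521"
# Uncompressed point is 0x04 || X || Y; coordinate length per curve in bytes.
COORD_LEN = {"nistp256": 32, "nistp384": 48, "nistp521": 66}
KEY_TYPE_PREFIXES = ("ssh-", "ecdsa-", "sk-")
FIXED_PUTTY = (0, 81)  # first PuTTY release with the fix


def ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH wire-format string: uint32 length, then data."""
    return struct.pack(">I", len(data)) + data


def read_ssh_string(blob: bytes, off: int):
    """Decode one SSH string at offset `off`; return (value, next_offset)."""
    if off + 4 > len(blob):
        raise ValueError("truncated length field")
    (n,) = struct.unpack(">I", blob[off:off + 4])
    off += 4
    if off + n > len(blob):
        raise ValueError("truncated string body")
    return blob[off:off + n], off + n


def decode_blob(b64: str):
    """Base64-decode a public-key blob; return (blob, wire_key_type) or None."""
    try:
        blob = base64.b64decode(b64, validate=True)
        wire_type, _ = read_ssh_string(blob, 0)
        return blob, wire_type.decode("ascii")
    except (ValueError, binascii.Error, UnicodeDecodeError):
        return None


def parse_authorized_key(line: str):
    """Parse one authorized_keys line into (key_type, curve, comment).

    `curve` is None for non-ECDSA keys.  Returns None for blank lines,
    comments, and lines whose blob is malformed or disagrees with the
    declared key type.  Leading option fields (from=, command=, ...) are
    skipped by locating the field whose successor decodes to a blob that
    names the same key type.
    """
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    fields = line.split()
    for i in range(len(fields) - 1):
        if not fields[i].startswith(KEY_TYPE_PREFIXES):
            continue
        decoded = decode_blob(fields[i + 1])
        if decoded is None or decoded[1] != fields[i]:
            continue
        blob, key_type = decoded
        comment = " ".join(fields[i + 2:])
        curve = None
        if key_type.startswith("ecdsa-sha2-"):
            try:
                _, off = read_ssh_string(blob, 0)
                curve_b, off = read_ssh_string(blob, off)
                point, off = read_ssh_string(blob, off)
            except ValueError:
                return None
            curve = curve_b.decode("ascii", "replace")
            expected = COORD_LEN.get(curve)
            # The inner curve name must match the type suffix and the point
            # must be an uncompressed point of the right size for that curve.
            if (key_type != f"ecdsa-sha2-{curve}" or expected is None
                    or len(point) != 1 + 2 * expected or point[0] != 0x04):
                return None
        return key_type, curve, comment
    return None


def find_p521_keys(authorized_keys_text: str):
    """Return the comments of every P-521 ECDSA key in an authorized_keys file."""
    hits = []
    for raw in authorized_keys_text.splitlines():
        parsed = parse_authorized_key(raw)
        if parsed is not None and parsed[1] == AFFECTED_CURVE:
            hits.append(parsed[2])
    return hits


def putty_is_fixed(version: str) -> bool:
    """True if a PuTTY version string such as '0.81' is at or past the fix."""
    parts = tuple(int(p) for p in version.split("."))
    return parts >= FIXED_PUTTY


# --- constructed sample input (placeholder coordinates, not real keys) ------
def _fake_ecdsa_blob(curve: str) -> str:
    n = COORD_LEN[curve]
    point = b"\x04" + b"\x11" * n + b"\x22" * n
    blob = (ssh_string(f"ecdsa-sha2-{curve}".encode())
            + ssh_string(curve.encode()) + ssh_string(point))
    return base64.b64encode(blob).decode()


def _fake_ed25519_blob() -> str:
    blob = ssh_string(b"ssh-ed25519") + ssh_string(b"\x33" * 32)
    return base64.b64encode(blob).decode()


SAMPLE_AUTHORIZED_KEYS = "\n".join([
    "# constructed sample for this example",
    f"ecdsa-sha2-nistp256 {_fake_ecdsa_blob('nistp256')} ops@laptop",
    f'from="10.0.0.0/8" ecdsa-sha2-nistp521 {_fake_ecdsa_blob("nistp521")} admin@xencenter',
    f"ssh-ed25519 {_fake_ed25519_blob()} ops@jumphost",
    "ecdsa-sha2-nistp521 not-base64!! broken@line",
])

if __name__ == "__main__":
    for comment in find_p521_keys(SAMPLE_AUTHORIZED_KEYS):
        print(f"rotate P-521 key: {comment}")
    print("PuTTY 0.80 fixed?", putty_is_fixed("0.80"))
```

Run it against a real `~/.ssh/authorized_keys` by passing the file's contents to `find_p521_keys`; every reported key should be replaced with a new key (any curve other than P-521, or Ed25519) rather than merely re-used from a patched client, since the old private key may already be recoverable from signatures the attacker collected.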