Citrix Urges Admins to Manually Address PuTTY SSH Client Vulnerability
May 9, 2024
This week, Citrix notified its customers of a vulnerability in the PuTTY SSH client that could allow an attacker to recover the private SSH key of a XenCenter administrator. XenCenter is the Windows desktop tool used to manage Citrix Hypervisor environments, including deploying and monitoring virtual machines, and it is at the center of this issue.
The vulnerability, identified as CVE-2024-31497, affects multiple versions of XenCenter for Citrix Hypervisor 8.2 CU1 LTSR. These versions bundle PuTTY and use it to open SSH connections from XenCenter to guest VMs via the 'Open SSH Console' button. Citrix states that the bundled PuTTY component was removed starting with XenCenter 8.2.6 and will not be included in any version after 8.2.7.
The issue, as Citrix explained in a security advisory released on Wednesday, affects versions of PuTTY prior to 0.81. When used in conjunction with XenCenter, it could allow an attacker who controls a guest VM to determine the SSH private key of a XenCenter administrator, provided the administrator uses that key to authenticate to the guest VM over SSH.
The vulnerability was discovered and reported by Fabian Bäumer and Marcus Brinkmann of Ruhr University Bochum. The flaw, CVE-2024-31497, arises from the way older versions of the Windows-based PuTTY SSH client generate ECDSA nonces (the one-time secret values each signature requires) for the NIST P-521 curve used for authentication.
To mitigate this vulnerability, Citrix has advised admins to download and install the latest version of PuTTY, replacing the version bundled with older XenCenter releases. Citrix further added: "Customers who do not wish to use the 'Open SSH Console' functionality may remove the PuTTY component completely. Customers who wish to maintain the existing usage of PuTTY should replace the version installed on their XenCenter system with an updated version (with a version number of at least 0.81)."
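The following audit helper is an added example, not code from Citrix, the PuTTY project, or the article. It encodes the reasoning behind the nonce flaw described above and turns the mitigation paragraph into a check an administrator can run: it flags PuTTY builds older than 0.81 and identifies which SSH keys are of the affected type. The background it relies on comes from the upstream PuTTY advisory rather than this page: PuTTY before 0.81 derived ECDSA nonces by taking a SHA-512 hash and reducing it modulo the curve order, which is harmless for P-256 and P-384 but leaves the top 9 bits of every P-521 nonce fixed at zero, so only `ecdsa-sha2-nistp521` keys are affected, and a P-521 key that has ever signed with a vulnerable build should be retired and its public half removed from `authorized_keys`, not merely re-used with a patched client. The sample `authorized_keys` content and `.ppk` header are constructed, with placeholder blobs instead of real keys, and the function and constant names are this example's own.

```python
"""Added audit helper for CVE-2024-31497 (not Citrix's or PuTTY's own code).

PuTTY < 0.81 derived ECDSA nonces as SHA-512(...) mod n.  SHA-512 is 512 bits
wide; the P-521 group order n is 521 bits, so every P-521 nonce had its top
9 bits forced to zero.  P-256 and P-384 orders are narrower than the hash,
so their nonces were not biased.  (Background from the upstream PuTTY advisory.)
"""
import re
from dataclasses import dataclass

# Bit length of the group order n for the NIST curves PuTTY supports.
CURVE_ORDER_BITS = {
    "ecdsa-sha2-nistp256": 256,
    "ecdsa-sha2-nistp384": 384,
    "ecdsa-sha2-nistp521": 521,
}
NONCE_HASH_BITS = 512          # width of the SHA-512 output the old derivation used
FIXED_PUTTY_VERSION = (0, 81)  # first release with the corrected nonce derivation


def fixed_nonce_bits(key_type: str) -> int:
    """How many high nonce bits the old derivation forced to zero for this key type.

    Non-ECDSA types (ssh-rsa, ssh-ed25519, ...) return 0: they never used this path.
    """
    order_bits = CURVE_ORDER_BITS.get(key_type, 0)
    return max(order_bits - NONCE_HASH_BITS, 0)


def is_affected_key_type(key_type: str) -> bool:
    return fixed_nonce_bits(key_type) > 0


def parse_putty_version(text: str):
    """Extract (major, minor) from strings such as '0.81' or 'Release 0.76'."""
    m = re.search(r"(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no version number in {text!r}")
    return (int(m.group(1)), int(m.group(2)))


def putty_is_fixed(version_text: str) -> bool:
    """True when the reported PuTTY version is 0.81 or newer."""
    return parse_putty_version(version_text) >= FIXED_PUTTY_VERSION


@dataclass
class Finding:
    source: str
    key_type: str
    comment: str
    affected: bool


def audit_authorized_keys(text: str, source: str = "authorized_keys"):
    """Scan OpenSSH authorized_keys content and flag keys of an affected type."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        # A line may begin with options (from=..., no-pty, ...); the key type is
        # the first field that looks like an SSH key type.
        idx = next((i for i, f in enumerate(fields)
                    if f.startswith(("ssh-", "ecdsa-", "sk-"))), None)
        if idx is None or idx + 1 >= len(fields):
            continue  # malformed line: no key blob after the type
        key_type = fields[idx]
        comment = " ".join(fields[idx + 2:])
        findings.append(Finding(source, key_type, comment, is_affected_key_type(key_type)))
    return findings


def audit_ppk(text: str, source: str = "key.ppk"):
    """Read the key type from the first line of a PuTTY .ppk file."""
    m = re.match(r"PuTTY-User-Key-File-(\d+):\s*(\S+)", text)
    if not m:
        raise ValueError(f"{source}: not a PuTTY private key file")
    key_type = m.group(2)
    return Finding(source, key_type, "", is_affected_key_type(key_type))


# Constructed sample inputs; the blobs are placeholders, not real key material.
SAMPLE_AUTHORIZED_KEYS = """\
# XenCenter admin keys on a guest VM (constructed sample)
ecdsa-sha2-nistp521 PLACEHOLDER_P521_BLOB admin@xencenter
ssh-ed25519 PLACEHOLDER_ED25519_BLOB admin@xencenter
from="10.0.0.0/8" ecdsa-sha2-nistp256 PLACEHOLDER_P256_BLOB ops@laptop
"""
SAMPLE_PPK_HEADER = "PuTTY-User-Key-File-3: ecdsa-sha2-nistp521\n"


def main():
    for v in ("0.76", "Release 0.81"):
        status = "fixed" if putty_is_fixed(v) else "VULNERABLE, upgrade to 0.81 or later"
        print(f"PuTTY {v}: {status}")
    for f in audit_authorized_keys(SAMPLE_AUTHORIZED_KEYS) + [audit_ppk(SAMPLE_PPK_HEADER)]:
        if f.affected:
            print(f"{f.source}: {f.key_type} {f.comment} -> {fixed_nonce_bits(f.key_type)} "
                  "nonce bits fixed per signature; rotate this key and remove its public "
                  "half from every authorized_keys it appears in")
        else:
            print(f"{f.source}: {f.key_type} {f.comment} -> not affected")


if __name__ == "__main__":
    main()
```

Run it as a script to see the sample report, or import `audit_authorized_keys` and `audit_ppk` and point them at the real files from a guest VM's `~/.ssh/authorized_keys` and the administrator's `.ppk` store. The version check only inspects the string PuTTY reports, so on a XenCenter host it should be applied to the bundled `putty.exe`, not just to any separately installed copy.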
In January, the Cybersecurity and Infrastructure Security Agency (CISA) directed U.S. federal agencies to patch the CVE-2023-6548 code injection and CVE-2023-6549 buffer overflow vulnerabilities in Citrix NetScaler, a day after Citrix warned that both were being actively exploited as zero-days. Another critical NetScaler flaw, tracked as CVE-2023-4966 and known as Citrix Bleed, was exploited as a zero-day by multiple hacking groups to breach government organizations and high-profile tech companies, including Boeing, before it was patched in October. The Health Sector Cybersecurity Coordination Center (HHS' cybersecurity team) also issued a sector-wide alert warning health organizations to secure their NetScaler ADC and NetScaler Gateway instances against increasing ransomware attacks.