Citrix Urges Admins to Manually Address PuTTY SSH Client Vulnerability

May 9, 2024

This week, Citrix notified its customers of a vulnerability in the PuTTY SSH client that could allow an attacker to recover the private SSH key of a XenCenter administrator. XenCenter, the Windows desktop tool used to manage Citrix Hypervisor environments, including deploying and monitoring virtual machines, is the affected product.

The vulnerability, identified as CVE-2024-31497, affects multiple versions of XenCenter for Citrix Hypervisor 8.2 CU1 LTSR. These versions bundle PuTTY and use it to open SSH connections from XenCenter to guest VMs via the 'Open SSH Console' button. Citrix has stated that the PuTTY third-party component has been removed from XenCenter 8.2.6 onwards, and that it will not be included in any version after 8.2.7.

The issue, as Citrix explained in a security advisory released on Wednesday, was reported in versions of PuTTY prior to 0.81. When used in conjunction with XenCenter, it could allow an attacker who controls a guest VM to determine the SSH private key of a XenCenter administrator, provided the administrator authenticates to that guest VM over SSH with that key.

The vulnerability was discovered and reported by Fabian Bäumer and Marcus Brinkmann of Ruhr University Bochum. The flaw, CVE-2024-31497, arises from the way older versions of the Windows-based PuTTY SSH client generate ECDSA nonces (temporary unique cryptographic numbers) for the NIST P-521 curve used for authentication.

To mitigate this vulnerability, Citrix has advised admins to download and install the latest version of PuTTY, replacing the version bundled with older XenCenter releases. Citrix further added: "Customers who do not wish to use the 'Open SSH Console' functionality may remove the PuTTY component completely. Customers who wish to maintain the existing usage of PuTTY should replace the version installed on their XenCenter system with an updated version (with a version number of at least 0.81)."
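Two checks a defender can script from the facts above, as an added example that is not Citrix's or PuTTY's own code: it decodes the public-key blobs in an OpenSSH authorized_keys file to find entries of the affected ecdsa-sha2-nistp521 type (the only key type the P-521 nonce flaw concerns), and compares a PuTTY version string against the 0.81 minimum Citrix names. The sample authorized_keys entries are constructed here, and their point bytes are dummies, not real public keys.

```python
import base64
import struct
AFFECTED_KEY_TYPE = b"ecdsa-sha2-nistp521"  # only key type exposed by the nonce bug
FIXED_PUTTY_VERSION = (0, 81)                # Citrix: bundled PuTTY must be at least 0.81

def _wire_string(data: bytes) -> bytes:
    """Encode one SSH wire-format string (uint32 big-endian length + bytes)."""
    return struct.pack(">I", len(data)) + data

def _read_string(blob: bytes, off: int):
    """Decode the wire-format string at `off`; return (bytes, next offset)."""
    (n,) = struct.unpack(">I", blob[off:off + 4])
    return blob[off + 4:off + 4 + n], off + 4 + n

def _blob(*parts: bytes) -> str:
    """Base64 public-key blob assembled from wire strings (constructed test data)."""
    return base64.b64encode(b"".join(_wire_string(p) for p in parts)).decode()

def affected_keys(authorized_keys_text: str):
    """Return (line number, comment) for each entry whose blob is ECDSA on nistp521."""
    hits = []
    for lineno, line in enumerate(authorized_keys_text.splitlines(), 1):
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        # Entries may begin with an options field (assumed space-free), so locate the key type.
        idx = next((i for i, f in enumerate(fields)
                    if f.split("-")[0] in ("ssh", "ecdsa", "sk")), None)
        if idx is None or idx + 1 >= len(fields):
            continue
        blob = base64.b64decode(fields[idx + 1])
        key_type, off = _read_string(blob, 0)
        if key_type != AFFECTED_KEY_TYPE:
            continue
        curve, _ = _read_string(blob, off)  # ECDSA blobs carry the curve name next
        if curve == b"nistp521":
            hits.append((lineno, " ".join(fields[idx + 2:])))
    return hits

def putty_version_ok(version: str) -> bool:
    """True when a PuTTY version string such as '0.81' meets Citrix's stated minimum."""
    return tuple(int(p) for p in version.split(".")) >= FIXED_PUTTY_VERSION

# Constructed sample authorized_keys; the point bytes are dummies, not real public keys.
SAMPLE_AUTHORIZED_KEYS = "\n".join([
    "# constructed sample file",
    "ssh-ed25519 " + _blob(b"ssh-ed25519", b"\x00" * 32) + " ops@example",
    "ecdsa-sha2-nistp521 " + _blob(b"ecdsa-sha2-nistp521", b"nistp521", b"\x04" + b"\x11" * 132) + " xenadmin@example",
    'from="10.0.0.0/8" ecdsa-sha2-nistp256 ' + _blob(b"ecdsa-sha2-nistp256", b"nistp256", b"\x04" + b"\x22" * 64) + " dev@example",
])
```

Running `affected_keys` over the sample flags only the third entry; the Ed25519 and P-256 keys are untouched by this flaw.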

In January, the Cybersecurity and Infrastructure Security Agency (CISA) directed U.S. federal agencies to patch the CVE-2023-6548 code injection and CVE-2023-6549 buffer overflow vulnerabilities in Citrix NetScaler, a day after Citrix warned that both were being actively exploited as zero-days. Another critical NetScaler flaw, tracked as CVE-2023-4966 and known as Citrix Bleed, was exploited as a zero-day by multiple hacking groups to breach government organizations and high-profile tech companies, including Boeing, before it was patched in October. The Health Sector Cybersecurity Coordination Center (HHS' cybersecurity team) also issued a sector-wide alert urging health organizations to secure NetScaler ADC and NetScaler Gateway instances against increasing ransomware attacks.
