1 min

Tags in this article

, , ,

Admins must manually mitigate a vulnerability in the PuTTY SSH client. Citrix warns that attackers can steal a private SSH key if no mitigation takes place.

The vulnerability CVE-2024-31497 is in XenCenter for Citrix Hypervisor 8.2 CU1 LTSR. The vulnerable third-party component is no longer present as of version 8.2.6. Earlier versions of PuTTY than 0.81 make it possible in some cases for an attacker to obtain a private SSH key from the admin via an acquired guest VM.

XenCenter allows Citrix Hypervisor to be controlled from Windows. PuTTY is thereby used to securely connect to a remote machine. If the temporary cryptographic numbers are not completely randomly generated, an attacker can intercept the key.

Advice

Those who do not use the Open SSH Console functionality can remove PuTTY altogether. Every version of Citrix Hypervisor from now on will not include PuTTY. Those who want to be protected but do not want to get rid of PuTTY can update the pre-installed version within XenCenter separately. In doing so, the version must be at least 0.81.

Citrix is thus patching away the problem itself by moving away from PuTTY entirely. XenCenter for XenServer 8, meanwhile, never used PuTTY.

Also read: Citrix issues Threat Advisory on DDoS attacks