Citrix warns admins to manually address bug in SSH client


Admins must themselves address a vulnerability in the PuTTY SSH client. Citrix warns that attackers can steal a private SSH key if no mitigation takes place.

The CVE-2024-31497 vulnerability exists in XenCenter for Citrix Hypervisor 8.2 CU1 LTSR. The vulnerable third-party component is no longer present from version 8.2.6 onwards. Versions of PuTTY earlier than 0.81 make it possible, in some cases, for an attacker to obtain the admin's private SSH key via a compromised guest VM.

XenCenter makes it possible to manage Citrix Hypervisor from Windows. PuTTY is used to connect securely to a remote machine. If the per-signature random values (nonces) that the client generates are not sufficiently random, an attacker who observes enough signatures can recover the private key.

Advice

Those who do not use the Open SSH Console functionality can uninstall PuTTY entirely; no future version of Citrix Hypervisor will include PuTTY. Those who want to be protected but do not want to get rid of PuTTY can update the version pre-installed with XenCenter separately. That version must be at least 0.81.

Citrix patches the problem itself by abandoning PuTTY entirely. XenCenter for XenServer 8, meanwhile, never used PuTTY.
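The two mitigations above (remove PuTTY where the Open SSH Console is unused, otherwise update to 0.81 or later) are easy to get wrong across a fleet of management workstations. The following is an added triage helper, not Citrix's or PuTTY's own code; the inventory records and host names are constructed, and the field names (`putty_installed`, `putty_version`, `uses_open_ssh_console`) are assumptions about whatever inventory export you feed it. Any version string that cannot be parsed is treated as vulnerable so it is reviewed by hand rather than silently passed.

```python
import re

FIXED_VERSION = (0, 81)  # first PuTTY release that fixes CVE-2024-31497


def parse_putty_version(text):
    """Extract (major, minor) from a PuTTY version string such as
    'Release 0.80' or '0.81'. Returns None when no version is found."""
    m = re.search(r"(\d+)\.(\d+)", text or "")
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)))


def is_vulnerable_version(version):
    """True when the installed PuTTY predates the 0.81 fix. An unparsable
    or missing version is treated as vulnerable (fail closed)."""
    parsed = parse_putty_version(version)
    return parsed is None or parsed < FIXED_VERSION


def recommend(host):
    """Map one inventory record (assumed field names) to the action the
    advisory describes: nothing, update, or uninstall."""
    if not host.get("putty_installed", False):
        return "ok: PuTTY not installed"
    if not is_vulnerable_version(host.get("putty_version")):
        return "ok: PuTTY %s is at or above 0.81" % host["putty_version"]
    if host.get("uses_open_ssh_console", False):
        return "update: replace bundled PuTTY with 0.81 or newer"
    return "uninstall: Open SSH Console unused, remove PuTTY"


def triage(inventory):
    """Return {host name: recommended action} for a whole inventory."""
    return {h["name"]: recommend(h) for h in inventory}


# Constructed sample inventory; these are not real hosts.
SAMPLE_INVENTORY = [
    {"name": "mgmt-ws-01", "putty_installed": True, "putty_version": "Release 0.80", "uses_open_ssh_console": True},
    {"name": "mgmt-ws-02", "putty_installed": True, "putty_version": "0.76", "uses_open_ssh_console": False},
    {"name": "mgmt-ws-03", "putty_installed": True, "putty_version": "0.81", "uses_open_ssh_console": True},
    {"name": "mgmt-ws-04", "putty_installed": False},
]

if __name__ == "__main__":
    for name, action in triage(SAMPLE_INVENTORY).items():
        print(name, "->", action)
```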
