Friday, May 10, 2024

Citrix Urges SSH PuTTY Users to Address Hacking Manually


Citrix advised customers this week to manually address a vulnerability in the PuTTY SSH client that could allow attackers to steal XenCenter administrators' private SSH keys.

XenCenter assists in managing the Citrix Hypervisor environment from Windows desktops, including deploying and monitoring virtual machines.

The security vulnerability (identified as CVE-2024-31497) affects several versions of XenCenter for Citrix Hypervisor 8.2 CU1 LTSR, which include and utilize PuTTY to establish SSH connections from XenCenter to guest VMs when clicking the "Open SSH Console" button.

PuTTY is a third-party component that has been removed by Citrix starting from XenCenter 8.2.6, and any versions after 8.2.7 will no longer include it.

"The issue was reported in versions of PuTTY before version 0.81; when used in conjunction with XenCenter, this issue may, in some scenarios, allow an attacker controlling the guest VM to determine the SSH private key of a XenCenter administrator who uses that key to authenticate to the guest VM when using an SSH connection," Citrix explained in Wednesday's security advisory.

CVE-2024-31497 was discovered and reported by Fabian Bäumer and Marcus Brinkmann of Ruhr University Bochum. It is caused by the way older versions of the Windows-based PuTTY SSH client generate ECDSA nonces (temporary, unique cryptographic numbers) for the NIST P-521 curve used for authentication.

The company advised admins who want to address the vulnerability to download the latest PuTTY version and install it as a replacement for the version bundled with older XenCenter releases.

"Customers who do not wish to use the 'Open SSH Console' functionality may remove the PuTTY component entirely," Citrix added.

"Customers who wish to maintain the use of existing PuTTY should replace the version installed on their XenCenter systems with an updated version (with a version number of at least 0.81)."
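As an added triage aid (not code from the article or from Citrix), the script below takes an OpenSSH-style authorized_keys text and a PuTTY version string, flags keys of the affected ecdsa-sha2-nistp521 type so the administrator knows which keys were in scope and need replacing, and checks the installed PuTTY against the 0.81 threshold named in the advisory. The sample key lines are constructed placeholders, and the version-string format is an assumption.

```python
import base64
import struct

FIXED_PUTTY_VERSION = (0, 81)              # fixed release named in the Citrix advisory
AFFECTED_KEY_TYPE = "ecdsa-sha2-nistp521"  # only NIST P-521 ECDSA keys are affected

def parse_putty_version(version: str) -> tuple:
    """'0.79' or 'Release 0.81' -> (0, 79) / (0, 81); assumes the last token is the number."""
    return tuple(int(p) for p in version.strip().split()[-1].split("."))

def putty_needs_update(version: str) -> bool:
    """True when the bundled PuTTY is older than the fixed release."""
    return parse_putty_version(version) < FIXED_PUTTY_VERSION

def _ssh_string(data: bytes) -> bytes:
    """SSH wire-format string: 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data

def key_type_from_blob(b64_blob: str) -> str:
    """The key type is the first SSH string inside the base64 public-key blob."""
    blob = base64.b64decode(b64_blob)
    (length,) = struct.unpack(">I", blob[:4])
    return blob[4:4 + length].decode("ascii")

def affected_keys(authorized_keys_text: str) -> list:
    """Comments of P-521 ECDSA keys found in OpenSSH authorized_keys-style text."""
    flagged = []
    for line in authorized_keys_text.splitlines():
        parts = line.split()
        if len(parts) < 2 or parts[0].startswith("#"):
            continue
        try:
            actual_type = key_type_from_blob(parts[1])
        except (ValueError, struct.error):
            continue  # not a parsable key line
        # Trust the type encoded in the blob rather than the declared prefix.
        if actual_type == AFFECTED_KEY_TYPE:
            flagged.append(parts[2] if len(parts) > 2 else "")
    return flagged

def make_sample_key_line(key_type: str, curve: str, comment: str) -> str:
    blob = _ssh_string(key_type.encode()) + _ssh_string(curve.encode()) + _ssh_string(b"\x04")
    return f"{key_type} {base64.b64encode(blob).decode()} {comment}"

# Constructed sample input (placeholder points, not real curve points):
# one affected P-521 key and one unaffected P-256 key.
SAMPLE_AUTHORIZED_KEYS = "\n".join([
    make_sample_key_line("ecdsa-sha2-nistp521", "nistp521", "xenadmin@workstation"),
    make_sample_key_line("ecdsa-sha2-nistp256", "nistp256", "backup@workstation"),
])
```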

In January, CISA directed US federal agencies to fix the CVE-2023-6548 code injection and CVE-2023-6549 buffer overflow vulnerabilities after Citrix warned that they were actively exploited as zero-days.

Another critical NetScaler vulnerability (identified as CVE-2023-4966 and dubbed Citrix Bleed) was exploited as a zero-day by multiple hacker groups to breach government organizations and leading technology companies, such as Boeing, before being patched in October.

The Health Sector Cybersecurity Coordination Center (HHS cybersecurity team) also cautioned healthcare organizations in a sector warning to secure NetScaler ADC and NetScaler Gateway instances against increasing ransomware attacks.

via emka.web.id
