Citrix Warns: PuTTY Flaw Exposes XenCenter SSH Keys to Theft

Citrix has issued a warning to its clients regarding the need for manual mitigation of a vulnerability in the SSH client PuTTY, which could allow malicious actors to steal the SSH private key of a XenCenter administrator.

XenCenter is a tool for managing Citrix Hypervisor environments from a Windows desktop, including the deployment and monitoring of virtual machines.

The vulnerability, identified as CVE-2024-31497, affects multiple versions of XenCenter for Citrix Hypervisor 8.2 CU1 LTSR that utilize PuTTY to establish SSH connections with guest virtual machines when using the “Open SSH Console” feature.

Citrix Endpoint Management Vulnerability

Citrix Systems Inc. / CC BY (https://creativecommons.org/licenses/by/3.0)

Citrix has informed us that the third-party component PuTTY was removed in XenCenter version 8.2.6, and from version 8.2.7 onwards, it will no longer be included in XenCenter.

The issue pertains to versions of PuTTY before 0.81: under certain scenarios, in conjunction with XenCenter, the vulnerability allows an attacker, who controls a guest virtual machine, to deduce the XenCenter administrator’s private SSH key, according to Citrix specialists.

The vulnerability was discovered by Fabian Bömer and Markus Brinkmann from Ruhr University in Bochum. The flaw is attributed to older versions of the Windows-run PuTTY SSH client generating one-time ECDSA numbers (temporary unique cryptographic numbers) for the NIST P-521 curve used for authentication.

To mitigate the vulnerability, Citrix recommends that administrators download the latest version of PuTTY and install it to replace the version included in older XenCenter releases.

Clients who do not require the “Open SSH Console” functionality can completely remove the PuTTY component. Those wishing to continue using PuTTY should replace the installed version in the XenCenter system with an updated one, version number 0.81 or higher.