Citrix warns admins to manually mitigate PuTTY SSH client bug (Security News, May 2024)
Citrix notified customers this week to manually mitigate a PuTTY SSH client vulnerability that could allow attackers to steal a XenCenter admin's private SSH key.
The security flaw impacts multiple versions of XenCenter for Citrix Hypervisor 8.2 CU1 LTSR, which bundle and use PuTTY to make SSH connections from XenCenter to guest VMs when clicking the "Open SSH Console" button.
"An issue has been reported in versions of PuTTY prior to version 0.81; when used in conjunction with XenCenter, this issue may, in some scenarios, allow an attacker who controls a guest VM to determine the SSH private key of a XenCenter administrator who uses that key to authenticate to that guest VM while using an SSH connection," Citrix explains in a Wednesday security advisory.
The company told admins who want to mitigate the vulnerability to download the latest version of PuTTY and install it in place of the version bundled with older XenCenter releases.
"Customers who do not wish to use the 'Open SSH Console' functionality may remove the PuTTY component completely," Citrix added.