XCP-ng
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Groups
    • Register
    • Login

    XSA-468: multiple Windows PV driver vulnerabilities - update now!

    Scheduled Pinned Locked Moved News
    60 Posts 14 Posters 3.3k Views 10 Watching
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • D Offline
      DustinB @dinhngtu
      last edited by

      @dinhngtu said in XSA-468: multiple Windows PV driver vulnerabilities - update now!:

      @DustinB If you're coming from old XenServer tools to new, no need to uninstall.

      Interesting, the alert is still within XOA

      9cf6c8e6-5d08-4469-896b-7e0905730607-image.png ...

      D 1 Reply Last reply Reply Quote 0
      • D Offline
        dinhngtu Vates 🪐 XCP-ng Team @DustinB
        last edited by

        @DustinB Do you have the newest pool updates? The warning depends on that.

        D 1 Reply Last reply Reply Quote 0
        • D Offline
          DustinB @dinhngtu
          last edited by

          @dinhngtu said in XSA-468: multiple Windows PV driver vulnerabilities - update now!:

          @DustinB Do you have the newest pool updates? The warning depends on that.

          I have an open ticket for that.....

          1 Reply Last reply Reply Quote 0
          • C Offline
            conitrade-as @dinhngtu
            last edited by

            @dinhngtu On a Windows 10 VM rebooting alone did not do the trick. After 5 reboots the script still reports vulnerable devices:

            .\Install-XSA468Workaround.ps1 -Scan
            
            Looking for vulnerable XenIface objects
            Found vulnerable object XENBUS\VEN_XSC000&DEV_IFACE\_
            Found vulnerable object XENBUS\VEN_XSC000&DEV_IFACE\_
            
            Looking for vulnerable XenIface WMI GUIDs
            Found vulnerable WMI GUID 1D80EB99-A1D6-4492-B62F-8B4549FF0B5E
            Found vulnerable WMI GUID 12138A69-97B2-49DD-B9DE-54749AABC789
            Found vulnerable WMI GUID AB8136BF-8EA7-420D-ADAD-89C83E587925
            
            Found XenIface vulnerability, it's recommended to run the script
            True
            

            Running .\Install-XSA468Workaround.ps1 works as expected. After another reboot nothing is reported as being vulnerable anymore.

            On a Windows 2019 Server I saw the behaviour you described: Installing the tools and a reboot was enough.

            C D 2 Replies Last reply Reply Quote 0
            • C Offline
              conitrade-as @conitrade-as
              last edited by

              On another Windows 10 host it worked. What was different: I saw the message box "Tools have been installed successfully". May be that makes a difference?

              1 Reply Last reply Reply Quote 0
              • D Offline
                dinhngtu Vates 🪐 XCP-ng Team @conitrade-as
                last edited by dinhngtu

                @conitrade-as I saw that on your Windows 10 VM, the "Manage Citrix PV drivers via Windows Update" option is enabled. That one might have needed a Windows Update to install the fixed drivers. Do you have that option enabled in other VMs?

                C 1 Reply Last reply Reply Quote 0
                • C Offline
                  conitrade-as @dinhngtu
                  last edited by

                  @dinhngtu On the machine where it worked, the option "Manage Citrix PV drivers via Windows Update" was not enabled. Seems that my older BIOS Windows 10 VMs have that option enabled. On all UEFI VMs the options is disabled.

                  As I wanted to go and check that is present in the templates, I realized that the Windows Templates are gone from Xen Orchestra v5.106.4???

                  D 1 Reply Last reply Reply Quote 0
                  • D Offline
                    DustinB @conitrade-as
                    last edited by

                    @conitrade-as said in XSA-468: multiple Windows PV driver vulnerabilities - update now!:

                    As I wanted to go and check that is present in the templates, I realized that the Windows Templates are gone from Xen Orchestra v5.106.4??

                    Can confirm all templates for Windows are missing on 5.107.0 as well.

                    D M pdoniasP 3 Replies Last reply Reply Quote 0
                    • D Offline
                      dinhngtu Vates 🪐 XCP-ng Team @DustinB
                      last edited by dinhngtu

                      @conitrade-as @DustinB Thanks, reported the template issue to XO team.

                      1 Reply Last reply Reply Quote 0
                      • C Offline
                        conitrade-as
                        last edited by conitrade-as

                        Here is another interesting fact: After installing the new tools (v.9.4.1) my static routes in Windows were all gone. ⚠ Definitively a good way to loose connectivity to your domain controller. And that's why you have good monitoring and store things in Ansible et al. ... 🙂

                        D C F 3 Replies Last reply Reply Quote 0
                        • D Offline
                          DustinB @conitrade-as
                          last edited by

                          @conitrade-as said in XSA-468: multiple Windows PV driver vulnerabilities - update now!:

                          Here is another interesting fact: After installing the new tools (v.9.4.1) my static routes in Windows were all gone. ⚠ Definitively a good way to loose connectivity to your domain controller. And that's why you have good monitoring and store things in Ansible et al. ... 🙂

                          Statically assign, but keep your DHCP server with reservations to address these types of issues 🙂

                          C 1 Reply Last reply Reply Quote 0
                          • M Offline
                            manilx @DustinB
                            last edited by

                            @DustinB Did run usr/bin/create-guest-templates but tepmlates are gone here also.

                            D 1 Reply Last reply Reply Quote 0
                            • D Offline
                              DustinB @manilx
                              last edited by

                              @manilx said in XSA-468: multiple Windows PV driver vulnerabilities - update now!:

                              @DustinB Did run usr/bin/create-guest-templates but tepmlates are gone here also.

                              I did not, I'm in the middle of an AV/EDR migration and this way added to the list of things to touch while I was on the systems.

                              To me the templates are a minor inconvenience as we aren't constantly adding VMs.

                              1 Reply Last reply Reply Quote 0
                              • C Offline
                                conitrade-as @DustinB
                                last edited by

                                @DustinB Not IP assignments, I am talking about static routes. See e.g. https://learn.microsoft.com/en-us/powershell/module/nettcpip/get-netroute

                                D 1 Reply Last reply Reply Quote 0
                                • D Offline
                                  DustinB @conitrade-as
                                  last edited by

                                  @conitrade-as said in XSA-468: multiple Windows PV driver vulnerabilities - update now!:

                                  @DustinB Not IP assignments, I am talking about static routes. See e.g. https://learn.microsoft.com/en-us/powershell/module/nettcpip/get-netroute

                                  Okay.... what...

                                  1 Reply Last reply Reply Quote 0
                                  • pdoniasP Offline
                                    pdonias Vates 🪐 XO Team @DustinB
                                    last edited by pdonias

                                    Hi! Regarding the templates issue, we're working on a fix on branch pierre-fix-xsa468-test master. Would anyone having the issue be available to test it?

                                    C 1 Reply Last reply Reply Quote 0
                                    • C Offline
                                      conitrade-as @pdonias
                                      last edited by

                                      @pdonias Sure thing. I can test it in my test environment.

                                      1 Reply Last reply Reply Quote 1
                                      • C Offline
                                        conitrade-as @conitrade-as
                                        last edited by

                                        Just did a couple more tests. Here are my findings:

                                        • Upgrading the tools from v9.3.3 to v9.4.1 does preserve the routing table.
                                        • Upgrading the tools from v9.2.1 to v9.4.1 does not preserve the routing table.

                                        Here are a couple of powershell commands used for testing:

                                        Get-NetRoute -PolicyStore PersistentStore
                                        Get-NetAdapter
                                        New-NetRoute -DestinationPrefix "10.10.0.0/24" -InterfaceIndex <ifIndex> -NextHop 10.10.0.254
                                        
                                        D 1 Reply Last reply Reply Quote 0
                                        • D Offline
                                          dinhngtu Vates 🪐 XCP-ng Team @conitrade-as
                                          last edited by dinhngtu

                                          @conitrade-as This is a known issue when upgrading from XS WinPV 9.3.0 and below: https://support.citrix.com/s/article/CTX235403-updates-to-xenserver-vm-tools-for-windows-for-xenserver-and-citrix-hypervisor

                                          C 1 Reply Last reply Reply Quote 0
                                          • C Offline
                                            conitrade-as @dinhngtu
                                            last edited by

                                            @dinhngtu Thanks for the pointer. Yes, it seems that the root cause also makes routes disappear. Howerver, that the routing information is gone is sadly not mentioned explicitly. May be something to add to your docs as well.

                                            Caution when updating tools: Verify interface IP configuration and routing entries.

                                            1 Reply Last reply Reply Quote 0
                                            • First post
                                              Last post