XCP-ng
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Groups
    • Register
    • Login

    XSA-468: multiple Windows PV driver vulnerabilities - update now!

    Scheduled Pinned Locked Moved News
    57 Posts 14 Posters 2.0k Views 11 Watching
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • F Offline
      flakpyro @dinhngtu
      last edited by

      @dinhngtu here is the output from one of the VMs recently migrated:

      xe vm-param-get uuid=261634d9-b67c-1048-b028-2e33abea6329 param-name=PV-drivers-version
      micro: -1; xennet: XenServer 9.1.7.65 ; xeniface: XenServer 9.1.12.94 ; xenvif: XenServer 9.1.13.107 ; xenvbd: XenServer 9.1.9.82 ; xenbus: XenServer 9.1.11.115 
      
      1 Reply Last reply Reply Quote 1
      • A Offline
        archw @flakpyro
        last edited by

        @flakpyro
        I've found a similar issue with all VMs I update. After I update and reboot, it stays at "Management agent detected" with no version shown.

        Once I reboot a second time, it stays at "Management agent detected" with "Management agent 9.4.1-160 detected"

        C 1 Reply Last reply Reply Quote 0
        • C Offline
          conitrade-as @archw
          last edited by

          @archw I can confirm. That is exactly the behaviour I see with my Windows VMs.

          1 Reply Last reply Reply Quote 0
          • T Offline
            TrapoSAMA
            last edited by

            HI!

            Upgrade Xentools take two reboot for complete! if you have old tools installed isbetter upgrade to 7 and after to 9

            About this last somebody have some issue upgrading windows server 2012R2?

            Thx

            D 1 Reply Last reply Reply Quote 0
            • D Offline
              dinhngtu Vates ๐Ÿช XCP-ng Team @TrapoSAMA
              last edited by

              @TrapoSAMA Windows Server 2012/2012R2 are no longer supported by our (XCP-ng) drivers nor by XenServer drivers.

              T Tristis OrisT 2 Replies Last reply Reply Quote 0
              • T Offline
                TrapoSAMA @dinhngtu
                last edited by

                @dinhngtu

                hi!! normally install Xen drivers not XCP driver yet. Some experience with this issue when install over 2012r2?

                Thx

                1 Reply Last reply Reply Quote 0
                • Tristis OrisT Offline
                  Tristis Oris Top contributor @dinhngtu
                  last edited by

                  @dinhngtu Great. So or forever get that banner about vulnerability, or install new tools=no tools, no migration, no pool upgrade, etc.
                  Need a option "i don't care, hide this host".

                  stormiS 1 Reply Last reply Reply Quote 0
                  • olivierlambertO Offline
                    olivierlambert Vates ๐Ÿช Co-Founder CEO
                    last edited by

                    We will likely have a feature next release with a special tag to ignore it

                    1 Reply Last reply Reply Quote 1
                    • olivierlambertO Offline
                      olivierlambert Vates ๐Ÿช Co-Founder CEO
                      last edited by

                      Ping @lsouai-vates we need to be sure it's planned ๐Ÿ™‚

                      stormiS 1 Reply Last reply Reply Quote 0
                      • stormiS Offline
                        stormi Vates ๐Ÿช XCP-ng Team @Tristis Oris
                        last edited by

                        @Tristis-Oris

                        1. No one said the banner would stay forever. The vulnerability is important enough that for now there's a banner.
                        2. We addressed what is most urgent: patching supported OSes, and making users aware of the vulnerability. The fact that you're annoyed with the banner at least shows it worked.
                        3. We do plan a way to remove the warning for VMs that you would choose.
                        4. @dinhngtu is already evaluating a mitigation script for the bigger vulnerability on unsupported versions of Windows,
                        stormiS 1 Reply Last reply Reply Quote 1
                        • stormiS Offline
                          stormi Vates ๐Ÿช XCP-ng Team @olivierlambert
                          last edited by

                          @olivierlambert As soon as I've created the feature request.

                          Tristis OrisT 1 Reply Last reply Reply Quote 1
                          • Tristis OrisT Offline
                            Tristis Oris Top contributor @stormi
                            last edited by

                            @stormi Nice. Because i got this banner for old VM which is halted for years.
                            What a last supported version for 2012 and how to get it now?

                            D 1 Reply Last reply Reply Quote 0
                            • D Offline
                              dinhngtu Vates ๐Ÿช XCP-ng Team @Tristis Oris
                              last edited by dinhngtu

                              @TrapoSAMA Where did you get the fixed Xen drivers from? Please see my answer below.

                              @Tristis-Oris I don't think there's any fixed drivers out there that works on 2012/2012R2. (Microsoft killed support for that some time ago in their new Windows driver kit, and support for Windows 8 was removed upstream since Nov 2023)

                              Seeing that 2012/2012R2 are still quite popular I'll try to make a mitigation script for those.

                              1 Reply Last reply Reply Quote 0
                              • Tristis OrisT Offline
                                Tristis Oris Top contributor
                                last edited by Tristis Oris

                                it looks we need v9.2.3 for 2012. https://docs.xenserver.com/en-us/xenserver/8/vms/windows/vm-tools.html#923

                                i have old citrix tools 9.3.1, XO detect them.

                                1 Reply Last reply Reply Quote 0
                                • Tristis OrisT Tristis Oris referenced this topic
                                • D Offline
                                  dinhngtu Vates ๐Ÿช XCP-ng Team
                                  last edited by dinhngtu

                                  Hi all,

                                  I've uploaded a version of the mitigation script Install-XSA468Workaround-Win7.ps1 with unofficial support for down to Windows 7/2008R2 and 8/8.1/2012/2012R2.

                                  Reminder: this is purely unofficial support and not tested on all listed OSes yet. The mitigation script itself is meant as a last resort only when you absolutely cannot update; it does not mitigate all vulnerabilities and it does not replace updating your drivers.

                                  @Tristis-Oris @TrapoSAMA

                                  1 Reply Last reply Reply Quote 3
                                  • G Offline
                                    Greg_E
                                    last edited by

                                    Just an FYI,

                                    So far the only 2022 VM I've updated has created new network adapters which defaulted to DHCP, and it has marked the system drive as removeable, which we saw with 2025 almost a year ago.

                                    Make sure to write down your static IP addresses before beginning.

                                    This is from installing Xenserver MA 9.4.1-160

                                    M 1 Reply Last reply Reply Quote 0
                                    • M Offline
                                      manilx @Greg_E
                                      last edited by manilx

                                      @Greg_E From 6 Windows Server 2022 VM's this happened on 3 here.

                                      1 Reply Last reply Reply Quote 0
                                      • stormiS Offline
                                        stormi Vates ๐Ÿช XCP-ng Team
                                        last edited by

                                        Thanks for the feedback. Let's add a notice in the docs, @dinhngtu?

                                        1 Reply Last reply Reply Quote 0
                                        • G Offline
                                          Greg_E
                                          last edited by

                                          Here is some info on setting the disks so that they are no longer removeable, I think the last time I did this I just needed the registry edit to fix it.

                                          https://xcp-ng.org/forum/topic/9987/secondary-virtual-disks-appearing-as-removable-on-windows-11-vms/6?_=1748973746267

                                          I'm kind of stuck waiting to migrate my firewall before I can get back to fixing my VMs. I only have 5 and one of them is not showing the warning. All of them should have been getting updates from the management agent or from Windows Update, not sure why only 4 give the warning.

                                          1 Reply Last reply Reply Quote 0
                                          • A Online
                                            Andrew Top contributor @dinhngtu
                                            last edited by

                                            @dinhngtu @olivierlambert @stormi I think the Windows VM's with old tools should show up in the Dashboard Heath report under "Guest Tools status"...

                                            stormiS 1 Reply Last reply Reply Quote 0
                                            • First post
                                              Last post