XSA-468: multiple Windows PV driver vulnerabilities - update now!
-
@TrapoSAMA Windows Server 2012/2012R2 are no longer supported by our (XCP-ng) drivers nor by XenServer drivers.
-
hi!! normally install Xen drivers not XCP driver yet. Some experience with this issue when install over 2012r2?
Thx
-
@dinhngtu Great. So or forever get that banner about vulnerability, or install new tools=no tools, no migration, no pool upgrade, etc.
Need a option "i don't care, hide this host". -
We will likely have a feature next release with a special tag to ignore it
-
Ping @lsouai-vates we need to be sure it's planned
-
- No one said the banner would stay forever. The vulnerability is important enough that for now there's a banner.
- We addressed what is most urgent: patching supported OSes, and making users aware of the vulnerability. The fact that you're annoyed with the banner at least shows it worked.
- We do plan a way to remove the warning for VMs that you would choose.
- @dinhngtu is already evaluating a mitigation script for the bigger vulnerability on unsupported versions of Windows,
-
@olivierlambert As soon as I've created the feature request.
-
@stormi Nice. Because i got this banner for old VM which is halted for years.
What a last supported version for 2012 and how to get it now? -
@TrapoSAMA Where did you get the fixed Xen drivers from? Please see my answer below.
@Tristis-Oris I don't think there's any fixed drivers out there that works on 2012/2012R2. (Microsoft killed support for that some time ago in their new Windows driver kit, and support for Windows 8 was removed upstream since Nov 2023)
Seeing that 2012/2012R2 are still quite popular I'll try to make a mitigation script for those.
-
it looks we need v9.2.3 for 2012. https://docs.xenserver.com/en-us/xenserver/8/vms/windows/vm-tools.html#923
i have old citrix tools 9.3.1, XO detect them.
-
T Tristis Oris referenced this topic
-
Hi all,
I've uploaded a version of the mitigation script Install-XSA468Workaround-Win7.ps1 with unofficial support for down to Windows 7/2008R2 and 8/8.1/2012/2012R2.
Reminder: this is purely unofficial support and not tested on all listed OSes yet. The mitigation script itself is meant as a last resort only when you absolutely cannot update; it does not mitigate all vulnerabilities and it does not replace updating your drivers.
-
Just an FYI,
So far the only 2022 VM I've updated has created new network adapters which defaulted to DHCP, and it has marked the system drive as removeable, which we saw with 2025 almost a year ago.
Make sure to write down your static IP addresses before beginning.
This is from installing Xenserver MA 9.4.1-160
-
@Greg_E From 6 Windows Server 2022 VM's this happened on 3 here.
-
Thanks for the feedback. Let's add a notice in the docs, @dinhngtu?
-
Here is some info on setting the disks so that they are no longer removeable, I think the last time I did this I just needed the registry edit to fix it.
I'm kind of stuck waiting to migrate my firewall before I can get back to fixing my VMs. I only have 5 and one of them is not showing the warning. All of them should have been getting updates from the management agent or from Windows Update, not sure why only 4 give the warning.
-
@dinhngtu @olivierlambert @stormi I think the Windows VM's with old tools should show up in the Dashboard Heath report under "Guest Tools status"...
-
@Andrew I've thought about it and I agree on the principle as there's already a section about guest tools there, but we have put enough pressure on the XO team to make them release the helpful features in time to help users detect vulnerable VMs, on XOA's
stableupdate channel, so it might be wiser to wait for XO6 for such alert to be in a centralized place about guest tools. -
said in XSA-468: multiple Windows PV driver vulnerabilities - update now!:
- We do plan a way to remove the warning for VMs that you would choose.
That's now done and will be included in the next update to the
latestupdate channel for XOA. VMs with theHIDE_XSA468tag will not be included in the vulnerability detection.
