XCP-ng

    XSA-468: multiple Windows PV driver vulnerabilities - update now!

      stormi Vates XCP-ng Team @Tristis Oris

      @Tristis-Oris

      1. No one said the banner would stay forever. The vulnerability is important enough that for now there's a banner.
      2. We addressed what is most urgent: patching supported OSes, and making users aware of the vulnerability. The fact that you're annoyed with the banner at least shows it worked.
      3. We do plan a way to remove the warning for VMs that you would choose.
      4. @dinhngtu is already evaluating a mitigation script for the bigger vulnerability on unsupported versions of Windows,
        stormi Vates XCP-ng Team @olivierlambert

        @olivierlambert As soon as I've created the feature request.

          Tristis Oris Top contributor @stormi

          @stormi Nice. Because I got this banner for an old VM which has been halted for years.
          What is the last supported version for 2012 and how to get it now?

            dinhngtu Vates XCP-ng Team @Tristis Oris

            @TrapoSAMA Where did you get the fixed Xen drivers from? Please see my answer below.

            @Tristis-Oris I don't think there are any fixed drivers out there that work on 2012/2012R2. (Microsoft killed support for that some time ago in their new Windows driver kit, and support for Windows 8 was removed upstream since Nov 2023.)

            Seeing that 2012/2012R2 are still quite popular, I'll try to make a mitigation script for those.

              Tristis Oris Top contributor

              It looks like we need v9.2.3 for 2012. https://docs.xenserver.com/en-us/xenserver/8/vms/windows/vm-tools.html#923

              I have old Citrix tools 9.3.1, XO detects them.

                dinhngtu Vates XCP-ng Team

                Hi all,

                I've uploaded a version of the mitigation script Install-XSA468Workaround-Win7.ps1 with unofficial support for down to Windows 7/2008R2 and 8/8.1/2012/2012R2.

                Reminder: this is purely unofficial support and not tested on all listed OSes yet. The mitigation script itself is meant as a last resort only when you absolutely cannot update; it does not mitigate all vulnerabilities and it does not replace updating your drivers.

                @Tristis-Oris @TrapoSAMA

                  Greg_E

                  Just an FYI,

                  So far the only 2022 VM I've updated has created new network adapters which defaulted to DHCP, and it has marked the system drive as removable, which we saw with 2025 almost a year ago.

                  Make sure to write down your static IP addresses before beginning.

                  This is from installing XenServer MA 9.4.1-160.

                    manilx @Greg_E

                    @Greg_E Out of 6 Windows Server 2022 VMs, this happened on 3 here.

                      stormi Vates XCP-ng Team

                      Thanks for the feedback. Let's add a notice in the docs, @dinhngtu?

                        Greg_E

                        Here is some info on setting the disks so that they are no longer removable. I think the last time I did this I just needed the registry edit to fix it.

                        https://xcp-ng.org/forum/topic/9987/secondary-virtual-disks-appearing-as-removable-on-windows-11-vms/6?_=1748973746267

                        I'm kind of stuck waiting to migrate my firewall before I can get back to fixing my VMs. I only have 5 and one of them is not showing the warning. All of them should have been getting updates from the management agent or from Windows Update, not sure why only 4 give the warning.

                          Andrew Top contributor @dinhngtu

                          @dinhngtu @olivierlambert @stormi I think the Windows VMs with old tools should show up in the Dashboard Health report under "Guest Tools status"...

                            stormi Vates XCP-ng Team @Andrew

                            @Andrew I've thought about it and I agree on the principle as there's already a section about guest tools there, but we have put enough pressure on the XO team to make them release the helpful features in time to help users detect vulnerable VMs, on XOA's stable update channel, so it might be wiser to wait for XO6 for such an alert to be in a centralized place about guest tools.

                            CC @lsouai-vates

                              stormi Vates XCP-ng Team @stormi

                              said in XSA-468: multiple Windows PV driver vulnerabilities - update now!:

                              @Tristis-Oris

                              3. We do plan a way to remove the warning for VMs that you would choose.

                              That's now done and will be included in the next update to the latest update channel for XOA. VMs with the HIDE_XSA468 tag will not be included in the vulnerability detection.

                                Greg_E

                                Better late than never I guess 🤔

                                4 out of 5 of my Server 2022 VMs needed to have the networking set back to manual after the driver update. 5 out of 5 need to have the system drive marked as non-removable, but I need to move on for a couple other things before swinging back to the system drives.

                                  dinhngtu Vates XCP-ng Team @Greg_E

                                  @Greg_E Are you moving straight from older Citrix drivers or from XCP-ng drivers? XenClean 9.0.9108 and newer should now keep static IP settings on execution.

                                    Greg_E @dinhngtu

                                    @dinhngtu

                                    I went from Citrix 9.3.3 to 9.4.1, and generally they have remained manual when I've upgraded. All these VMs started out with 9.2.x so this is probably the fourth update to them.

                                    And all that said, I know the MAC address did not change, because I had a reservation for one of them and it was found properly before putting it back to manual. I think the XCP-ng side of things worked properly (no MAC change), but the driver side was the issue, and nothing you can fix since you don't write this driver.

                                    I probably should have used the cleaner first, but I went straight to the Citrix installer like I've done in the past. Took about an hour to get the 5 VMs updated, now I can move on to other things that have been lacking. I've mentioned it a few times, but this construction has me way behind for the summer, and only a few weeks of work time left before students come back.

                                      flakpyro @archw

                                      Not to bring up an old thread but was the issue of the Management agent version not properly being displayed with 9.4.1 after a migration ever figured out?

                                        dinhngtu Vates XCP-ng Team @flakpyro

                                        @flakpyro It's most likely a bug in the Citrix agent.

                                          Greg_E @flakpyro

                                          @flakpyro

                                          The five I updated were all reporting properly as of last week when I looked at it last.

                                          I still haven't fixed the OS drive showing as removable, I'll catch that before the August MS updates and reboot.

                                            TrapoSAMA @Greg_E

                                            @Greg_E

                                            I see that error only with 2022 server

                                            🙂
