XSA-468: multiple Windows PV driver vulnerabilities - update now!
-
@dinhngtu On a Windows 10 VM rebooting alone did not do the trick. After 5 reboots the script still reports vulnerable devices:
.\Install-XSA468Workaround.ps1 -Scan Looking for vulnerable XenIface objects Found vulnerable object XENBUS\VEN_XSC000&DEV_IFACE\_ Found vulnerable object XENBUS\VEN_XSC000&DEV_IFACE\_ Looking for vulnerable XenIface WMI GUIDs Found vulnerable WMI GUID 1D80EB99-A1D6-4492-B62F-8B4549FF0B5E Found vulnerable WMI GUID 12138A69-97B2-49DD-B9DE-54749AABC789 Found vulnerable WMI GUID AB8136BF-8EA7-420D-ADAD-89C83E587925 Found XenIface vulnerability, it's recommended to run the script TrueRunning
.\Install-XSA468Workaround.ps1works as expected. After another reboot nothing is reported as being vulnerable anymore.On a Windows 2019 Server I saw the behaviour you described: Installing the tools and a reboot was enough.
-
On another Windows 10 host it worked. What was different: I saw the message box "Tools have been installed successfully". May be that makes a difference?
-
@conitrade-as I saw that on your Windows 10 VM, the "Manage Citrix PV drivers via Windows Update" option is enabled. That one might have needed a Windows Update to install the fixed drivers. Do you have that option enabled in other VMs?
-
@dinhngtu On the machine where it worked, the option "Manage Citrix PV drivers via Windows Update" was not enabled. Seems that my older BIOS Windows 10 VMs have that option enabled. On all UEFI VMs the options is disabled.
As I wanted to go and check that is present in the templates, I realized that the Windows Templates are gone from Xen Orchestra v5.106.4???
-
@conitrade-as said in XSA-468: multiple Windows PV driver vulnerabilities - update now!:
As I wanted to go and check that is present in the templates, I realized that the Windows Templates are gone from Xen Orchestra v5.106.4??
Can confirm all templates for Windows are missing on 5.107.0 as well.
-
@conitrade-as @DustinB Thanks, reported the template issue to XO team.
-
Here is another interesting fact: After installing the new tools (v.9.4.1) my static routes in Windows were all gone.
Definitively a good way to loose connectivity to your domain controller. And that's why you have good monitoring and store things in Ansible et al. ... 
-
@conitrade-as said in XSA-468: multiple Windows PV driver vulnerabilities - update now!:
Here is another interesting fact: After installing the new tools (v.9.4.1) my static routes in Windows were all gone.
Definitively a good way to loose connectivity to your domain controller. And that's why you have good monitoring and store things in Ansible et al. ... Statically assign, but keep your DHCP server with reservations to address these types of issues
-
@DustinB Did run usr/bin/create-guest-templates but tepmlates are gone here also.
-
@manilx said in XSA-468: multiple Windows PV driver vulnerabilities - update now!:
@DustinB Did run usr/bin/create-guest-templates but tepmlates are gone here also.
I did not, I'm in the middle of an AV/EDR migration and this way added to the list of things to touch while I was on the systems.
To me the templates are a minor inconvenience as we aren't constantly adding VMs.
-
@DustinB Not IP assignments, I am talking about static routes. See e.g. https://learn.microsoft.com/en-us/powershell/module/nettcpip/get-netroute
-
@conitrade-as said in XSA-468: multiple Windows PV driver vulnerabilities - update now!:
@DustinB Not IP assignments, I am talking about static routes. See e.g. https://learn.microsoft.com/en-us/powershell/module/nettcpip/get-netroute
Okay.... what...
-
Hi! Regarding the templates issue, we're working on a fix on branch
pierre-fix-xsa468-testmaster. Would anyone having the issue be available to test it? -
@pdonias Sure thing. I can test it in my test environment.
-
Just did a couple more tests. Here are my findings:
- Upgrading the tools from v9.3.3 to v9.4.1 does preserve the routing table.
- Upgrading the tools from v9.2.1 to v9.4.1 does not preserve the routing table.
Here are a couple of powershell commands used for testing:
Get-NetRoute -PolicyStore PersistentStore Get-NetAdapter New-NetRoute -DestinationPrefix "10.10.0.0/24" -InterfaceIndex <ifIndex> -NextHop 10.10.0.254 -
@conitrade-as This is a known issue when upgrading from XS WinPV 9.3.0 and below: https://support.citrix.com/s/article/CTX235403-updates-to-xenserver-vm-tools-for-windows-for-xenserver-and-citrix-hypervisor
-
@dinhngtu Thanks for the pointer. Yes, it seems that the root cause also makes routes disappear. Howerver, that the routing information is gone is sadly not mentioned explicitly. May be something to add to your docs as well.
Caution when updating tools: Verify interface IP configuration and routing entries.
-
@Forza said in XSA-468: multiple Windows PV driver vulnerabilities - update now!:
Hi,
It is not clear to me if the old XCP-ng PV drivers (8.2.2.200-RC1) are affected or not. How should we proceed if they are?
Do others share this feeling and have this question after re-reading the whole announcement?
-
@stormi said in XSA-468: multiple Windows PV driver vulnerabilities - update now!:
Do others share this feeling and have this question after re-reading the whole announcement?
No it's pretty clear, update the drivers on everything as all versions are susceptible.
-
One thing i've noticed since upgrading to tools version 9.4.1 is that the version installed will display properly in XOA up until the VM is migrated. After a migration it changed to just "Management agent detected" with no version shown. Not sure if this is an XO issue or an issue with the tools itself?
