XSA-468: multiple Windows PV driver vulnerabilities - update now!
-
@Forza said in XSA-468: multiple Windows PV driver vulnerabilities - update now!:
Hi,
It is not clear to me if the old XCP-ng PV drivers (8.2.2.200-RC1) are affected or not. How should we proceed if they are?
Do others share this feeling and have this question after re-reading the whole announcement?
-
@stormi said in XSA-468: multiple Windows PV driver vulnerabilities - update now!:
Do others share this feeling and have this question after re-reading the whole announcement?
No, it's pretty clear: update the drivers on everything, as all versions are susceptible.
-
One thing I've noticed since upgrading to tools version 9.4.1 is that the version installed will display properly in XOA up until the VM is migrated. After a migration it changes to just "Management agent detected" with no version shown. Not sure if this is an XO issue or an issue with the tools themselves?
-
@flakpyro There's also a chance this is a XAPI issue. CC @andriy.sultanov
-
@dinhngtu here is the output from one of the VMs recently migrated:
xe vm-param-get uuid=261634d9-b67c-1048-b028-2e33abea6329 param-name=PV-drivers-version
micro: -1; xennet: XenServer 9.1.7.65 ; xeniface: XenServer 9.1.12.94 ; xenvif: XenServer 9.1.13.107 ; xenvbd: XenServer 9.1.9.82 ; xenbus: XenServer 9.1.11.115
-
@flakpyro
I've found a similar issue with all VMs I update. After I update and reboot, it stays at "Management agent detected" with no version shown. Once I reboot a second time, it stays at "Management agent detected" with "Management agent 9.4.1-160 detected"
-
@archw I can confirm. That is exactly the behaviour I see with my Windows VMs.
-
Hi!
Upgrading Xentools takes two reboots to complete! If you have old tools installed, it is better to upgrade to 7 and afterwards to 9.
About the latter, has anybody had issues upgrading Windows Server 2012R2?
Thx
-
@TrapoSAMA Windows Server 2012/2012R2 are no longer supported by our (XCP-ng) drivers nor by XenServer drivers.
-
Hi!! I normally install Xen drivers, not XCP drivers yet. Does anyone have experience with this issue when installing on 2012R2?
Thx
-
@dinhngtu Great. So either get that banner about the vulnerability forever, or install new tools = no tools, no migration, no pool upgrade, etc.
Need an option "I don't care, hide this host".
-
We will likely have a feature next release with a special tag to ignore it
-
Ping @lsouai-vates we need to be sure it's planned
-
- No one said the banner would stay forever. The vulnerability is important enough that for now there's a banner.
- We addressed what is most urgent: patching supported OSes, and making users aware of the vulnerability. The fact that you're annoyed with the banner at least shows it worked.
- We do plan a way to remove the warning for VMs that you would choose.
- @dinhngtu is already evaluating a mitigation script for the bigger vulnerability on unsupported versions of Windows,
-
@olivierlambert As soon as I've created the feature request.
-
@stormi Nice. Because I got this banner for an old VM which has been halted for years.
What is the last supported version for 2012 and how to get it now?
-
@TrapoSAMA Where did you get the fixed Xen drivers from? Please see my answer below.
@Tristis-Oris I don't think there are any fixed drivers out there that work on 2012/2012R2. (Microsoft killed support for that some time ago in their new Windows driver kit, and support for Windows 8 was removed upstream since Nov 2023)
Seeing that 2012/2012R2 are still quite popular I'll try to make a mitigation script for those.
-
It looks like we need v9.2.3 for 2012. https://docs.xenserver.com/en-us/xenserver/8/vms/windows/vm-tools.html#923
I have old Citrix tools 9.3.1; XO detects them.
-
Hi all,
I've uploaded a version of the mitigation script Install-XSA468Workaround-Win7.ps1 with unofficial support for down to Windows 7/2008R2 and 8/8.1/2012/2012R2.
Reminder: this is purely unofficial support and not tested on all listed OSes yet. The mitigation script itself is meant as a last resort only when you absolutely cannot update; it does not mitigate all vulnerabilities and it does not replace updating your drivers.