← back to shittrixier.moksha.dk
| Event | Response |
|---|---|
| Email to Vates with conditional patch offer (19 upstream fixes) | None |
| LinkedIn DM to Olivier Lambert (CEO, Vates) | None |
| Email to security@vates.tech | None |
| "Someone at XenServer looked at your profile" on LinkedIn | Not Vates. Citrix. |
Olivier received the researcher's outreach, didn't respond, and probably forwarded it to Citrix. Both vendors now have advance notice. The researcher has zero responses.
shittrix.moksha.dk goes live. 89 advisories with evidence logs from live exploitation tests.
Rob Hoes (rob.hoes@citrix.com) creates AND merges PRs within hours:
| PR | Title | CVE | Created (UTC) | Merged (UTC) |
|---|---|---|---|---|
| #7031 | Remove handling of VBD.other_config:backend-local | CVE-2026-23559 | 10:52 | 13:51 |
| #7032 | Do not recognise VM.other_config:is_system_domain | CVE-2026-23560 | 11:42 | 13:51 |
| #7033 | Do not recognise {VM;PBD}.other_config:storage_driver_domain | CVE-2026-23561 | 14:17 | Apr 27 09:06 |
Disclosure at 08:00 CEST (06:00 UTC). First PR created at 10:52 UTC (12:52 CEST) - 4 hours 52 minutes later. First PR merged at 13:51 UTC (15:51 CEST) - 7 hours 51 minutes after disclosure.
89 advisories at 2 minutes each (just to read) = 178 minutes.
Time from disclosure to first PR created = 292 minutes. That leaves 114 minutes for:
Fast. Very fast.
URL: xcp-ng.org/forum/topic/12105
"We are aware of this publication and have reviewed every of its claims over the last days. A few of the reported issues do represent real privilege escalation paths."
"As we don't actively promote or recommend this configuration, we believe very few users are using it."
"Most of the other claims stem from misunderstandings of how XAPI roles are designed to work (~65 of the 89 claims), or describe bugs that don't translate to actual security impact (~15 of them)."
"we received an email just 24 hours before public publication, and the initial contact came with strange conditions."
And when a community member posted the disclosure link, Samuel's first question:
"@[redacted] Where did you find out about this site?"
Andriy Sultanov (last-genius, vates.tech) creates PR #7039 - the map_keys_roles fix for hvm_serial and pci.
Andriy is an experienced XAPI developer with 415 commits to xapi-project since July 2024. He was the right person for this fix - and it shows. Compare the two approaches: Rob deleted code in three quick PRs (the "make it stop" approach). Andriy built a generic, extensible per-key RBAC checker, moved the trie implementation to a shared module, and verified it manually. PR #7039 is proper engineering - the kind that could scale to protect all 89 fields if anyone cared to use it. Rob merged things. Andriy built things.
* Mon Apr 27 2026 Pau Ruiz Safont - 26.1.3-1.9 - Fixes for XSA-489 (CVE-2026-23559, CVE-2026-23560, CVE-2026-23561)
The fixes were backported into the existing XAPI 26.1.3 package (not shipped as 26.1.11). Available via yum update. No security advisory flag.
| Time (UTC) | Event |
|---|---|
| 16:20 | PR #7039 merged |
| 18:05 | XSA-489 v1 published on xen-devel (36 minutes after merge) |
| Same day | XCP-ng blog: patches shipped as "routine maintenance updates" |
| Same day | VSA-2026-011 published - severity: Low |
* Thu Apr 30 2026 Andrii Sultanov - 26.1.3-1.10 - More fixes for XSA-489 (CVE-2026-23562, CVE-2026-42486)
All 5 CVEs claimed fixed via yum update as XAPI 26.1.3-1.10. Backported into the existing package version, not shipped as XAPI 26.1.11.
Full PoC suite run against fully updated XCP-ng 8.3 (XAPI 26.1.3-1.10, the latest available). Results:
| CVE | Finding | Changelog says | PoC says (verified on both targets) |
|---|---|---|---|
| CVE-2026-23559 | BOC-1 (CVSS 9.9) | Fixed in 26.1.3-1.9 | FIXED - key writable but xenopsd ignores it |
| CVE-2026-23560 | VOC-1 | Fixed in 26.1.3-1.9 | FIXED - key writable but VBD bypass blocked |
| CVE-2026-23561 | VOC-2 | Fixed in 26.1.3-1.9 | FIXED - key writable but pbd_of_vm returns None, DoS chain broken |
| CVE-2026-23562 | ARCH-4 | Fixed in 26.1.3-1.10 | Inconclusive - race not tipped under test conditions |
| CVE-2026-42486 | PLAT-6 | Fixed in 26.1.3-1.10 | FIXED - blocked by XAPI |
Rob Hoes wrote the upstream fixes (PRs #7031-#7033). Pau Ruiz Safont backported them as 26.1.3-1.9. The backport works for 3 of 3 CVEs. BOC-1, VOC-1, and VOC-2 exploitation chains are all broken - keys still writable but consuming code removed. Andriy Sultanov's fix (PR #7039, backported as 26.1.3-1.10) works correctly.
The map_keys_roles mechanism - the exact fix applied in XSA-489 - has existed since 2009.
| Year | Who | What | Keys protected |
|---|---|---|---|
| 2009 | Marcus Granado (Citrix) | Added map_keys_roles for pci, folder, XenCenter.CustomFields.* | 3 |
| 2009-2026 | Nobody | Nothing | 3 |
| 2026 | Andriy Sultanov (PR #7039) | Added hvm_serial + pci (platform) after the 89-advisory disclosure was published | 5 |
The mechanism to prevent all 89 vulnerabilities existed for 17 years. It was used for 3 keys - 1 to enforce licensing, 2 for the management GUI. Nobody applied it to any infrastructure field until a researcher published 89 advisories with live exploitation evidence.
The mechanism existed. The pattern was established. Nobody extended it for 17 years. Applying map_keys_roles to infrastructure fields raises a harder question: "why does _override_sm_config bypass all of them?" That question breaks SMAPIv2.
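To make the per-key mechanism discussed above concrete (the 2009 map_keys_roles table and the generic, extensible per-key RBAC checker with a shared trie that PR #7039 is described as adding), here is an added, self-contained Python model of such a check. It is not XAPI's OCaml code and not the project's actual policy table: the role names are XAPI's built-in RBAC roles, the key patterns are the ones named on this page (pci, folder, XenCenter.CustomFields.*, backend-local, is_system_domain, storage_driver_domain, hvm_serial), the minimum roles assigned to them are constructed for illustration, and the "default role for unlisted keys" is an assumption of the model. It goes slightly beyond the page by letting a `*` rule at the root turn the policy deny-by-default for every key that has no explicit entry.

```python
"""Toy per-key RBAC check for XAPI-style map fields (other_config, platform).

Constructed example for this page: XAPI's real role names, illustrative key
rules, and an assumed default role for keys with no explicit rule.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# XAPI's built-in RBAC roles, from most to least privileged.
ROLE_ORDER = ["pool-admin", "pool-operator", "vm-power-admin",
              "vm-admin", "vm-operator", "read-only"]


def satisfies(have: str, need: str) -> bool:
    """True if the session role `have` is at least as privileged as `need`."""
    return ROLE_ORDER.index(have) <= ROLE_ORDER.index(need)


@dataclass
class _Node:
    children: Dict[str, "_Node"] = field(default_factory=dict)
    min_role: Optional[str] = None        # rule for an exact key match
    wildcard_role: Optional[str] = None   # rule for "<this prefix>.*"


class KeyRoles:
    """Trie over dot-separated key names; a pattern ending in '*' covers
    every key under that prefix ('*' alone covers every key)."""

    def __init__(self) -> None:
        self.root = _Node()

    def add(self, pattern: str, min_role: str) -> None:
        parts = pattern.split(".")
        node = self.root
        if parts[-1] == "*":
            for p in parts[:-1]:
                node = node.children.setdefault(p, _Node())
            node.wildcard_role = min_role
        else:
            for p in parts:
                node = node.children.setdefault(p, _Node())
            node.min_role = min_role

    def required_role(self, key: str) -> Optional[str]:
        """Most specific rule wins: exact match, else the deepest wildcard."""
        node = self.root
        best = node.wildcard_role
        for p in key.split("."):
            node = node.children.get(p)
            if node is None:
                return best
            if node.wildcard_role is not None:
                best = node.wildcard_role
        return node.min_role if node.min_role is not None else best


class MapFieldPolicy:
    """Per-field key policies, e.g. 'VM.other_config' -> KeyRoles."""

    def __init__(self, default_role: str) -> None:
        # Assumption of the model: role allowed to write keys with no rule.
        self.default_role = default_role
        self.fields: Dict[str, KeyRoles] = {}

    def protect(self, field_name: str, pattern: str, min_role: str) -> None:
        self.fields.setdefault(field_name, KeyRoles()).add(pattern, min_role)

    def check_set(self, field_name: str, key: str,
                  session_role: str) -> Tuple[bool, str]:
        """Decide whether `session_role` may set field_name:key."""
        rules = self.fields.get(field_name)
        need = rules.required_role(key) if rules else None
        why = "per-key rule"
        if need is None:
            need, why = self.default_role, "no rule, field default"
        ok = satisfies(session_role, need)
        return ok, f"{field_name}:{key} needs {need} ({why}); session is {session_role}"


def writable_keys(policy: MapFieldPolicy, field_name: str,
                  keys: List[str], session_role: str) -> List[str]:
    """Defender's audit: which of these keys can this role still write?"""
    return [k for k in keys if policy.check_set(field_name, k, session_role)[0]]


def build_example_policy() -> MapFieldPolicy:
    """Constructed policy using the key names from this page (roles are illustrative)."""
    p = MapFieldPolicy(default_role="vm-admin")          # assumption
    p.protect("VM.other_config", "folder", "vm-admin")
    p.protect("VM.other_config", "XenCenter.CustomFields.*", "vm-admin")
    p.protect("VM.other_config", "pci", "pool-admin")
    p.protect("VM.other_config", "is_system_domain", "pool-admin")
    p.protect("VM.other_config", "storage_driver_domain", "pool-admin")
    p.protect("VBD.other_config", "backend-local", "pool-admin")
    p.protect("VM.platform", "hvm_serial", "pool-admin")
    p.protect("VM.platform", "pci", "pool-admin")
    return p


if __name__ == "__main__":
    policy = build_example_policy()
    for fld, key, role in [("VBD.other_config", "backend-local", "vm-admin"),
                           ("VM.other_config", "XenCenter.CustomFields.owner", "vm-admin"),
                           ("VM.other_config", "unlisted_key", "vm-admin")]:
        print(policy.check_set(fld, key, role))
```

The trie gives a single lookup per write regardless of how many keys are protected, which is what makes the per-key approach scale to many fields instead of deleting each consuming code path one at a time. To make a field deny-by-default, add `policy.protect("VM.other_config", "*", "pool-admin")`; every key without a more specific rule then requires pool-admin while the explicit rules still win.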
Jakob Wolffhechel - Moksha - Copenhagen
jakob@wolffhechel.dk
GNA #117 - cna.moksha.dk