Hi.
We are aware of this publication and have reviewed every one of its claims over the last few days.
A few of the reported issues do represent real privilege escalation paths. However, they rely on XAPI’s advanced RBAC roles feature, which is not enabled or exposed by default in Xen Orchestra, XO Lite, or any of our standard documentation. In practice, the escalation path requires a specific setup: an XCP-ng pool connected to Active Directory for its user management, where a user is given access to the management network and is explicitly granted VM configuration rights (vm-admin XAPI role) via XAPI roles. Such a user could gain elevated host-level privileges beyond what was intended.
As we don't actively promote or recommend this configuration, we believe very few users are using it. For the small group that might be, patched packages are in the testing phase, and we will release them shortly.
CVEs are being assigned by the Xen Project (which is the parent project of the XAPI Project) to the vulnerabilities, all requiring this vm-admin XAPI role.
Most of the other claims stem from misunderstandings of how XAPI roles are designed to work (~65 of the 89 claims), or describe bugs that don’t translate to actual security impact (~15 of them).
On the disclosure process: we always appreciate coordinated security research, but responsible disclosure typically involves a reasonable grace period (often two weeks or more) to allow time for review, patching, and coordinated release. In this case, we received an email just 24 hours before public publication, and the initial contact came with strange conditions. That doesn’t align with standard responsible disclosure practices.
Note: This is not intended as an official statement. I have a clear view of the security impact, but since this is an informal, unfiltered write-up, please pardon any minor mistakes in how I’ve reported it.