XCP-ng
    Posts by Rod G
    • RE: XOA vulnerability to "copy fail" and "dirty frag" bug

      Quick update now that Vates has published their official advisory.

      First, kudos to the Vates security team for the thorough and timely response. VSA-2026-014 is well-documented and covers the full picture, including a third CVE I had not covered in my earlier posts.

      VSA-2026-014 confirms what I outlined above: XCP-ng is affected by CVE-2026-43284 (XFRM-ESP) and is NOT affected by CVE-2026-43500 (no RxRPC support). The CVE I had missed: CVE-2026-46300 ("Fragnesia") also affects XCP-ng via the XFRM ESP-in-TCP subsystem. The same esp4/esp6 blacklist mitigation applies, with the same caveat @semarie raised: it will break encrypted private networks on XCP-ng.

      Now that the VSA and official mitigation guidance are public, I'm releasing the diagnostic script I built. It's Python 3.6, no external dependencies, safe to run on production dom0. It tests whether an unprivileged process can engage the esp4 engine via the XFRM interface inside a user namespace, without touching any exploit code. Since both CVE-2026-43284 and CVE-2026-46300 (Fragnesia) require esp4 or esp6 to be reachable from an unprivileged namespace, and share the same mitigation, a positive result confirms exposure to both. Blacklist esp4/esp6, then run the script again; ACCESS DENIED means both CVEs are mitigated.

      One important note before running it: please read the code before executing it on any of your systems. This is good practice with any script from the internet, regardless of the source. The code is intentionally short and straightforward so you can review it quickly and satisfy yourself that it does exactly what it says.

      🔗 VSA-2026-014: https://docs.vates.tech/security/advisories/2026/vates-sa-2026-014/
      🔗 Diagnostic tool: https://github.com/grabesec/XCP_ng_CVE-2026-43284_tester

      A kernel patch from Vates is in progress. Apply as soon as it lands.

      posted in XCP-ng
      Rod G
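      The post above recommends blacklisting esp4/esp6 as the interim mitigation and then re-running the linked diagnostic. The following is an added example (not the author's diagnostic script and not part of the XCP-ng project) that checks the mitigation from the other direction: it parses modprobe.d-style configuration for `blacklist` and `install … /bin/true` directives and cross-checks against the list of currently loaded modules, since a blacklist only stops future autoloading and an already resident esp4 module stays reachable until it is unloaded or the host reboots. The sample configuration and loaded-module list are constructed; on a real dom0 the two helper functions read `/etc/modprobe.d/*.conf` and `/proc/modules`.

```python
"""Check whether esp4/esp6 are neutralised by modprobe configuration.

Added example: this is NOT the diagnostic script linked in the post above.
It only reads configuration text and the loaded-module list, so it never
touches XFRM itself and can run offline on the constructed sample data.
"""
import re
from pathlib import Path
from typing import Dict, Iterable, List

MODULES = ("esp4", "esp6")

# "blacklist <mod>" only tells modprobe to ignore the module's internal aliases,
# which blocks alias-driven autoload (the path XFRM uses) but not an explicit
# "modprobe esp4". "install <mod> /bin/true" (or /bin/false) blocks both, so it
# is the more robust form; both are accepted here.
_BLACKLIST_RE = re.compile(r"^\s*blacklist\s+(\S+)\s*$")
_INSTALL_RE = re.compile(r"^\s*install\s+(\S+)\s+(/bin/true|/bin/false)\b")


def parse_modprobe_conf(text: str) -> Dict[str, str]:
    """Return {module_name: directive} for every module neutralised in `text`."""
    found: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        m = _BLACKLIST_RE.match(line)
        if m:
            found[m.group(1)] = "blacklist"
            continue
        m = _INSTALL_RE.match(line)
        if m:
            found[m.group(1)] = "install"
    return found


def esp_mitigation_status(conf_texts: Iterable[str],
                          loaded_modules: Iterable[str]) -> Dict[str, dict]:
    """Combine config directives with the currently loaded module names.

    A module is only reported as mitigated when it is both neutralised in
    configuration AND not currently loaded, because a blacklist does not
    unload a module that is already resident.
    """
    disabled: Dict[str, str] = {}
    for text in conf_texts:
        disabled.update(parse_modprobe_conf(text))
    loaded = set(loaded_modules)
    return {
        mod: {
            "blacklisted": mod in disabled,
            "directive": disabled.get(mod),
            "loaded": mod in loaded,
            "mitigated": mod in disabled and mod not in loaded,
        }
        for mod in MODULES
    }


def read_modprobe_d(directory: str = "/etc/modprobe.d") -> List[str]:
    """Read every *.conf under the modprobe.d directory (real-host helper)."""
    return [p.read_text() for p in sorted(Path(directory).glob("*.conf"))]


def read_loaded_modules(path: str = "/proc/modules") -> List[str]:
    """Module names are the first column of /proc/modules (real-host helper)."""
    return [line.split()[0] for line in Path(path).read_text().splitlines() if line.strip()]


# Constructed sample data, not taken from any real host.
SAMPLE_CONF = """\
# /etc/modprobe.d/esp-blacklist.conf (constructed sample)
blacklist esp4
install esp6 /bin/true
"""
SAMPLE_LOADED = ["xfrm_user", "xen_netback", "tun"]


def demo() -> Dict[str, dict]:
    """Evaluate the constructed sample; returns the per-module status table."""
    return esp_mitigation_status([SAMPLE_CONF], SAMPLE_LOADED)


if __name__ == "__main__":
    for mod, status in demo().items():
        verdict = "MITIGATED" if status["mitigated"] else "EXPOSED"
        print(f"{mod}: {verdict} (blacklisted={status['blacklisted']}, loaded={status['loaded']})")
```

      To check a live dom0, call `esp_mitigation_status(read_modprobe_d(), read_loaded_modules())` instead of `demo()`; a module that shows `blacklisted=True` but `loaded=True` still needs an `rmmod` or a reboot before the blacklist has any effect.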
    • RE: cifs-utils LPE (CVE-2026-46243) / 8.3 dom0 vulnerability inquiry

      Just a quick update for anyone following this thread, I decided to test this out on my end to verify the impact.

      After installing gcc in Dom0 and making a few necessary tweaks to the PoC code, I was able to successfully compile and run it. I managed to gain root access starting from a standard, unprivileged account. Based on this, I can confirm that a fully patched XCP-ng 8.3 system is indeed vulnerable to this attack.

      However, I want to strongly emphasize a key point about the threat model here so we keep the risk in perspective: this is strictly a Local Privilege Escalation (LPE) vulnerability. An attacker cannot just trigger this remotely. To exploit this, someone absolutely must already have a provisioned account with access to your Dom0. If you are following best practices and strictly controlling who (and what) has shell access to Dom0, your immediate, real-world risk is significantly mitigated.

      Hopefully, this helps clarify the exposure for everyone while we wait for an official patch upstream.

      posted in XCP-ng
      Rod G