A pool-operator in XAPI-based hypervisors (XenServer, XCP-ng) can bypass network locality checks by setting assume_network_is_shared=true in Network.other_config. The key is checked at xapi_network_attach_helpers.ml:132-133. When set, XAPI treats the network as shared across all hosts regardless of actual PIF connectivity. This allows VMs to be started on hosts that do not have physical connectivity to the network, causing VIF attachment failures or connectivity loss after VM start. The bypass subverts VM placement safety checks that prevent starting VMs on hosts without the required network infrastructure. The Network.other_config field has no map_keys_roles entries for infrastructure keys.
Network.other_config is a Map(String, String) field defined at datamodel.ml:1998-2007 with ~writer_roles:_R_POOL_OP.
The network sharing check at xapi_network_attach_helpers.ml:130-139:
```ocaml
let assume_network_is_shared ~__context ~network =
  let oc = Db.Network.get_other_config ~__context ~self:network in
  try List.assoc "assume_network_is_shared" oc = "true"
  with Not_found -> false
```
This check is used during VM placement decisions. When a VM is started, XAPI verifies that the target host has connectivity to all networks required by the VM's VIFs. If assume_network_is_shared=true, this verification is bypassed - the network is assumed to be available on every host.
The consequences of the bypass:
VIF attachment failure. The VM starts but VIF attachment fails because no PIF connects the host to the network. The VM runs without network connectivity on that interface.
Silent connectivity loss. If the VM starts successfully (e.g., some VIFs attach, others fail), the operator may not immediately notice the missing connectivity.
Placement policy subversion. VMs are placed on hosts without the required network infrastructure, violating the pool's network topology constraints.
Missing RBAC protection. Network.other_config has no map_keys_roles entries for infrastructure keys. The assume_network_is_shared key is writable by any pool-operator.
No validation against actual topology. XAPI does not verify whether the network is actually shared when the key is set. The key blindly overrides the topology check.
No logging or alerting. Setting the key produces no warning that network locality checks are being bypassed.
set_other_config RBAC bypass. The set_other_config method replaces the entire map atomically and bypasses map_keys_roles per-key checks.
| Scenario | Impact | Pre-conditions | Status |
|---|---|---|---|
| VM placement on wrong host | VM starts on host without network connectivity, VIF attachment fails | pool-operator, non-shared network | Source-traced |
| Silent connectivity loss | VM runs with partial network connectivity, not immediately detected | pool-operator, multi-NIC VM | Modeled |
| HA restart disruption | HA restarts VM on host without required network, connectivity lost | pool-operator, HA-protected VM | Modeled |
| BOC-1 chain | vm-admin bypasses network locality across all networks via RBAC collapse | vm-admin, BOC-1 | Source-traced |
assume_network_is_shared=true on all non-shared networks, subverting placement checks pool-wide.
Network.other_config for the assume_network_is_shared key
assume_network_is_shared=true on networks that are not actually shared (no PIFs on multiple hosts)
disclosure/vendor-detection-guidance.md
Network.other_config entries for unexpected assume_network_is_shared values
Add map_keys_roles protection. Restrict assume_network_is_shared to _R_POOL_ADMIN in datamodel.ml.
Add topology validation. When the key is set, verify that the network has PIFs on multiple hosts. If not, log a warning that the override is potentially unsafe.
Upstream patches exist. They are held privately pending coordinated disclosure.
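One way to run the audit described above (find assume_network_is_shared entries and compare them with where PIFs actually exist), as an added example that is not part of the original advisory or of XAPI's code. It assumes input dicts shaped like XenAPI get_all_records() output for network and PIF objects; the refs, host names and network names below are constructed.

```python
KEY = "assume_network_is_shared"

def audit_networks(networks, pifs, hosts):
    """Return one finding per network that carries the key in other_config."""
    # Map each network ref to the set of hosts that have a PIF on it.
    hosts_by_net = {}
    for pif in pifs.values():
        hosts_by_net.setdefault(pif["network"], set()).add(pif["host"])

    findings = []
    for ref, net in sorted(networks.items()):
        value = net.get("other_config", {}).get(KEY)
        if value is None:
            continue
        connected = hosts_by_net.get(ref, set())
        findings.append({
            "network": net["name_label"],
            "value": value,
            # The XAPI check quoted above matches the exact string "true".
            "override_active": value == "true",
            # Advisory's criterion for "actually shared": PIFs on multiple hosts.
            "pifs_on_multiple_hosts": len(connected) > 1,
            "hosts_without_pif": sorted(set(hosts) - connected),
        })
    return findings

def unsafe_overrides(findings):
    """Active overrides on networks that at least one host cannot reach."""
    return [f for f in findings
            if f["override_active"] and f["hosts_without_pif"]]

# Constructed sample records (not taken from a real pool).
HOSTS = ["host-a", "host-b", "host-c"]
NETWORKS = {
    "net-1": {"name_label": "mgmt", "other_config": {}},
    "net-2": {"name_label": "storage", "other_config": {KEY: "true"}},
    "net-3": {"name_label": "dmz", "other_config": {KEY: "true"}},
    "net-4": {"name_label": "lab", "other_config": {KEY: "True"}},
}
PIFS = {f"pif-{i}": {"network": n, "host": h} for i, (n, h) in enumerate([
    ("net-1", "host-a"), ("net-1", "host-b"), ("net-1", "host-c"),
    ("net-2", "host-a"), ("net-2", "host-b"), ("net-2", "host-c"),
    ("net-3", "host-a"), ("net-4", "host-b"),
])}

if __name__ == "__main__":
    for finding in unsafe_overrides(audit_networks(NETWORKS, PIFS, HOSTS)):
        print(finding)
```

Findings where override_active is false but the key is present (the "lab" sample) fall under the unexpected-value case and are worth reviewing even though the placement check is not overridden.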
Disclosure:
datamodel.ml:1998-2007 (Network.other_config field definition), xapi_network_attach_helpers.ml:130-139 (assume_network_is_shared check)
disclosure/advisories/noc-security-advisory.md (NOC-6)
research/investigations/network-other-config.md
Discovered and reported by Jakob Wolffhechel, Moksha.