A user with the vm-admin role can promote any VM to system domain status by writing is_system_domain=true to VM.other_config. This key is intended as an internal infrastructure flag set only by XAPI itself, but VM.other_config has no map_keys_roles protection for this key. A system-domain VM bypasses VBD sharing constraints, gains access to the query_services operation, and bypasses lifecycle restrictions - capabilities reserved for XAPI infrastructure components. Combined with MOKSHA-2026-0008 (VOC-2 storage_driver_domain), the promoted VM triggers PBD detach operations on VM shutdown, enabling storage denial-of-service against arbitrary SRs.
VM.other_config is a Map(String, String) field in the XAPI data model. The is_system_domain key controls whether a VM is treated as an infrastructure system domain. XAPI reads this key in system_domains.ml:30-35:
let is_system_domain snapshot =
snapshot.API.vM_is_control_domain
||
let oc = snapshot.API.vM_other_config in
List.mem_assoc system_domain_key oc
&& bool_of_string (List.assoc system_domain_key oc)
The function checks is_control_domain (a read-only boolean) OR the other_config key. Since the other_config path has no RBAC protection, any vm-admin can set it to true on any VM.
The set_is_system_domain function at system_domains.ml:45-52 performs no validation - it directly writes to other_config and creates a system_domains entry in the database.
A VM promoted to system domain status:
Bypasses VBD sharing constraints. The VBD sharing check at xapi_vbd_helpers.ml exempts system domains, allowing concurrent write access to non-sharable VDIs. A regular VM mounting a VDI already in use by another VM is blocked; a system-domain VM is not.
Gains access to query_services. The query_services VM operation (xapi_vm_lifecycle.ml:718-720) requires is_system_domain=true. This operation is gated specifically for infrastructure VMs.
Bypasses lifecycle restrictions. System domains are exempted from certain lifecycle state machine checks, allowing operations that would be rejected on regular VMs.
Missing per-key RBAC. VM.other_config protects only three keys via map_keys_roles: pci (pool-admin), folder (vm-op), and XenCenter.CustomFields.* (vm-op). The is_system_domain key has no per-key protection and is writable by vm-admin.
Infrastructure key in user-writable map. System domain designation is stored in a user-writable map field rather than as a protected internal-only property. The intent was for this key to be set only by XAPI internal code paths, but the API does not enforce this.
set_other_config RBAC bypass. Even if map_keys_roles were added for this key, the set_other_config method bypasses all per-key checks.
| Scenario | Impact | Pre-conditions | Status |
|---|---|---|---|
| VBD sharing bypass | Concurrent write access to non-sharable VDIs owned by other VMs | Target VDI must be on an accessible SR | 6/6 PASS (live-tested) |
| query_services access | Access to infrastructure-only VM operation | None | Confirmed (source trace + live test) |
| Lifecycle restriction bypass | Operations rejected on regular VMs succeed on system domains | None | Confirmed (source trace) |
| VOC-1 + VOC-2 chain | System domain status + storage_driver_domain = PBD detach DoS on VM shutdown | Set both keys on same VM | Write confirmed; PBD detach absorbed by state race in current versions |
| VOC-1 + BOC-1 chain | System domain + root access = full infrastructure compromise | BOC-1 provides root access | Modeled (compound scenario) |
VM.other_config:is_system_domain set to true by non-pool-admin sessionsis_system_domain=true entries - in normal operation, only XAPI-created infrastructure VMs have this flagdisclosure/vendor-detection-guidance.mdVM.other_config entries across the pool for is_system_domain=true on non-infrastructure VMsvm-admin role grants to trusted personnelRBAC: Add map_keys_roles entry for is_system_domain requiring _R_LOCAL_ROOT_ONLY in datamodel_vm.ml. This key should not be writable by any API user.
Validation: The is_system_domain key should only be writable by XAPI internal code paths. Add a check in the write path to reject external API calls setting this key.
Architecture: Move system domain designation out of other_config into a protected internal-only field that cannot be set via the map API.
Upstream patches exist. They are held privately pending coordinated disclosure.
Disclosure:
system_domains.ml:30-35, 45-52, datamodel_vm.ml:2728-2737, xapi_vbd_helpers.ml, xapi_vm_lifecycle.ml:718-720disclosure/advisories/voc-security-advisory.mdresearch/investigations/vm-other-config.mdresearch/voc-1/poc/voc-1-is-system-domain.sh (available to CSIRTs on request)Discovered and reported by Jakob Wolffhechel, Moksha.