MOKSHA-2026-0010: Block Device Path Injection via PBD.device_config

Summary

A pool-operator can inject an arbitrary block device path via PBD.device_config:device when creating an EXT or LVM SR. The SM driver reads the path unchecked and passes it to pvcreate and vgcreate, which execute destructive operations on the attacker-chosen device. LVHDSR has a systemroot check that blocks the immediate host root device, but this check does not protect other partitions, additional disks, remote block devices, or other VMs' local storage. The result is data destruction on arbitrary block devices accessible to the host.

Vulnerability Description

When creating an EXT or LVM SR, the SM driver reads device_config:device to determine which block device to initialize as a storage repository. The value flows from the XAPI database to LVM subprocess calls without adequate validation.

Data Flow

SR.create(device_config={device: "/dev/sdb"})
  -> PBD stored with unchecked device path
  -> PBD.plug() triggers LVHDSR.create()
  -> LVHDSR.create() reads self.dconf['device'] (line 457)
  -> lvutil.createVG() called with attacker device path (line 508)
  -> pvcreate /dev/sdb
  -> vgcreate <sr-uuid> /dev/sdb
  -> Block device is now an LVM physical volume (original data destroyed)

Systemroot Check Limitations

LVHDSR implements a systemroot check at lines 467-470 that compares the requested device against the host's root device. This prevents targeting /dev/sda (or whatever device hosts the root filesystem). However, the check has several gaps:

1. Other partitions on the root disk - /dev/sda2, /dev/sda3 are not protected
2. Additional disks - /dev/sdb, /dev/sdc, etc. are not protected
3. Remote block devices - iSCSI LUNs, multipath devices are not protected
4. Device mapper paths - /dev/mapper/* paths bypass the check
5. Symlinks - alternate paths to the same device bypass the string comparison

Destructive Operation

pvcreate overwrites the first sectors of the target device with LVM metadata. This is a destructive operation that renders the previous contents of the device unrecoverable without backup. vgcreate then creates a volume group on the device, completing the initialization. Both operations execute as root.

Root Causes

1. Inadequate device validation. The systemroot check protects only the immediate root device. It does not implement a comprehensive device allowlist.

2. No device ownership verification. The SM driver does not verify that the requested device is unpartitioned, unused, or intended for SR creation.

3. Destructive operation on unvalidated input. pvcreate is a destructive operation that should only execute on devices explicitly approved for storage initialization.

Affected Systems

Directly Affected

• XenServer / Citrix Hypervisor - all versions (shared XAPI + SM driver codebase)
• XCP-ng 8.3 - confirmed (live-tested)

Storage Backends Affected

• LVHDSR (lvm, ext SR types) - primary target
• EXT SR - uses similar device initialization path

Indirectly Affected

• Other VMs' local storage - if VMs use local block devices, an attacker can target those devices
• Host data partitions - non-root partitions on the host disk are unprotected
• SAN LUNs - remotely presented block devices can be targeted

Exploitation Scenarios

Detection

• Monitor SR.create calls for device_config:device values targeting unexpected block devices
• Maintain an inventory of authorized block devices for SR creation
• Alert on pvcreate or vgcreate invocations targeting devices outside the authorized list
• Monitor for unexpected LVM physical volume creation on hosts

Remediation

Short-Term Mitigations

• Restrict pool-operator role grants to trusted storage administrators
• Audit all SR creation operations for unusual device paths
• Implement host-level device protection (e.g., udev rules preventing LVM operations on protected devices)

Long-Term Fix

Block device allowlist. Expand the systemroot check in LVHDSR to reject all devices not on an explicit allowlist. Default policy: only unused, unpartitioned block devices that are not mounted and not part of any existing volume group.

Device ownership verification. Before executing pvcreate, verify that the target device is truly available for SR creation: not mounted, not in an existing VG, not a partition on a system disk.

Confirmation step. Require an explicit confirmation for destructive device initialization, independent of the API call that creates the SR.

Upstream patches exist. They are held privately pending coordinated disclosure.

Disclosure

Disclosure:

• Public release: 2026-04-24 08:00 CEST
• CERT/CC notified: 2026-04-23
• MITRE CVE reservation filed: 2026-04-09 (no response as of publication)
• EU CVE registers notified: 2026-04-18 (GCVE/CIRCL, ENISA, DIVD - no response)
• Vendor (Cloud Software Group / Citrix): not contacted pre-publication
• Downstream maintainer (Vates/XCP-ng): contacted 2026-04-23 with conditional patch offer

References

• Related MOKSHA IDs: MOKSHA-2026-0004 (PDC-1 iSCSI redirection), MOKSHA-2026-0005 (PDC-2 NFS redirection), MOKSHA-2026-0001 (BOC-1 privilege escalation)
• XAPI source: LVHDSR.py:457 (device_config read), LVHDSR.py:467-470 (systemroot check), lvutil.py:createVG() (pvcreate/vgcreate execution)
• Thematic advisory: disclosure/advisories/pdc-security-advisory.md (PDC-5)
• Investigation: research/investigations/pbd-device-config.md
• PoC scripts: research/pdc-5/poc/pdc-5-block-device-injection.py (available to CSIRTs on request)
• Evidence: pdc-5-block-device-injection-20260321-234547.log

Credits

Discovered and reported by Jakob Wolffhechel, Moksha.