← Advisory Index « MOKSHA-2026-0011 MOKSHA-2026-0013 »

MOKSHA-2026-0012: OVS Fail-Mode Denial of Service via Network.other_config

Advisory ID	MOKSHA-2026-0012
Semantic ID	NOC-2
Published	2026-04-24
CVSS 3.1	8.2 High
CVSS 3.1 Vector	`AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:H`
CVSS 4.0	8.2 High
CVSS 4.0 Vector	`AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H`
XAPI Object	`Network`
XAPI Field	`other_config:vswitch-controller-fail-mode`
Entry Role	pool-operator
Researcher	Jakob Wolffhechel, Moksha

Affected Products

Vendor	Product	Versions
Citrix / Cloud Software Group	XenServer / Citrix Hypervisor	all versions (shared XAPI codebase)
Vates	XCP-ng	8.3.0

Summary

A pool-operator can cause a complete network denial of service on any OVS bridge by setting Network.other_config:vswitch-controller-fail-mode to "secure". In secure fail mode, OVS drops ALL packets when the SDN controller is unreachable. In the common case where no SDN controller is configured - which is the default for most XAPI deployments - this immediately drops all traffic on the bridge, affecting every VM and management connection on that network. The key has no map_keys_roles protection and requires a single API call with no validation.

Vulnerability Description

Network.other_config is a Map(String, String) field writable by pool-operator. The vswitch-controller-fail-mode key controls how Open vSwitch handles the absence of an SDN controller. The value flows through XAPI via the openvswitch-config-update script to the OVS bridge configuration.

Data Flow

pool-operator calls Network.add_to_other_config(net, "vswitch-controller-fail-mode", "secure")
  -> openvswitch-config-update reads Network.other_config
  -> ovs-vsctl set-fail-mode <bridge> secure
  -> OVS enters secure fail mode
  -> No SDN controller configured (common case) -> ALL packets dropped
  -> Complete network outage for all VMs and host management on the bridge

OVS supports two fail modes:

standalone (default): OVS acts as a normal learning switch when no controller is connected
secure: OVS drops all traffic that does not match a flow rule installed by a controller

In the common deployment scenario where no SDN controller exists, setting secure causes immediate and complete traffic loss on the bridge.

Root Causes

Missing RBAC protection. Network.other_config has zero map_keys_roles entries for infrastructure keys. The vswitch-controller-fail-mode key is writable by pool-operator.
Missing pre-condition validation. No check verifies that an SDN controller is actually configured before allowing secure fail mode. Setting secure without a controller is always destructive.
Immediate effect. The configuration change takes effect immediately on the OVS bridge - no confirmation, no grace period, no rollback mechanism.

Affected Systems

Directly Affected

XenServer / Citrix Hypervisor - all versions using OVS networking
XCP-ng - all versions using OVS networking (default network backend)
Any XAPI-based hypervisor with OVS bridge configuration

Indirectly Affected

All VMs on the targeted bridge - complete network connectivity loss
Host management - if management traffic traverses the affected bridge, host becomes unreachable
Storage networks - if storage traffic traverses the affected bridge, all I/O stops

Exploitation Scenarios

Scenario	Impact	Pre-conditions	Status
Per-network DoS	All traffic dropped on targeted bridge	OVS bridge, no SDN controller	Modeled (code-traced, OVS behavior confirmed)
Management network DoS	Host becomes unreachable	Management traffic on OVS bridge	Modeled
Storage network DoS	All VM I/O stops	Storage traffic on OVS bridge	Modeled
BOC-1 chain	vm-admin escalates to pool-operator via BOC-1 S3, then triggers OVS DoS	BOC-1 available	Modeled (two-step chain)

Detection

Monitor Network.other_config for writes to vswitch-controller-fail-mode
Alert on vswitch-controller-fail-mode=secure when no SDN controller is configured for the pool
Monitor OVS bridge fail mode via ovs-vsctl get-fail-mode <bridge> on all hosts
See rule N-02 in disclosure/vendor-detection-guidance.md

Remediation

Short-Term Mitigations

Audit all Network.other_config records for unexpected vswitch-controller-fail-mode values
Monitor OVS bridge configurations for fail-mode changes
Restrict pool-operator role to trusted administrators

Long-Term Fix

RBAC restriction. Add map_keys_roles entry for vswitch-controller-fail-mode in datamodel.ml requiring _R_POOL_ADMIN.

Pre-condition validation. Before accepting secure fail mode, validate that an SDN controller is configured and reachable. Reject secure when no controller exists.

Upstream patches exist. They are held privately pending coordinated disclosure.

Disclosure

Disclosure:

Public release: 2026-04-24 08:00 CEST
CERT/CC notified: 2026-04-23
MITRE CVE reservation filed: 2026-04-09 (no response as of publication)
EU CVE registers notified: 2026-04-18 (GCVE/CIRCL, ENISA, DIVD - no response)
Vendor (Cloud Software Group / Citrix): not contacted pre-publication
Downstream maintainer (Vates/XCP-ng): contacted 2026-04-23 with conditional patch offer

References

Related MOKSHA IDs: MOKSHA-2026-0011 (NOC-1 VIF backend hijack), MOKSHA-2026-0013 (PLOC-6 pool-wide OVS DoS), MOKSHA-2026-0001 (BOC-1 privilege escalation)
XAPI source: openvswitch-config-update (fail mode application), datamodel.ml (Network field definition)
Thematic advisory: disclosure/advisories/noc-security-advisory.md (NOC-2)
Investigation: research/investigations/network-other-config.md

Credits

Discovered and reported by Jakob Wolffhechel, Moksha.

Machine-readable: MOKSHA-2026-0012.json (CVE JSON 5.1 schema)

← Advisory Index « MOKSHA-2026-0011 MOKSHA-2026-0013 »

Jakob Wolffhechel · Moksha · Copenhagen
jakob@wolffhechel.dk · +45 3170 7337
Published 2026-04-24 08:00 CEST · cna.moksha.dk · shittrix.moksha.dk