← Advisory Index « MOKSHA-2026-0016 MOKSHA-2026-0018 »

MOKSHA-2026-0017: Static Route Injection via Network.other_config

Advisory ID	MOKSHA-2026-0017
Semantic ID	NOC-3
Published	2026-04-24
CVSS 3.1	7.6 High
CVSS 3.1 Vector	`AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N`
CVSS 4.0	7.0 High
CVSS 4.0 Vector	`AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:H/VA:L/SC:N/SI:L/SA:N`
XAPI Object	`Network`
XAPI Field	`other_config:static-routes`
Entry Role	pool-operator
Researcher	Jakob Wolffhechel, Moksha

Affected Products

Vendor	Product	Versions
Citrix / Cloud Software Group	XenServer / Citrix Hypervisor	all versions (shared XAPI codebase)
Vates	XCP-ng	8.3.0

Summary

A pool-operator can inject arbitrary static routes into the host routing table by setting Network.other_config:static-routes to attacker-controlled subnet/gateway pairs. The value is parsed by nm.ml:469-489 and applied directly to the bridge interface with no validation on subnet, gateway reachability, or conflicts with existing routes. Injected routes can redirect storage network traffic, management traffic, or cloud subnet traffic through an attacker-controlled gateway, enabling man-in-the-middle attacks on infrastructure communications.

Vulnerability Description

Network.other_config is a Map(String, String) field writable by pool-operator. The static-routes key is consumed by the network manager daemon (xcp-networkd) to add routes to the bridge interface associated with the network.

Data Flow

pool-operator calls Network.add_to_other_config(net, "static-routes", "10.0.0.0/8/192.168.1.100")
  -> nm.ml:469-489 parses the static-routes value
  -> Route entries extracted as subnet/gateway pairs
  -> ip route add 10.0.0.0/8 via 192.168.1.100 dev <bridge>
  -> All traffic matching 10.0.0.0/8 now routes through attacker gateway

The static-routes value is a comma-separated list of entries in the format subnet/mask/gateway. Each entry is parsed and applied as a static route on the bridge interface. No validation occurs:

No check that the gateway is reachable
No check for conflicts with management or storage network routes
No check for RFC 1918 private subnet hijacking
No check for default route override attempts

Root Causes

Missing RBAC protection. Network.other_config has zero map_keys_roles entries for the static-routes key.
No route validation. Routes are applied without checking for conflicts with management, storage, or HA heartbeat networks.
No gateway reachability check. The gateway address is not validated as reachable on the bridge subnet.
Immediate effect. Routes take effect immediately on the host, redirecting traffic without confirmation or delay.

Affected Systems

Directly Affected

XenServer / Citrix Hypervisor - all versions (shared XAPI + xcp-networkd codebase)
XCP-ng - all versions (tested on 8.3.0)

Indirectly Affected

Storage networks - if storage traffic matches an injected route, it can be redirected
Management networks - management traffic can be MITM'd via route injection
HA heartbeat - heartbeat traffic redirection can cause spurious fencing
Storage arrays - traffic meant for storage arrays can be redirected to an attacker

Exploitation Scenarios

Scenario	Impact	Pre-conditions	Status
Storage traffic redirection	Storage I/O routed through attacker gateway	Storage on routable subnet	Modeled (code-traced)
Management traffic MITM	API and management traffic intercepted	Management on affected bridge	Modeled
Combined with SMC-1	Route + protocol injection for complete storage control	SMC-1 available	Modeled (chain)
BOC-1 chain	vm-admin escalates to pool-operator via BOC-1 S3, then injects routes	BOC-1 available	Modeled (two-step chain)

Detection

Monitor Network.other_config for writes to static-routes
Audit host routing tables for unexpected static routes on bridge interfaces
Alert on route additions that conflict with management or storage networks
Compare expected routing table state against actual state periodically
See rule N-03 in disclosure/vendor-detection-guidance.md

Remediation

Short-Term Mitigations

Audit all Network.other_config records for unexpected static-routes values
Monitor host routing tables for changes outside maintenance windows
Restrict pool-operator role to trusted administrators

Long-Term Fix

RBAC restriction. Add map_keys_roles entry for static-routes in datamodel.ml requiring _R_POOL_ADMIN.

Route validation. Validate injected routes against management, storage, and HA network ranges. Reject routes that would conflict with infrastructure-critical traffic paths.

Gateway validation. Verify that the gateway address is reachable on the bridge subnet before applying the route.

Upstream patches exist. They are held privately pending coordinated disclosure.

Disclosure

Disclosure:

Public release: 2026-04-24 08:00 CEST
CERT/CC notified: 2026-04-23
MITRE CVE reservation filed: 2026-04-09 (no response as of publication)
EU CVE registers notified: 2026-04-18 (GCVE/CIRCL, ENISA, DIVD - no response)
Vendor (Cloud Software Group / Citrix): not contacted pre-publication
Downstream maintainer (Vates/XCP-ng): contacted 2026-04-23 with conditional patch offer

References

Related MOKSHA IDs: MOKSHA-2026-0011 (NOC-1 VIF backend hijack), MOKSHA-2026-0012 (NOC-2 OVS fail-mode DoS), MOKSHA-2026-0001 (BOC-1 privilege escalation)
XAPI source: nm.ml:469-489 (static-routes parsing and application), datamodel.ml (Network field definition)
Thematic advisory: disclosure/advisories/noc-security-advisory.md (NOC-3)
Investigation: research/investigations/network-other-config.md

Credits

Discovered and reported by Jakob Wolffhechel, Moksha.

Machine-readable: MOKSHA-2026-0017.json (CVE JSON 5.1 schema)

← Advisory Index « MOKSHA-2026-0016 MOKSHA-2026-0018 »

Jakob Wolffhechel · Moksha · Copenhagen
jakob@wolffhechel.dk · +45 3170 7337
Published 2026-04-24 08:00 CEST · cna.moksha.dk · shittrix.moksha.dk