← Advisory Index « MOKSHA-2026-0020 MOKSHA-2026-0022 »

MOKSHA-2026-0021: Cross-VM Traffic Sniffing via VIF.other_config Promiscuous Mode

Advisory ID	MOKSHA-2026-0021
Semantic ID	VIOC-2
Published	2026-04-24
CVSS 3.1	7.5 High
CVSS 3.1 Vector	`AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N`
CVSS 4.0	6.3 Medium
CVSS 4.0 Vector	`AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N`
XAPI Object	`VIF`
XAPI Field	`other_config:promiscuous`
Entry Role	vm-admin
Researcher	Jakob Wolffhechel, Moksha

Affected Products

Vendor	Product	Versions
Citrix / Cloud Software Group	XenServer / Citrix Hypervisor	all versions (shared XAPI codebase)
Vates	XCP-ng	8.3.0

Summary

A user with the vm-admin role in XAPI-based hypervisors (XenServer, XCP-ng) can enable promiscuous mode on a VIF's bridge port by setting VIF.other_config:promiscuous to true. The VIF hotplug script writes 1 to /sys/class/net/vifX.Y/brport/promisc, causing the guest VM to receive all frames on the Linux bridge - including traffic destined for other VMs. This enables cross-VM traffic sniffing in any multi-tenant environment using Linux bridge networking. The key has no per-key RBAC protection, the attack requires a single API call, and no security alert is generated.

Vulnerability Description

VIF.other_config is a Map(String, String) field writable by vm-admin. The promiscuous key is consumed by the VIF hotplug script (vif-real) during VIF plug operations.

The code path:

vm-admin calls VIF.add_to_other_config(vif, "promiscuous", "true")
On VIF plug (VM start or hotplug), xenopsd writes the key to xenstore
The vif-real hotplug script reads the key at lines 66-82
The script writes 1 to /sys/class/net/vifX.Y/brport/promisc
The bridge port enters promiscuous mode, receiving all bridge traffic

The guest VM now receives a copy of every frame traversing the bridge, including traffic destined for other VMs on the same bridge.

Mitigating Factor

Open vSwitch does not support promiscuous mode via this sysfs path. On OVS-backed networks, the sysfs write has no effect. However, this protection is accidental (ARCH-5 pattern) - OVS was not chosen for its security properties here, and there is no enforcement preventing an administrator from using Linux bridge networking.

Root Causes

Missing RBAC protection. VIF.other_config has zero map_keys_roles entries in datamodel.ml. The promiscuous key is writable by vm-admin via add_to_other_config.
Missing consumer-side validation. The vif-real hotplug script accepts the promiscuous flag without any authorization check or security-level logging.
set_other_config RBAC bypass. The set_other_config method replaces the entire map atomically and bypasses map_keys_roles per-key checks entirely.
Insufficient logging. No security alert is generated when promiscuous mode is enabled on a VIF.

Affected Systems

Directly Affected

XenServer / Citrix Hypervisor - all versions (shared XAPI codebase)
XCP-ng 8.3 - confirmed (RBAC analysis, source trace)

Indirectly Affected

All VMs on Linux bridge networks - traffic is exposed to the sniffing VM
Multi-tenant deployments - tenant isolation is broken on Linux bridge networks
Management orchestrators (Xen Orchestra, CloudStack, OpenStack) - trust assumptions about network isolation are invalidated

Exploitation Scenarios

Scenario	Impact	Pre-conditions	Status
Cross-VM traffic capture	Read all frames on the bridge, including other VMs' traffic	Linux bridge networking, vm-admin credential	Source-traced, RBAC confirmed
Credential sniffing	Capture unencrypted credentials (HTTP, SMTP, FTP) from co-hosted VMs	Unencrypted protocols in use	Modeled
Reconnaissance	Map internal network topology, identify services, enumerate hosts	Linux bridge, multiple VMs	Modeled
Chained with BOC-1	After RBAC collapse via BOC-1, enable promiscuous mode on any VIF in the pool	BOC-1 available	Modeled (amplification chain)

Detection

Monitor VIF.other_config for promiscuous=true or promiscuous=on entries
Audit /sys/class/net/vif*/brport/promisc for non-zero values
Alert on hotplug script activity that sets promiscuous mode
See rule V-02 in disclosure/vendor-detection-guidance.md

Remediation

Short-Term Mitigations

Audit all VIF.other_config records for promiscuous keys
Use Open vSwitch instead of Linux bridge networking (accidental mitigation)
Restrict vm-admin role grants in multi-tenant environments

Long-Term Fix

Add map_keys_roles. Protect promiscuous in datamodel.ml at _R_POOL_ADMIN to prevent vm-admin from enabling promiscuous mode.

Consumer-side validation. The vif-real hotplug script should reject promiscuous mode requests unless explicitly authorized by pool-level policy.

Upstream patches exist. They are held privately pending coordinated disclosure.

Disclosure

Disclosure:

Public release: 2026-04-24 08:00 CEST
CERT/CC notified: 2026-04-23
MITRE CVE reservation filed: 2026-04-09 (no response as of publication)
EU CVE registers notified: 2026-04-18 (GCVE/CIRCL, ENISA, DIVD - no response)
Vendor (Cloud Software Group / Citrix): not contacted pre-publication
Downstream maintainer (Vates/XCP-ng): contacted 2026-04-23 with conditional patch offer

References

Related MOKSHA IDs: MOKSHA-2026-0029 (VIOC-1 SR-IOV VIF whitelist bypass)
XAPI source: vendor/xenopsd/scripts/vif-real:66-82 (promiscuous mode sysfs write), datamodel.ml (VIF field definition)
Thematic advisory: disclosure/advisories/vif-security-advisory.md (VIOC-2)
Investigation: research/investigations/vif-other-config.md

Credits

Discovered and reported by Jakob Wolffhechel, Moksha.

Machine-readable: MOKSHA-2026-0021.json (CVE JSON 5.1 schema)

← Advisory Index « MOKSHA-2026-0020 MOKSHA-2026-0022 »

Jakob Wolffhechel · Moksha · Copenhagen
jakob@wolffhechel.dk · +45 3170 7337
Published 2026-04-24 08:00 CEST · cna.moksha.dk · shittrix.moksha.dk