← Advisory Index « MOKSHA-2026-0023 MOKSHA-2026-0025 »

MOKSHA-2026-0024: NFS Mount Option Injection via PBD.device_config

Advisory ID	MOKSHA-2026-0024
Semantic ID	PDC-3
Published	2026-04-24
CVSS 3.1	7.2 High
CVSS 3.1 Vector	`AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N`
CVSS 4.0	7.3 High
CVSS 4.0 Vector	`AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:N/SC:H/SI:L/SA:N`
XAPI Object	`PBD`
XAPI Field	`device_config:options`
Entry Role	pool-operator
Researcher	Jakob Wolffhechel, Moksha

Affected Products

Vendor	Product	Versions
Citrix / Cloud Software Group	XenServer / Citrix Hypervisor	all versions (shared XAPI codebase)
Vates	XCP-ng	8.3.0

Summary

A pool-operator can inject arbitrary NFS mount options via PBD.device_config:options when creating or reconfiguring an NFS storage repository. The NFSSR driver appends these options directly to the mount.nfs command without sanitization. An attacker can inject sec=none (disable NFS authentication), noac (disable attribute caching - performance denial of service), or ro (force read-only) to weaken storage security or degrade performance. The attack was confirmed via live testing with all checks passing.

Vulnerability Description

PBD.device_config is the storage connection string for all SM drivers in XAPI-based hypervisors. The options key is consumed by the NFSSR driver during mount operations.

The data flow:

pool-operator calls SR.create() with device_config = {server: "nfs-server", serverpath: "/export", options: "noac"}
XAPI stores the PBD record with the unchecked options value
On PBD.plug(), NFSSR reads device_config["options"]
nfs.soft_mount() appends the options directly to the mount.nfs command: mount.nfs server:/export /mountpoint -o soft,noac
The attacker-controlled mount options take effect

No validation occurs on the options value. Any string accepted by mount.nfs is applied.

Dangerous Options

Option	Impact
`sec=none`	Disables NFS security mechanism - unauthenticated access
`noac`	Disables attribute caching - severe performance degradation, forces every metadata operation to round-trip to the server
`ro`	Forces read-only mount - VMs cannot write to storage
`noacl`	Disables POSIX ACL support
`nosuid` / `noexec`	Alters execution policy on mounted filesystem

Root Causes

Missing value validation. The options key accepts arbitrary strings and forwards them directly to mount.nfs.
No mount option allowlist. The NFSSR driver does not maintain an allowlist of acceptable NFS mount options.
Architectural trust assumption. The SM driver assumes device_config contains legitimate configuration from a trusted administrator. No mechanism distinguishes malicious options from legitimate ones.

Affected Systems

Directly Affected

XenServer / Citrix Hypervisor - all versions (shared SM driver codebase)
XCP-ng 8.3 - confirmed (live-tested: all checks PASS)

Indirectly Affected

NFS servers connected to affected pools - security downgraded by injected options
All VMs using NFS storage - performance degraded or access restricted by injected options

Exploitation Scenarios

Scenario	Impact	Pre-conditions	Status
NFS security downgrade	`sec=none` disables NFS authentication	pool-operator, NFS SR	Confirmed (live-tested)
Performance DoS	`noac` disables attribute caching, causing severe I/O performance degradation	pool-operator, NFS SR	Confirmed (live-tested)
Read-only lockout	`ro` prevents all writes to storage	pool-operator, NFS SR	Confirmed (live-tested)
Via BOC-1 chain	vm-admin escalates to pool-operator via BOC-1, then injects mount options	BOC-1 available	Modeled (chained)

Detection

Audit PBD.device_config for NFS SRs containing the options key
Alert on mount options outside a known-safe set (e.g., soft, tcp, timeo, retrans)
Monitor NFS mount parameters on dom0 via /proc/mounts
See rule D-03 in disclosure/vendor-detection-guidance.md

Remediation

Short-Term Mitigations

Audit all NFS SR device_config for unexpected options values
Monitor /proc/mounts on each host for unexpected NFS mount options
Restrict pool-operator role grants

Long-Term Fix

Mount option allowlist. NFSSR should only accept known-safe NFS mount options. Reject sec=none, noac, and other dangerous options.

Write-time validation. Validate the options field against an allowlist at SR.create time, before the value is stored in the PBD.

Upstream patches exist. They are held privately pending coordinated disclosure.

Disclosure

Disclosure:

Public release: 2026-04-24 08:00 CEST
CERT/CC notified: 2026-04-23
MITRE CVE reservation filed: 2026-04-09 (no response as of publication)
EU CVE registers notified: 2026-04-18 (GCVE/CIRCL, ENISA, DIVD - no response)
Vendor (Cloud Software Group / Citrix): not contacted pre-publication
Downstream maintainer (Vates/XCP-ng): contacted 2026-04-23 with conditional patch offer

References

Related MOKSHA IDs: MOKSHA-2026-0001 (BOC-1 RBAC collapse enables vm-admin to reach this vector)
XAPI source: NFSSR driver nfs.soft_mount() (mount option passthrough), SRCommand.parse() (device_config read)
Thematic advisory: disclosure/advisories/pdc-security-advisory.md (PDC-3)
Investigation: research/investigations/pbd-device-config.md
PoC evidence: research/pdc-3/poc/evidence/pdc-3-nfs-mount-options-20260321-222703.log

Credits

Discovered and reported by Jakob Wolffhechel, Moksha.

Machine-readable: MOKSHA-2026-0024.json (CVE JSON 5.1 schema)

← Advisory Index « MOKSHA-2026-0023 MOKSHA-2026-0025 »

Jakob Wolffhechel · Moksha · Copenhagen
jakob@wolffhechel.dk · +45 3170 7337
Published 2026-04-24 08:00 CEST · cna.moksha.dk · shittrix.moksha.dk