← Advisory Index « MOKSHA-2026-0024 MOKSHA-2026-0026 »

MOKSHA-2026-0025: Storage Protocol Metadata Poisoning via SR.sm_config (targetIQN/target/LUNid)

Advisory ID	MOKSHA-2026-0025
Semantic ID	SSMC-3
Published	2026-04-24
CVSS 3.1	7.2 High
CVSS 3.1 Vector	`AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H`
CVSS 4.0	8.4 High
CVSS 4.0 Vector	`AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:H/VA:H/SC:N/SI:H/SA:N`
XAPI Object	`SR`
XAPI Field	`sm_config:targetIQN, sm_config:target, sm_config:LUNid`
Entry Role	pool-operator
Researcher	Jakob Wolffhechel, Moksha

Affected Products

Vendor	Product	Versions
Citrix / Cloud Software Group	XenServer / Citrix Hypervisor	all versions (shared XAPI codebase)
Vates	XCP-ng	8.3.0

Summary

A pool-operator can corrupt storage protocol metadata by modifying targetIQN, target, datatype, or LUNid keys in SR.sm_config on iSCSI and HBA storage repositories. These keys are written by the SM driver during SR.create and read back during subsequent operations - but the field remains writable after creation. Modifying LUNid causes VDI operations to target the wrong LUN, enabling cross-SR data corruption. Modifying targetIQN or target causes SR misidentification and connection failures. This is an SR-level variant of the SMC-1 storage protocol injection - same architectural root cause, but at the SR level affecting all VDIs in the repository.

Vulnerability Description

SR.sm_config is a Map(String, String) field described as "SM dependent data" that serves as the primary configuration channel between XAPI and the SMAPIv1 storage driver framework. The field requires pool-operator to write and has zero map_keys_roles entries.

The data flow:

SM driver writes targetIQN, target, datatype, LUNid during SR.create (e.g., BaseISCSI.py:507-513)
Values are stored in the XAPI database
On subsequent SR.load() / SR.attach(), the driver reads these keys back
A pool-operator can modify the keys at any time via SR.set_sm_config or SR.add_to_sm_config
The driver uses the modified values in storage protocol operations

Key-Specific Impacts

Key	Impact
`targetIQN`	SR targets wrong iSCSI initiator group - connection to wrong storage target
`target`	Changes iSCSI target address - could redirect to attacker-controlled target
`LUNid`	VDI operations target wrong LUN - cross-SR data corruption
`datatype`	SR type misidentification during scans

Root Causes

Missing immutability enforcement. SR.sm_config keys set by the SM driver during SR.create remain writable via the API after creation. No immutability mechanism exists.
Missing RBAC protection. SR.sm_config has zero map_keys_roles entries. All driver-written keys are writable by pool-operator.
Backend trust assumption. SM drivers assume sm_config values are authoritative and have not been tampered with since creation.

Affected Systems

Directly Affected

XenServer / Citrix Hypervisor - all versions (shared SM driver codebase)
XCP-ng 8.3 - confirmed (source trace)

Storage Drivers Affected

Driver	Keys	Impact
BaseISCSI (lvmoiscsi)	`targetIQN`, `target`, `LUNid`	Target/LUN poisoning, cross-SR corruption
HBASR	`targetIQN`, `datatype`, `LUNid`	HBA type corruption, LUN mismatch

Indirectly Affected

iSCSI storage arrays - receive connections with wrong IQN or LUN mapping
All VMs on affected SRs - data corruption or inaccessibility

Exploitation Scenarios

Scenario	Impact	Pre-conditions	Status
LUNid redirection	VDI operations target wrong LUN - cross-SR data corruption	pool-operator, iSCSI SR	Source-traced
Target IQN manipulation	SR connects to wrong iSCSI target group	pool-operator, iSCSI SR	Source-traced
Target address change	SR redirected to different iSCSI target server	pool-operator, iSCSI SR	Source-traced
Via BOC-1 chain	vm-admin escalates to pool-operator via BOC-1 S3, then corrupts SR metadata	BOC-1 available	Modeled (chained)

Detection

Monitor SR.sm_config for modifications after SR creation
Alert on targetIQN, target, LUNid, datatype key changes
Compare SR.sm_config snapshots between scans for drift
See rule S-03 in disclosure/vendor-detection-guidance.md

Remediation

Short-Term Mitigations

Audit all iSCSI/HBA SR sm_config for unexpected values in targetIQN, target, LUNid
Compare current sm_config values against known-good baselines
Restrict pool-operator role grants

Long-Term Fix

Enforce sm_config immutability. Once set by the SM driver during SR.create, driver-written keys should not be modifiable via API. Implement a mechanism to distinguish driver-set keys from user-set keys.

Add map_keys_roles. Protect targetIQN, target, LUNid, datatype at _R_LOCAL_ROOT_ONLY.

Upstream patches exist. They are held privately pending coordinated disclosure.

Disclosure

Disclosure:

Public release: 2026-04-24 08:00 CEST
CERT/CC notified: 2026-04-23
MITRE CVE reservation filed: 2026-04-09 (no response as of publication)
EU CVE registers notified: 2026-04-18 (GCVE/CIRCL, ENISA, DIVD - no response)
Vendor (Cloud Software Group / Citrix): not contacted pre-publication
Downstream maintainer (Vates/XCP-ng): contacted 2026-04-23 with conditional patch offer

References

Related MOKSHA IDs: MOKSHA-2026-0001 (BOC-1 RBAC collapse enables vm-admin to reach this vector)
XAPI source: vendor/sm/drivers/BaseISCSI.py:507-513 (driver writes keys during create), SR.py (sm_config read path)
Thematic advisory: disclosure/advisories/ssmc-security-advisory.md (SSMC-3)
Investigation: research/investigations/sr-sm-config.md

Credits

Discovered and reported by Jakob Wolffhechel, Moksha.

Machine-readable: MOKSHA-2026-0025.json (CVE JSON 5.1 schema)

← Advisory Index « MOKSHA-2026-0024 MOKSHA-2026-0026 »

Jakob Wolffhechel · Moksha · Copenhagen
jakob@wolffhechel.dk · +45 3170 7337
Published 2026-04-24 08:00 CEST · cna.moksha.dk · shittrix.moksha.dk