← Advisory Index « MOKSHA-2026-0026 MOKSHA-2026-0028 »

MOKSHA-2026-0027: Gateway/DNS Routing Hijack via PIF.other_config defaultroute/peerdns

Advisory ID	MOKSHA-2026-0027
Semantic ID	POC-2
Published	2026-04-24
CVSS 3.1	7.2 High
CVSS 3.1 Vector	`AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N`
CVSS 4.0	7.0 High
CVSS 4.0 Vector	`AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:H/VA:L/SC:N/SI:L/SA:N`
XAPI Object	`PIF`
XAPI Field	`other_config:defaultroute, other_config:peerdns`
Entry Role	pool-operator
Researcher	Jakob Wolffhechel, Moksha

Affected Products

Vendor	Product	Versions
Citrix / Cloud Software Group	XenServer / Citrix Hypervisor	all versions (shared XAPI codebase)
Vates	XCP-ng	8.3.0

Summary

A pool-operator can hijack host-level network routing and DNS resolution by setting defaultroute=true and peerdns=true on an attacker-chosen PIF via PIF.other_config. The defaultroute key causes all host outbound traffic to route through the selected PIF's gateway (helpers.ml:219-234). The peerdns key redirects DNS queries to the selected PIF's DNS server. This enables man-in-the-middle attacks on management and storage traffic, and DNS poisoning at the host level affecting all VMs and host services. PIF.other_config has the highest merge precedence in the other_config merge chain, overriding both Network.other_config and Pool.other_config values.

Vulnerability Description

PIF.other_config is a Map(String, String) field writable by pool-operator that directly controls physical network interface behavior. The field has zero per-key RBAC and has the highest merge precedence in the nm.ml:112-120 merge chain.

The code path:

pool-operator calls PIF.add_to_other_config(pif, "defaultroute", "true")
helpers.ml:219-234 selects the first PIF with defaultroute=true as the gateway interface
helpers.ml:254-267 selects the first PIF with peerdns=true as the DNS interface
On next PIF plug, the host routing table and DNS configuration are updated
All host outbound traffic routes through the attacker-chosen gateway
All DNS queries resolve through the attacker-chosen DNS server

Impact Chain

With defaultroute control, the attacker can:

Intercept management traffic (XAPI API calls between pool members)
Intercept storage traffic (NFS, iSCSI) if routing affects storage network paths
Perform man-in-the-middle attacks on any host-initiated connection
Combined with peerdns, poison DNS resolution to redirect connections to attacker infrastructure

Root Causes

Missing RBAC protection. PIF.other_config has zero map_keys_roles entries. The defaultroute and peerdns keys are writable by pool-operator.
Missing validation. No check verifies that the PIF selected as default gateway is the intended management interface.
Highest merge precedence. PIF.other_config overrides Network.other_config and Pool.other_config in the merge chain, making PIF-level injection authoritative.
Insufficient logging. No security alert is generated when the default route or DNS interface is changed.

Affected Systems

Directly Affected

XenServer / Citrix Hypervisor - all versions (shared XAPI + xcp-networkd codebase)
XCP-ng 8.3 - confirmed (RBAC analysis, source trace)

Indirectly Affected

All VMs on the host - outbound traffic and DNS resolution affected
Pool management - inter-host XAPI communication can be intercepted
Storage traffic - if routing affects storage network paths, iSCSI/NFS traffic is exposed

Exploitation Scenarios

Scenario	Impact	Pre-conditions	Status
Management traffic MITM	Intercept XAPI API calls between pool members	pool-operator, multiple PIFs	Source-traced
DNS poisoning	Redirect host DNS resolution to attacker-controlled server	pool-operator, peerdns=true	Source-traced
Storage traffic redirection	Route storage I/O through attacker-controlled gateway	pool-operator, routing affects storage network	Modeled
Via BOC-1 chain	vm-admin escalates to pool-operator, then hijacks routing	BOC-1 available	Modeled (chained)

Detection

Monitor PIF.other_config for defaultroute and peerdns changes
Alert on default route changes on management PIFs
Audit host routing table for unexpected default routes
Monitor /etc/resolv.conf for unexpected DNS server changes
See rule P-02 in disclosure/vendor-detection-guidance.md

Remediation

Short-Term Mitigations

Audit all PIF.other_config for defaultroute and peerdns keys
Verify host routing tables match expected configuration
Restrict pool-operator role grants

Long-Term Fix

Restrict to pool-admin. Protect defaultroute and peerdns via map_keys_roles at _R_POOL_ADMIN.

Validation gate. Verify that only the designated management PIF can be set as the default route.

Upstream patches exist. They are held privately pending coordinated disclosure.

Disclosure

Disclosure:

Public release: 2026-04-24 08:00 CEST
CERT/CC notified: 2026-04-23
MITRE CVE reservation filed: 2026-04-09 (no response as of publication)
EU CVE registers notified: 2026-04-18 (GCVE/CIRCL, ENISA, DIVD - no response)
Vendor (Cloud Software Group / Citrix): not contacted pre-publication
Downstream maintainer (Vates/XCP-ng): contacted 2026-04-23 with conditional patch offer

References

Related MOKSHA IDs: MOKSHA-2026-0001 (BOC-1 RBAC collapse enables vm-admin to reach this vector)
XAPI source: helpers.ml:219-234 (defaultroute selection), helpers.ml:254-267 (peerdns selection), nm.ml:112-120 (merge precedence)
Thematic advisory: disclosure/advisories/poc-security-advisory.md (POC-2)
Investigation: research/investigations/pif-other-config.md

Credits

Discovered and reported by Jakob Wolffhechel, Moksha.

Machine-readable: MOKSHA-2026-0027.json (CVE JSON 5.1 schema)

← Advisory Index « MOKSHA-2026-0026 MOKSHA-2026-0028 »

Jakob Wolffhechel · Moksha · Copenhagen
jakob@wolffhechel.dk · +45 3170 7337
Published 2026-04-24 08:00 CEST · cna.moksha.dk · shittrix.moksha.dk