A pool-operator on an XAPI-based hypervisor (XenServer, XCP-ng) can overwrite the host's iSCSI initiator identity by setting Host.other_config:iscsi_iqn to an arbitrary IQN string. The XAPI event watcher thread (xapi_host_helpers.ml:584-595) syncs this value to /etc/iscsi/initiatorname.iscsi without format validation, and all subsequent iSCSI operations use the spoofed initiator name. If storage targets use IQN-based access control lists - the standard access control mechanism for enterprise iSCSI deployments - the attacker gains unauthorized access to LUNs belonging to other hosts or tenants. This directly amplifies SMC-1: the attacker controls both the initiator identity (HOC-2) and the target parameters (SMC-1).
Host.other_config is a Map(String, String) field writable by pool-operator. The iscsi_iqn key is consumed by the XAPI event watcher thread, which writes the value directly to the host's iSCSI initiator name file.
The code path:
1. pool-operator calls Host.add_to_other_config(host, "iscsi_iqn", "iqn.2001-01.com.victim:storage1").
2. The XAPI event watcher thread (xapi_host_helpers.ml:584-595) picks up the changed key.
3. The value is written to /etc/iscsi/initiatorname.iscsi without validation.

No format validation is performed. The value is not checked against RFC 3720 IQN format. Arbitrary strings are accepted.
Missing RBAC protection. Host.other_config has zero map_keys_roles entries for iscsi_iqn. The key inherits the class default _R_POOL_OP.
Missing format validation. The IQN value is not validated against RFC 3720 format. Any string is accepted and written to the initiator name file.
Host identity file as writable config. The iSCSI initiator name file (/etc/iscsi/initiatorname.iscsi) is the host's identity in all iSCSI protocol interactions. It should not be modifiable through a user-writable map field.
Scope change to storage network. The spoofed IQN affects resources outside the hypervisor trust boundary - specifically, storage array ACLs and LUN mappings.
| Scenario | Impact | Pre-conditions | Status |
|---|---|---|---|
| Initiator identity spoofing | Host impersonates another iSCSI initiator, bypassing storage ACLs | pool-operator, iSCSI SR connected | Confirmed (iscsi_iqn write verified on live host) |
| Cross-tenant LUN access | Attacker accesses LUNs authorized for other hosts/tenants via spoofed IQN | pool-operator, multi-tenant iSCSI SAN with IQN-based ACLs | Modeled |
| SMC-1 amplification | Attacker controls both initiator identity (HOC-2) and target parameters (SMC-1) | pool-operator, iSCSI SR | Source-traced |
| Audit trail corruption | Storage array logs show spoofed initiator, masking the actual attacker | pool-operator, iSCSI SR with access logging | Modeled |
HOC-2 chains with BOC-1 and SMC-1:
Detection and verification:

- Alert on Host.other_config changes to iscsi_iqn outside planned maintenance.
- Compare Host.other_config:iscsi_iqn against /etc/iscsi/initiatorname.iscsi on each host.
- Monitor /etc/iscsi/initiatorname.iscsi for unauthorized modifications.
- Audit Host.other_config:iscsi_iqn on all pool hosts.
- Verify that /etc/iscsi/initiatorname.iscsi matches expected values.

Validate IQN format. Enforce RFC 3720 IQN format validation at write time. Reject values that do not conform to the iqn.YYYY-MM.domain:identifier pattern.
Add map_keys_roles. Protect iscsi_iqn in datamodel_host.ml at _R_POOL_ADMIN to prevent pool-operator from modifying the host's iSCSI identity.
Immutable host identity. The iSCSI initiator name should be set once during host installation and not modifiable through the API without explicit pool-admin authorization.
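The following is an added example (Python, not XAPI code) that implements both the detection step of reconciling Host.other_config:iscsi_iqn against /etc/iscsi/initiatorname.iscsi and the RFC 3720 format check recommended above. The initiatorname.iscsi contents, the other_config map and the inventory IQN are constructed sample values; requiring at least two labels in the naming authority is this check's own assumption.

```python
import re
from typing import Dict, List, Optional

# RFC 3720 iqn. form: iqn.<yyyy-mm>.<reversed naming authority>[:<unique string>],
# built only from lowercase ASCII letters, digits, '.', '-' and ':'; whole name <= 223 bytes.
# Requiring at least two labels in the naming authority is this check's assumption.
_IQN_RE = re.compile(
    r"iqn\.(?P<year>\d{4})-(?P<month>0[1-9]|1[0-2])\."
    r"(?P<authority>[a-z0-9](?:[a-z0-9-]*[a-z0-9])?(?:\.[a-z0-9](?:[a-z0-9-]*[a-z0-9])?)+)"
    r"(?::(?P<ident>[a-z0-9.:-]+))?"
)
IQN_MAX_LEN = 223

def validate_iqn(value: str) -> bool:
    """True only for a well-formed RFC 3720 IQN; the check the write path should enforce."""
    if not isinstance(value, str) or len(value.encode("utf-8")) > IQN_MAX_LEN:
        return False
    # fullmatch also rejects embedded whitespace or newlines that would corrupt the identity file.
    return _IQN_RE.fullmatch(value) is not None

def parse_initiatorname(contents: str) -> Optional[str]:
    """Return the InitiatorName= value from /etc/iscsi/initiatorname.iscsi contents."""
    for line in contents.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, val = line.partition("=")
        if sep and key.strip() == "InitiatorName":
            return val.strip()
    return None

def check_host(other_config: Dict[str, str], initiatorname_file: str, expected: str) -> List[str]:
    """Detection: report every way a host's iSCSI identity deviates from the inventory value."""
    findings = []
    configured = other_config.get("iscsi_iqn")
    on_disk = parse_initiatorname(initiatorname_file)
    if configured is not None and not validate_iqn(configured):
        findings.append("other_config:iscsi_iqn is not a valid RFC 3720 IQN")
    if configured is not None and configured != expected:
        findings.append(f"other_config:iscsi_iqn={configured!r} differs from inventory {expected!r}")
    if on_disk != expected:
        findings.append(f"initiatorname.iscsi holds {on_disk!r}, expected {expected!r}")
    return findings

# Constructed sample data (not captured from a live host): inventory says host01,
# but other_config and the identity file both carry the advisory's spoofed IQN.
EXPECTED_IQN = "iqn.2004-10.org.example.lab:host01"
SAMPLE_OTHER_CONFIG = {"iscsi_iqn": "iqn.2001-01.com.victim:storage1"}
SAMPLE_FILE = "## DO NOT EDIT OR REMOVE THIS FILE!\nInitiatorName=iqn.2001-01.com.victim:storage1\n"
```

Calling check_host(SAMPLE_OTHER_CONFIG, SAMPLE_FILE, EXPECTED_IQN) on the constructed sample yields two findings: the other_config value and the on-disk initiator name both differ from inventory, even though the spoofed string is itself a well-formed IQN.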
Upstream patches exist. They are held privately pending coordinated disclosure.
Disclosure:
- datamodel_host.ml:2929-2934 (field definition), xapi_host_helpers.ml:584-595 (event watcher sync to initiator name file)
- disclosure/advisories/hoc-security-advisory.md (HOC-2)
- research/investigations/host-other-config.md
- Discovered and reported by Jakob Wolffhechel, Moksha.