MOKSHA-2026-0046: MTU Manipulation / Network Partition via PIF.other_config

Summary

A pool-operator in XAPI-based hypervisors (XenServer, XCP-ng) can cause network partition by setting the mtu key in PIF.other_config to an extreme value. The nm.ml:36-43 function parses the value with int_of_string and applies it as the interface MTU with no range validation. Setting MTU too low on the management interface causes packet drops that partition the host from the pool. Setting MTU too high causes fragmentation and dropped jumbo frames. On pools with HA enabled, management network partitioning triggers HA fencing.

Vulnerability Description

PIF.other_config is a Map(String, String) field writable by pool-operator with zero map_keys_roles entries. The mtu key overrides the Network-level MTU setting with highest precedence in the other_config merge chain.

The code path:

1. pool-operator calls PIF.add_to_other_config(pif, "mtu", "68") (minimum MTU, or any extreme value)
2. On PIF plug or bring_pif_up, nm.determine_mtu at nm.ml:36-43 reads the mtu key
3. The value is parsed with int_of_string - no range validation is performed
4. On parse failure, it defaults to the Network MTU; on success, the raw integer is used
5. The MTU is applied to the physical interface via xcp-networkd
6. If the management interface MTU is too low, management traffic is silently dropped
7. The host becomes unreachable from the pool - XAPI heartbeat fails

PIF.other_config has the highest merge precedence in nm.ml:112-120: it overrides both Network.other_config and Pool.other_config. A PIF-level MTU override cannot be counteracted at the pool or network level.

Root Causes

1. Missing input validation. The nm.determine_mtu function at nm.ml:36-43 accepts any integer value. No range check enforces the valid MTU range (68-9216 for most interfaces).

2. Missing RBAC protection. PIF.other_config has zero map_keys_roles entries. The mtu key is writable by any pool-operator.

3. Highest merge precedence. PIF.other_config overrides pool-wide and network-level MTU settings. A per-PIF MTU injection cannot be overridden by administrators at a higher scope.

4. No operational safeguard. No check verifies whether the new MTU value is compatible with the current network topology or whether the interface carries management traffic.

Affected Systems

Directly Affected

• XenServer / Citrix Hypervisor - all versions (shared XAPI codebase)
• XCP-ng - all versions (confirmed on 8.3.0)

Indirectly Affected

• All VMs on the affected host - lose network connectivity if the management interface is partitioned
• HA subsystem - management network partition triggers HA fencing, causing host reboot and VM failover
• Storage networks - MTU mismatch on storage-carrying PIFs causes storage I/O failures

Exploitation Scenarios

Chaining Analysis

• BOC-1 + POC-3: vm-admin uses BOC-1 S3 (RBAC collapse) to reach pool-operator, then sets extreme MTU on the management PIF, partitioning the host.
• POC-3 + PLOC-2: MTU manipulation (POC-3) on storage-carrying PIFs combined with HA timeout manipulation (PLOC-2) creates controlled host isolation and fencing.
• POC-3 + SMC-1: MTU disruption on storage networks amplifies SMC-1 attacks by causing retransmissions, timeouts, and protocol-level errors.

Detection

• Monitor PIF.other_config for mtu key changes, especially on management PIFs
• Alert on MTU values outside the range 1280-9216
• Monitor for HA fencing events correlated with PIF configuration changes
• See rule PI-03 in disclosure/vendor-detection-guidance.md

Remediation

Short-Term Mitigations

• Audit all PIF.other_config records for unexpected mtu values
• Verify management interface MTU is correct on all hosts
• Restrict pool-operator role grants to trusted administrators

Long-Term Fix

Validate MTU range at write time. Reject mtu values outside the range 68-9216 in PIF.add_to_other_config or add write-time validation in nm.determine_mtu.

Add map_keys_roles. Protect the mtu key at _R_POOL_ADMIN in the PIF field definition.

Add operational guard. Warn or reject MTU changes on management-carrying PIFs that could partition the host.

Upstream patches exist. They are held privately pending coordinated disclosure.

Disclosure

Disclosure:

• Public release: 2026-04-24 08:00 CEST
• CERT/CC notified: 2026-04-23
• MITRE CVE reservation filed: 2026-04-09 (no response as of publication)
• EU CVE registers notified: 2026-04-18 (GCVE/CIRCL, ENISA, DIVD - no response)
• Vendor (Cloud Software Group / Citrix): not contacted pre-publication
• Downstream maintainer (Vates/XCP-ng): contacted 2026-04-23 with conditional patch offer

References

• XAPI source: nm.ml:36-43 (determine_mtu, no range validation), nm.ml:112-120 (merge precedence), datamodel.ml:2784-2788 (PIF.other_config field definition)
• Thematic advisory: disclosure/advisories/poc-security-advisory.md (POC-3)
• Investigation: research/investigations/pif-other-config.md

Credits

Discovered and reported by Jakob Wolffhechel, Moksha.