MOKSHA-2026-0047: DNS Search Domain Injection via PIF.other_config domain

Summary

A pool-operator in XAPI-based hypervisors (XenServer, XCP-ng) can inject arbitrary DNS search domains into the host's resolver configuration by writing to PIF.other_config:domain. The nm.ml:655-659 function reads this key, splits it on commas, and passes the resulting domain list directly to xcp-networkd for inclusion in the host's DNS search path. No validation is performed on domain names. Injected search domains cause unqualified hostname lookups to resolve through attacker-controlled domains, enabling DNS hijack of internal service discovery.

Vulnerability Description

PIF.other_config is a Map(String, String) field writable by pool-operator with zero map_keys_roles entries. The domain key controls the DNS search domain list for the host.

The code path:

1. pool-operator calls PIF.add_to_other_config(pif, "domain", "evil.com,attacker.net")
2. On PIF plug or bring_pif_up, nm.ml:655-659 reads the domain key
3. The value is split on commas to produce a list of search domains
4. No validation is performed on domain names - any string is accepted
5. The domains are passed to xcp-networkd, which writes them to /etc/resolv.conf
6. Host DNS resolver uses the injected search domains for unqualified lookups
7. ldap resolves to ldap.evil.com; ntp resolves to ntp.evil.com

PIF.other_config has the highest merge precedence in the other_config merge chain (nm.ml:112-120). DNS search domains set at the PIF level override pool-wide and network-level settings.

Root Causes

1. Missing input validation. The nm.ml:655-659 function accepts any comma-separated string as DNS search domains. No validation against RFC 1035 domain name format is performed.

2. Missing RBAC protection. PIF.other_config has zero map_keys_roles entries. The domain key is writable by any pool-operator.

3. Scope change. DNS search domain injection on the host affects all services that perform unqualified DNS lookups - including storage (iSCSI by name), authentication (LDAP/AD), time synchronization (NTP), and management tools. The impact crosses the hypervisor trust boundary into infrastructure services.

4. No logging of DNS configuration changes. No security-level log event is generated when DNS search domains are modified.

Affected Systems

Directly Affected

• XenServer / Citrix Hypervisor - all versions (shared XAPI codebase)
• XCP-ng - all versions (confirmed on 8.3.0)

Indirectly Affected

• Internal services using unqualified names - LDAP, NTP, SMTP, monitoring, storage discovered by hostname
• Authentication infrastructure - unqualified AD/LDAP lookups hijacked to attacker domains
• Storage connectivity - iSCSI targets referenced by hostname resolve to attacker-controlled IPs

Exploitation Scenarios

Chaining Analysis

• BOC-1 + POC-5: vm-admin uses BOC-1 S3 (RBAC collapse) to reach pool-operator, then injects DNS search domains to redirect internal service discovery.
• POC-5 + POC-2: DNS search domain injection (POC-5) combined with gateway/DNS routing hijack (POC-2) gives the attacker complete control over host name resolution and default routing.
• POC-5 + HOC-2: DNS domain injection (POC-5) combined with iSCSI IQN spoofing (HOC-2) enables complete iSCSI session hijack - the attacker controls both the DNS resolution of the target name and the initiator identity.

Detection

• Monitor PIF.other_config for changes to the domain key
• Monitor host /etc/resolv.conf for unexpected search domain entries
• Alert on DNS search domain changes outside of planned maintenance
• See rule PI-05 in disclosure/vendor-detection-guidance.md

Remediation

Short-Term Mitigations

• Audit all PIF.other_config entries for unexpected domain values
• Verify host /etc/resolv.conf contains only expected search domains
• Use fully qualified domain names (FQDNs) for all infrastructure services to reduce the impact of search domain injection

Long-Term Fix

Validate DNS search domains. Enforce RFC 1035 domain name format validation on the domain key at write time.

Add map_keys_roles. Protect the domain key at _R_POOL_ADMIN in the PIF field definition.

Use FQDN for internal services. Reduce reliance on search domains for service discovery.

Upstream patches exist. They are held privately pending coordinated disclosure.

Disclosure

Disclosure:

• Public release: 2026-04-24 08:00 CEST
• CERT/CC notified: 2026-04-23
• MITRE CVE reservation filed: 2026-04-09 (no response as of publication)
• EU CVE registers notified: 2026-04-18 (GCVE/CIRCL, ENISA, DIVD - no response)
• Vendor (Cloud Software Group / Citrix): not contacted pre-publication
• Downstream maintainer (Vates/XCP-ng): contacted 2026-04-23 with conditional patch offer

References

• XAPI source: nm.ml:655-659 (domain key read, comma split, no validation), nm.ml:112-120 (merge precedence), datamodel.ml:2784-2788 (PIF.other_config field definition)
• Thematic advisory: disclosure/advisories/poc-security-advisory.md (POC-5)
• Investigation: research/investigations/pif-other-config.md

Credits

Discovered and reported by Jakob Wolffhechel, Moksha.