MOKSHA-2026-0049: HIMN Identity Hijack + DHCP Manipulation via Network.other_config

Advisory ID: MOKSHA-2026-0049
Semantic ID: NOC-4
Published: 2026-04-24
CVSS 3.1: 5.5 Medium
CVSS 3.1 Vector: AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:H
CVSS 4.0: 5.1 Medium
CVSS 4.0 Vector: AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
XAPI Object: Network
XAPI Field: other_config:is_host_internal_management_network
Entry Role: pool-operator
Researcher: Jakob Wolffhechel, Moksha

Affected Products

Vendor | Product | Versions
Citrix / Cloud Software Group | XenServer / Citrix Hypervisor | all versions (shared XAPI codebase)
Vates | XCP-ng | 8.3.0

Summary

A pool-operator on XAPI-based hypervisors (XenServer, XCP-ng) can hijack the Host Internal Management Network (HIMN) identity or manipulate guest VM DHCP configuration by writing the is_host_internal_management_network, ip_begin, ip_end, and netmask keys in Network.other_config. get_special_network (helpers.ml:833-846) identifies the HIMN by searching all networks for the is_host_internal_management_network=true key, and xapi_udhcpd.ml:271-283 uses ip_begin and ip_end to configure the DHCP range handed to guest VMs. Marking a second network as HIMN makes that lookup ambiguous; rewriting the DHCP range enables IP exhaustion or assignment of addresses outside the expected 169.254.0.0/16 link-local range.

Vulnerability Description

Network.other_config is a Map(String, String) field writable by pool-operator. The HIMN is identified by the presence of specific keys in this field rather than through a dedicated, protected API field.

The HIMN identity mechanism:

  1. helpers.ml:833-846 defines get_special_network which calls List.find on all networks
  2. It checks is_host_internal_management_network=true in Network.other_config
  3. List.find returns the first match in database enumeration order; if more than one network carries the key, which one wins is nothing the caller controls or can predict
  4. A pool-operator marks a second network as HIMN: Network.add_to_other_config(network, "is_host_internal_management_network", "true")
  5. XAPI's HIMN identification becomes ambiguous

The DHCP configuration path:

  1. xapi_network.ml:54 reads ip_begin from Network.other_config
  2. xapi_udhcpd.ml:271-283 reads ip_begin and ip_end to configure the DHCP range
  3. xapi_network.ml:55 reads netmask for bridge IP configuration
  4. A pool-operator modifies these keys: Network.add_to_other_config(himn, "ip_begin", "10.0.0.1")
  5. The DHCP server assigns IPs from the attacker-controlled range
  6. Guest VMs receive IPs outside the expected 169.254.0.0/16 link-local range

The HIMN keys confirmed on a live host:

is_guest_installer_network: true
is_host_internal_management_network: true
ip_begin: 169.254.0.1
ip_end: 169.254.255.254
netmask: 255.255.0.0
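The two code paths above, modelled in Python against constructed network records so the behaviour can be exercised without a pool. This is an added illustration, not XAPI's OCaml and not the researcher's proof of concept: get_special_network here mirrors the List.find lookup in helpers.ml, dhcp_range mirrors what xapi_udhcpd derives from ip_begin/ip_end, and the UUIDs, the two non-HIMN networks and the scenario functions are this example's own. The HIMN's other_config values are the ones listed above; the XenAPI SDK call named in a comment is the pool-operator's real entry point.

```python
import copy
import ipaddress
from typing import Optional

HIMN_KEY = "is_host_internal_management_network"
LINK_LOCAL = ipaddress.IPv4Network("169.254.0.0/16")

# Constructed pool: three Network records carrying the other_config map as
# XAPI stores it (Map(String, String)). The HIMN's values are the ones the
# advisory lists from a live host; UUIDs and the other two networks are made up.
POOL = [
    {"uuid": "n-0001", "name_label": "Pool-wide network associated with eth0",
     "other_config": {}},
    {"uuid": "n-0002", "name_label": "Host internal management network",
     "other_config": {
         "is_guest_installer_network": "true",
         HIMN_KEY: "true",
         "ip_begin": "169.254.0.1",
         "ip_end": "169.254.255.254",
         "netmask": "255.255.0.0",
     }},
    {"uuid": "n-0003", "name_label": "Private network", "other_config": {}},
]


def fresh_pool():
    """Deep copy so each scenario starts from the clean pool."""
    return copy.deepcopy(POOL)


def get_special_network(networks, key=HIMN_KEY) -> Optional[dict]:
    """Python rendering of helpers.ml get_special_network: List.find semantics,
    i.e. the first record in enumeration order whose other_config carries
    key=true. Returns None when nothing matches."""
    return next((n for n in networks if n["other_config"].get(key) == "true"), None)


def himn_claimants(networks):
    """Every network that claims HIMN identity; a sane pool has exactly one."""
    return [n["uuid"] for n in networks if n["other_config"].get(HIMN_KEY) == "true"]


def add_to_other_config(network, key, value):
    """Stand-in for Network.add_to_other_config, which a pool-operator may call
    (XenAPI Python SDK: session.xenapi.network.add_to_other_config(ref, key, value))."""
    network["other_config"][key] = value


def dhcp_range(network):
    """What xapi_udhcpd derives from ip_begin/ip_end. As in the real code, the
    only check is that the strings parse as addresses; returns (begin, end, size)."""
    begin = ipaddress.IPv4Address(network["other_config"]["ip_begin"])
    end = ipaddress.IPv4Address(network["other_config"]["ip_end"])
    return begin, end, int(end) - int(begin) + 1


def range_is_link_local(network) -> bool:
    begin, end, _ = dhcp_range(network)
    return begin in LINK_LOCAL and end in LINK_LOCAL


def identity_hijack():
    """Scenario: a pool-operator marks a network that enumerates before the real
    HIMN. Returns (uuid chosen before, uuid chosen after, all claimants)."""
    pool = fresh_pool()
    before = get_special_network(pool)["uuid"]
    add_to_other_config(pool[0], HIMN_KEY, "true")   # n-0001 now also claims HIMN
    after = get_special_network(pool)["uuid"]
    return before, after, himn_claimants(pool)


def range_manipulation():
    """Scenario: the same operator rewrites the real HIMN's DHCP range to two
    routable addresses. Returns (size before, size after, link-local before, after)."""
    pool = fresh_pool()
    himn = next(n for n in pool if n["uuid"] == "n-0002")
    size_before = dhcp_range(himn)[2]
    ll_before = range_is_link_local(himn)
    add_to_other_config(himn, "ip_begin", "10.0.0.1")
    add_to_other_config(himn, "ip_end", "10.0.0.2")
    return size_before, dhcp_range(himn)[2], ll_before, range_is_link_local(himn)


if __name__ == "__main__":
    print("identity hijack:", identity_hijack())
    print("range manipulation:", range_manipulation())
```

Running it shows the lookup flipping from n-0002 to n-0001 once a second claimant appears, and the DHCP pool shrinking from 65534 link-local addresses to two routable ones, which is the exhaustion and non-link-local case from the table below.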

Root Causes

  1. Identity via mutable metadata. The HIMN is identified by a key in Network.other_config rather than through a first-class, immutable field. Any pool-operator can create or remove HIMN identity on any network.

  2. Missing RBAC protection. Network.other_config only protects UI keys (folder, XenCenter.CustomFields.*, XenCenterCreateInProgress). All HIMN infrastructure keys are writable by pool-operator.

  3. Ambiguous identity resolution. List.find returns the first match when multiple networks claim HIMN identity, so the winner depends on database enumeration order, which the administrator neither sees nor controls.

  4. Unvalidated DHCP configuration. The ip_begin, ip_end, and netmask values receive only syntactic validation (inet_addr_of_string rejects strings that do not parse as an address) and no semantic validation. Addresses outside the link-local range, overlapping ranges, and extreme ranges (a handful of addresses, which is what makes exhaustion possible) are all accepted.

Affected Systems

Directly Affected

Indirectly Affected

Exploitation Scenarios

Scenario | Impact | Pre-conditions | Status
HIMN identity hijack | Mark a second network as HIMN, creating identity ambiguity | pool-operator | Source-traced
DHCP range manipulation | Change IP range for guest VMs, assign IPs outside link-local | pool-operator, HIMN network | Source-traced
IP exhaustion | Narrow the DHCP range to exhaust available addresses | pool-operator, HIMN network | Modeled
Guest connectivity disruption | Assign non-link-local IPs, breaking guest agent communication | pool-operator, HIMN network | Modeled
BOC-1 chain | vm-admin uses BOC-1 S3 to self-grant pool-operator, then manipulates HIMN | vm-admin, BOC-1 | Source-traced

Chaining Analysis

Detection

Remediation

Short-Term Mitigations

Long-Term Fix

Promote HIMN identity to a first-class field. Make HIMN identity an immutable, XAPI-managed property rather than a user-writable other_config key.

Protect HIMN keys via map_keys_roles. Add is_host_internal_management_network, is_guest_installer_network, ip_begin, ip_end, and netmask at _R_LOCAL_ROOT_ONLY in the Network field definition.

Validate DHCP range. Enforce that ip_begin and ip_end fall within the expected link-local subnet.
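One shape the second and third fixes could take, as an added Python example; it is not the private upstream patch and not XAPI's OCaml. The map_keys_roles entry is modelled as a dict that names which role may write each protected key, and the semantic checks run on the map that a Network.add_to_other_config call would produce. The role labels, the function names and the constructed pool are this example's own assumptions.

```python
import ipaddress

HIMN_KEY = "is_host_internal_management_network"
LINK_LOCAL = ipaddress.IPv4Network("169.254.0.0/16")

# Model of the proposed map_keys_roles entry: these keys become writable only
# by the local root session; unlisted keys keep today's pool-operator
# writability. The role strings are this example's own labels.
PROTECTED_KEYS = {
    HIMN_KEY: "local-root",
    "is_guest_installer_network": "local-root",
    "ip_begin": "local-root",
    "ip_end": "local-root",
    "netmask": "local-root",
}

# Constructed pool with one genuine HIMN (values as listed from a live host).
POOL = [
    {"uuid": "n-0001", "other_config": {}},
    {"uuid": "n-0002", "other_config": {
        "is_guest_installer_network": "true", HIMN_KEY: "true",
        "ip_begin": "169.254.0.1", "ip_end": "169.254.255.254",
        "netmask": "255.255.0.0"}},
]


class RejectedWrite(Exception):
    """A proposed other_config write failed a check."""


def _addr(other_config, key):
    """Parse other_config[key] as IPv4, or return None if the key is absent."""
    if key not in other_config:
        return None
    try:
        return ipaddress.IPv4Address(other_config[key])
    except ValueError as exc:
        raise RejectedWrite(f"{key}: {other_config[key]!r} is not an IPv4 address") from exc


def validate_dhcp_range(other_config):
    """The semantic checks the advisory says are missing: each end inside
    169.254.0.0/16, ip_begin <= ip_end, netmask equal to the link-local mask."""
    begin, end = _addr(other_config, "ip_begin"), _addr(other_config, "ip_end")
    for key, addr in (("ip_begin", begin), ("ip_end", end)):
        if addr is not None and addr not in LINK_LOCAL:
            raise RejectedWrite(f"{key} {addr} is outside {LINK_LOCAL}")
    if begin is not None and end is not None and begin > end:
        raise RejectedWrite(f"ip_begin {begin} is after ip_end {end}")
    mask = _addr(other_config, "netmask")
    if mask is not None and mask != LINK_LOCAL.netmask:
        raise RejectedWrite(f"netmask {mask} does not match {LINK_LOCAL.netmask}")


def check_other_config_write(networks, target, key, value, caller_role):
    """Guard for Network.add_to_other_config(target, key, value): role check
    first, then uniqueness of the HIMN claim, then the range checks whenever
    the target is (or would become) the HIMN. Returns the resulting map."""
    required = PROTECTED_KEYS.get(key)
    if required is not None and caller_role != required:
        raise RejectedWrite(f"{key} requires role {required}, caller has {caller_role}")
    proposed = {**target["other_config"], key: value}
    if proposed.get(HIMN_KEY) == "true":
        others = [n["uuid"] for n in networks
                  if n is not target and n["other_config"].get(HIMN_KEY) == "true"]
        if others:
            raise RejectedWrite(f"HIMN identity already held by {others}")
        validate_dhcp_range(proposed)
    return proposed


def try_write(networks, target_uuid, key, value, caller_role):
    """Wrapper returning (accepted, detail) instead of raising; does not mutate."""
    target = next(n for n in networks if n["uuid"] == target_uuid)
    try:
        check_other_config_write(networks, target, key, value, caller_role)
        return True, "accepted"
    except RejectedWrite as exc:
        return False, str(exc)


if __name__ == "__main__":
    for args in [("n-0001", HIMN_KEY, "true", "pool-operator"),
                 ("n-0001", HIMN_KEY, "true", "local-root"),
                 ("n-0002", "ip_begin", "10.0.0.1", "local-root"),
                 ("n-0002", "ip_end", "169.254.0.0", "local-root"),
                 ("n-0002", "folder", "/lab", "pool-operator")]:
        print(args, "->", try_write(POOL, *args))
```

The role check alone closes the pool-operator path; the uniqueness and range checks additionally stop a privileged but mistaken write from recreating the same conditions, which is the point of validating at the field rather than relying on the caller.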

Upstream patches exist. They are held privately pending coordinated disclosure.

Disclosure

Disclosure:

References

Credits

Discovered and reported by Jakob Wolffhechel, Moksha.

Jakob Wolffhechel · Moksha · Copenhagen
jakob@wolffhechel.dk · +45 3170 7337
Published 2026-04-24 08:00 CEST · cna.moksha.dk · shittrix.moksha.dk