MOKSHA-2026-0050: LUNperVDI Mode Manipulation via SR.sm_config

Summary

A pool-operator in XAPI-based hypervisors (XenServer, XCP-ng) can corrupt the VDI management mode of an SR by adding or removing the LUNperVDI key in SR.sm_config. The LUNperVDI key, defined at SR.py:37 and set by SR._addLUNperVDIkey() at SR.py:228, controls whether the SR maps one LUN per VDI or uses a shared LUN with VHD containers. Adding LUNperVDI=true to a non-LUN-per-VDI SR or removing it from a LUN-per-VDI SR causes VDI management mode mismatch, leading to VDI creation, deletion, and scanning failures. The SR.sm_config field has zero map_keys_roles entries and remains writable after SR creation.

Vulnerability Description

SR.sm_config is a Map(String, String) field writable by pool-operator. The LUNperVDI key controls a fundamental aspect of the SR's storage architecture - whether each VDI corresponds to a separate LUN or whether multiple VDIs share a single LUN in VHD format.

The code path:

1. During SR.create, the SM driver calls SR._addLUNperVDIkey() at SR.py:228
2. _addLUNperVDIkey() sets sm_config["LUNperVDI"] = "true" via XAPI for SRs that use one-LUN-per-VDI mode
3. The key persists in the database as part of SR.sm_config
4. A pool-operator modifies the key:
   • Adds LUNperVDI=true to a shared-LUN SR: SR.add_to_sm_config(sr, "LUNperVDI", "true")
   • Or removes it from a LUN-per-VDI SR: SR.remove_from_sm_config(sr, "LUNperVDI")
5. On the next SR operation, the driver reads sm_config and uses the wrong VDI management mode
6. VDI creation uses wrong assumptions about LUN mapping
7. VDI scanning returns incorrect results or fails
8. VDI deletion targets wrong storage objects

The xe CLI rejects sm_config writes with "Map field 'sm-config' is read-only", but direct XenAPI calls (SR.add_to_sm_config, SR.remove_from_sm_config) succeed. The CLI provides a false sense of immutability.

Root Causes

1. Missing field immutability. SR.sm_config is qualifier:RW despite containing keys that define the SR's storage architecture. The LUNperVDI key is set during SR.create and should be immutable afterward.

2. Missing RBAC protection. SR.sm_config has zero map_keys_roles entries. The LUNperVDI key inherits the class default _R_POOL_OP.

3. CLI/API inconsistency. The xe CLI rejects sm_config writes, but the XenAPI accepts them. This creates a false sense of immutability for operators who only use the CLI.

4. No consistency check. The driver does not verify that the LUNperVDI mode matches the actual storage layout. A mismatch between the key and the physical storage structure causes operational failures.

Affected Systems

Directly Affected

• XenServer / Citrix Hypervisor - all versions (shared SM driver codebase)
• XCP-ng - all versions (confirmed on 8.3.0)

Indirectly Affected

• HBA SRs - primary SR type using LUNperVDI mode
• iSCSI SRs with RawHBA mode - affected by LUNperVDI mode manipulation
• All VMs on affected SRs - VDI operations fail due to mode mismatch

Exploitation Scenarios

Chaining Analysis

• BOC-1 + SSMC-5: vm-admin uses BOC-1 S3 (RBAC collapse) to self-grant pool-operator, then modifies the LUNperVDI key to corrupt VDI management mode on HBA SRs.
• SSMC-5 + SSMC-3: LUNperVDI mode manipulation (SSMC-5) combined with LUNid corruption (SSMC-3) creates compound storage confusion - the driver uses wrong management mode AND targets wrong LUNs.

Detection

• Monitor SR.sm_config for modifications to the LUNperVDI key after SR creation
• Alert on LUNperVDI key changes on any active SR
• Compare SR.sm_config snapshots between monitoring intervals for drift
• See rule S-05 in disclosure/vendor-detection-guidance.md

Remediation

Short-Term Mitigations

• Audit all SR.sm_config records for unexpected LUNperVDI values
• Verify that the LUNperVDI key matches the actual storage architecture on each SR
• Monitor for VDI operation failures correlated with sm_config changes

Long-Term Fix

Enforce sm_config immutability. Driver-set keys like LUNperVDI should be immutable after SR.create. Implement a write-once mechanism for architecture-defining keys.

Add map_keys_roles. Protect LUNperVDI at _R_LOCAL_ROOT_ONLY in datamodel.ml.

Add consistency verification. When reading LUNperVDI, verify that the storage layout matches the expected mode. Log a warning if a mismatch is detected.

Upstream patches exist. They are held privately pending coordinated disclosure.

Disclosure

Disclosure:

• Public release: 2026-04-24 08:00 CEST
• CERT/CC notified: 2026-04-23
• MITRE CVE reservation filed: 2026-04-09 (no response as of publication)
• EU CVE registers notified: 2026-04-18 (GCVE/CIRCL, ENISA, DIVD - no response)
• Vendor (Cloud Software Group / Citrix): not contacted pre-publication
• Downstream maintainer (Vates/XCP-ng): contacted 2026-04-23 with conditional patch offer

References

• XAPI source: datamodel.ml:4949-4953 (SR.sm_config field definition), SR.py:37 (LUNPERVDI constant), SR.py:228 (_addLUNperVDIkey writes the key)
• Thematic advisory: disclosure/advisories/ssmc-security-advisory.md (SSMC-5)
• Investigation: research/investigations/sr-sm-config.md

Credits

Discovered and reported by Jakob Wolffhechel, Moksha.