← Advisory Index « MOKSHA-2026-0049 MOKSHA-2026-0051 »

MOKSHA-2026-0050: LUNperVDI Key Injection via SR.sm_config (dead code)

Advisory ID	MOKSHA-2026-0050
GCVE ID	GCVE-117-2026-0050
Semantic ID	SSMC-5
Published	2026-04-24
CVSS 3.1	2.7 Low
CVSS 3.1 Vector	`AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N`
CVSS 4.0	5.1 Medium
CVSS 4.0 Vector	`AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N`
XAPI Object	`SR`
XAPI Field	`sm_config:LUNperVDI`
Entry Role	pool-operator
Researcher	Jakob Wolffhechel, Moksha

Affected Products

Vendor	Product	Versions
Citrix / Cloud Software Group	XenServer / Citrix Hypervisor	all versions (shared XAPI codebase)
Vates	XCP-ng	8.3.0

Summary

A pool-operator in XAPI-based hypervisors (XenServer, XCP-ng) can inject the LUNperVDI key into SR.sm_config. The key is defined at SR.py:37 and SR._addLUNperVDIkey() exists at SR.py:226, but source analysis confirms _addLUNperVDIkey() is never called by any SM driver and no driver reads sm_config["LUNperVDI"] to decide behavior. The key is an SR-type marker, not a behavioral toggle. Impact is limited to key persistence in the XAPI database without backend consumption. The SR.sm_config field has zero map_keys_roles entries and remains writable after SR creation.

Vulnerability Description

SR.sm_config is a Map(String, String) field writable by pool-operator. The LUNperVDI key was intended to mark whether an SR uses one-LUN-per-VDI mode.

The code path:

SR._addLUNperVDIkey() is defined at SR.py:226 to set sm_config["LUNperVDI"] = "true"
However, _addLUNperVDIkey() is never called by any SM driver in the codebase
No SM driver reads sm_config["LUNperVDI"] to decide behavior
LUNperVDI.py is a separate driver module (used by RawISCSISR and HBASR) - it is the raw-LUN driver itself, not something controlled by the sm_config key
A pool-operator can inject the key: SR.add_to_sm_config(sr, "LUNperVDI", "true")
The key persists in the XAPI database but has no backend effect

The xe CLI rejects sm_config writes with "Map field 'sm-config' is read-only", but direct XenAPI calls (SR.add_to_sm_config, SR.remove_from_sm_config) succeed. The CLI provides a false sense of immutability.

Root Causes

Missing field immutability. SR.sm_config is qualifier:RW despite containing keys that define the SR's storage architecture. The LUNperVDI key is set during SR.create and should be immutable afterward.
Missing RBAC protection. SR.sm_config has zero map_keys_roles entries. The LUNperVDI key inherits the class default _R_POOL_OP.
CLI/API inconsistency. The xe CLI rejects sm_config writes, but the XenAPI accepts them. This creates a false sense of immutability for operators who only use the CLI.
Dead code marker. _addLUNperVDIkey() is defined but never called. The key exists as a vestigial marker with no runtime consumer.

Affected Systems

Directly Affected

XenServer / Citrix Hypervisor - all versions (shared SM driver codebase)
XCP-ng - all versions (confirmed on 8.3.0)

Indirectly Affected

No backend impact demonstrated. The LUNperVDI key is dead code (never read by any SM driver)

Exploitation Scenarios

Scenario	Impact	Pre-conditions	Status
Key injection	LUNperVDI=true persists in sm_config	pool-operator	Source-traced (W)
No backend effect	`_addLUNperVDIkey()` is dead code; no driver reads the key	n/a	Confirmed via source trace

Chaining Analysis

BOC-1 + SSMC-5: vm-admin uses BOC-1 S3 (RBAC collapse) to self-grant pool-operator, then injects the LUNperVDI key. The key persists but has no backend effect (dead code).
The standalone RBAC violation (writable sm_config without map_keys_roles) remains valid regardless of backend impact.

Detection

Monitor SR.sm_config for modifications to the LUNperVDI key after SR creation
Alert on LUNperVDI key changes on any active SR
Compare SR.sm_config snapshots between monitoring intervals for drift
See rule S-05 in disclosure/vendor-detection-guidance.md

Remediation

Short-Term Mitigations

Audit all SR.sm_config records for unexpected LUNperVDI values (indicator of unauthorized metadata writes)
Monitor for SR.add_to_sm_config calls from non-SM sessions

Long-Term Fix

Add map_keys_roles. Protect LUNperVDI at _R_LOCAL_ROOT_ONLY in datamodel.ml. While the key has no backend consumer, the RBAC violation (pool-operator writing driver metadata) remains valid.

Remove dead code. _addLUNperVDIkey() at SR.py:226 is never called and can be safely removed.

Disclosure

Disclosure:

Public release: 2026-04-24 08:00 CEST
CERT/CC notified: 2026-04-23 (closed same day)
MITRE CVE reservation filed: 2026-04-09 (no response as of publication)
GCVE/CIRCL: notified 2026-04-18; Moksha approved as GNA #117 on 2026-04-28
DIVD: notified 2026-04-18; responded 2026-04-28
ENISA: notified 2026-04-18 (no response as of 2026-04-29)
Vendor (Cloud Software Group / Citrix): not contacted pre-publication
Downstream maintainer (Vates/XCP-ng): contacted 2026-04-23 with conditional patch offer (no response as of 2026-05-11)
Vendor patch (partial): XSA-489 (2026-05-06, 5 of 89 findings)
Downstream advisory: VATES-SA-2026-011

References

XAPI source: datamodel.ml:4949-4953 (SR.sm_config field definition), SR.py:37 (LUNPERVDI constant), SR.py:228 (_addLUNperVDIkey writes the key)
Thematic advisory: disclosure/advisories/ssmc-security-advisory.md (SSMC-5)
Investigation: research/investigations/sr-sm-config.md

Credits

Discovered and reported by Jakob Wolffhechel, Moksha.

Machine-readable: MOKSHA-2026-0050.json (CVE JSON 5.1 schema)

← Advisory Index « MOKSHA-2026-0049 MOKSHA-2026-0051 »

Jakob Wolffhechel · Moksha · Copenhagen
jakob@wolffhechel.dk · +45 3170 7337
Published 2026-04-24 08:00 CEST · cna.moksha.dk