A vm-admin in XAPI-based hypervisors (XenServer, XCP-ng) can mark any VDI as a cloud-init config drive by setting config-drive=true in VDI.other_config. The config-drive key is defined in xapi_globs.ml:289 as a sync key and consumed by import.ml:1180 during migration and restore operations. When a non-config VDI is falsely flagged, guest cloud-init agents misinterpret its contents as trusted hypervisor-provided metadata, potentially initializing the guest with attacker-controlled configuration. The VDI.other_config field has no per-key RBAC protection for the config-drive key.
VDI.other_config is a Map(String, String) field writable by vm-admin. The config-drive key controls whether a VDI is treated as a cloud-init metadata source during migration and import operations.
The code path:
vm-admin sets config-drive=true on a non-config VDI: VDI.add_to_other_config(vdi, "config-drive", "true")xapi_globs.ml:289 as part of vdi_other_config_sync_keysimport.ml:1180 synchronizes the config-drive flag to the destinationNo validation occurs on the config-drive value. The flag is a simple presence check - any non-empty value is treated as true.
Missing RBAC protection. VDI.other_config has map_keys_roles entries only for folder and XenCenter.CustomFields.*. The config-drive key is writable by vm-admin without restriction.
No VDI content validation. The config-drive flag is a simple metadata tag. No check verifies that the VDI actually contains valid cloud-init metadata in the expected format (ISO 9660, VFAT, or similar).
Trusted metadata channel abuse. Guest cloud-init agents treat hypervisor-provided config drives as fully trusted. The hypervisor provides no mechanism for the guest to verify the provenance of the config drive flag.
set_other_config RBAC bypass. The set_other_config method replaces the entire map atomically and bypasses map_keys_roles per-key checks entirely.
| Scenario | Impact | Pre-conditions | Status |
|---|---|---|---|
| Config drive injection | Mark a data VDI as config-drive; guest cloud-init reads attacker data as configuration | vm-admin, cloud-init guest | Live-tested (flag accepted) |
| Migration propagation | False config-drive flag propagates to destination pool during migration | vm-admin, cross-pool migration | Source-traced |
| Guest misconfiguration | Guest initializes with wrong network config, repos, or SSH keys from fake config drive | vm-admin, cloud-init guest | Modeled |
| BOC-1 chain | vm-admin uses BOC-1 S3 to bulk-modify config-drive flags across all VDIs | vm-admin, BOC-1 | Source-traced |
config-drive=true on data VDIs across the pool, causing widespread guest misconfiguration on next migration or restore.VDI.other_config for unexpected config-drive=true entries on non-config VDIsdisclosure/vendor-detection-guidance.mdVDI.other_config records for unexpected config-drive flagsvm-admin delegated access to trusted administrators onlyAdd map_keys_roles protection. Restrict config-drive to _R_POOL_ADMIN in the VDI field definition in datamodel.ml.
Validate config drive content. When config-drive=true is set, verify that the VDI contains valid cloud-init metadata format before accepting the flag.
Upstream patches exist. They are held privately pending coordinated disclosure.
Disclosure:
xapi_globs.ml:289 (vdi_other_config_sync_keys definition), import.ml:1180 (config-drive sync during import), datamodel.ml:6310-6315 (VDI.other_config field definition)disclosure/advisories/doc-security-advisory.md (DOC-7)research/investigations/vdi-other-config.mdDiscovered and reported by Jakob Wolffhechel, Moksha.