← Advisory Index « MOKSHA-2026-0051 MOKSHA-2026-0053 »

MOKSHA-2026-0052: Leaked VBD Detection Spoofing via task_id/related_to

Advisory ID	MOKSHA-2026-0052
Semantic ID	BOC-5
Published	2026-04-24
CVSS 3.1	5.3 Medium
CVSS 3.1 Vector	`AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N`
CVSS 4.0	5.3 Medium
CVSS 4.0 Vector	`AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N`
XAPI Object	`VBD`
XAPI Field	`other_config:task_id, other_config:related_to`
Entry Role	vm-admin
Researcher	Jakob Wolffhechel, Moksha

Affected Products

Vendor	Product	Versions
Citrix / Cloud Software Group	XenServer / Citrix Hypervisor	all versions (shared XAPI codebase)
Vates	XCP-ng	8.3.0

Summary

A vm-admin in XAPI-based hypervisors (XenServer, XCP-ng) can spoof the task_id and related_to keys in VBD.other_config to evade leaked VBD detection. These keys are used internally by XAPI to track which task created a VBD and which control domain it belongs to. By injecting false values, an attacker can make malicious VBDs (including those created via BOC-1) appear as legitimate control-domain VBDs, causing the cleanup subsystem to skip them. VBD.other_config has zero map_keys_roles entries - no key is protected at the RBAC level.

Vulnerability Description

VBD.other_config is a Map(String, String) field writable by vm-admin with zero per-key RBAC protection. The task_id and related_to keys are XAPI-internal metadata used for VBD lifecycle tracking.

The code path:

When XAPI creates a VBD internally, it sets task_id to the creating task's OpaqueRef and related_to to the associated VM or control domain reference
The VBD leak detector uses these keys to determine whether a VBD is an orphaned artifact or a legitimate control-domain attachment
A vm-admin sets these keys on a malicious VBD: VBD.add_to_other_config(vbd, "task_id", "<valid_task_ref>") and VBD.add_to_other_config(vbd, "related_to", "<control_domain_ref>")
The leak detector reads the spoofed values and classifies the VBD as legitimate
The malicious VBD persists undetected

No validation occurs. XAPI does not verify that the task_id corresponds to an actual task or that related_to points to a real control domain.

Root Causes

Missing RBAC protection. VBD.other_config has zero map_keys_roles entries in datamodel.ml. The task_id and related_to keys are writable by vm-admin via add_to_other_config.
No reference validation. XAPI does not verify that the task_id value corresponds to a real task or that related_to points to an existing control domain. OpaqueRef strings are accepted without validation.
Security-relevant metadata in user-writable field. Internal tracking data (task_id, related_to) is stored in a field accessible to delegated administrators rather than in a protected internal field.
set_other_config RBAC bypass. The set_other_config method replaces the entire map atomically and bypasses map_keys_roles per-key checks entirely.

Affected Systems

Directly Affected

XenServer / Citrix Hypervisor - all versions (shared XAPI codebase)
XCP-ng - all versions (confirmed on 8.3.0)

Indirectly Affected

Monitoring and audit systems - trust XAPI metadata to detect orphaned or leaked VBDs
Compliance tools - rely on VBD lifecycle metadata for audit trails

Exploitation Scenarios

Scenario	Impact	Pre-conditions	Status
Leak detection evasion	Spoofed task_id/related_to causes cleanup to skip malicious VBD	vm-admin	Source-traced
BOC-1 persistence	After exploiting BOC-1 (backend-local mount), spoof tracking keys to avoid detection	vm-admin, BOC-1 VBD	Source-traced
Audit trail spoofing	Forge task_id to attribute VBD creation to a different task or administrator	vm-admin	Source-traced

Chaining Analysis

BOC-1 + BOC-5: After creating a malicious VBD via BOC-1 (arbitrary host device mount), the attacker spoofs task_id and related_to to make the VBD appear as a legitimate control-domain attachment. The VBD leak detector skips it, allowing the backdoor to persist undetected.
BOC-5 standalone: Even without BOC-1, spoofing these keys on any VBD corrupts the audit trail and evades lifecycle management.

Detection

Monitor VBD.other_config for writes to task_id and related_to keys from non-internal sessions
Cross-reference task_id values against the actual task database
Alert on related_to values pointing to control domains when the VBD was not created by an internal operation
See rule B-04 in disclosure/vendor-detection-guidance.md

Remediation

Short-Term Mitigations

Audit all VBD.other_config records for unexpected task_id and related_to entries
Cross-validate VBD lifecycle metadata against actual task history
Restrict vm-admin delegated access to trusted administrators only

Long-Term Fix

Add map_keys_roles protection. Restrict task_id and related_to to _R_POOL_ADMIN in the VBD field definition in datamodel.ml.

Validate references. When task_id or related_to is set, verify that the OpaqueRef corresponds to a real object in the database.

Upstream patches exist. They are held privately pending coordinated disclosure.

Disclosure

Disclosure:

Public release: 2026-04-24 08:00 CEST
CERT/CC notified: 2026-04-23
MITRE CVE reservation filed: 2026-04-09 (no response as of publication)
EU CVE registers notified: 2026-04-18 (GCVE/CIRCL, ENISA, DIVD - no response)
Vendor (Cloud Software Group / Citrix): not contacted pre-publication
Downstream maintainer (Vates/XCP-ng): contacted 2026-04-23 with conditional patch offer

References

Related MOKSHA IDs: MOKSHA-2026-0001 (BOC-1 arbitrary host device mount)
XAPI source: datamodel.ml:6815-6818 (VBD.other_config field definition, zero map_keys_roles)
Thematic advisory: disclosure/advisories/boc-1-security-advisory.md (V4)
Investigation: research/investigations/vbd-other-config.md

Credits

Discovered and reported by Jakob Wolffhechel, Moksha.

Machine-readable: MOKSHA-2026-0052.json (CVE JSON 5.1 schema)

← Advisory Index « MOKSHA-2026-0051 MOKSHA-2026-0053 »

Jakob Wolffhechel · Moksha · Copenhagen
jakob@wolffhechel.dk · +45 3170 7337
Published 2026-04-24 08:00 CEST · cna.moksha.dk · shittrix.moksha.dk