MOKSHA-2026-0054: MAC Address Collision via VM.other_config mac_seed

Summary

A vm-admin in XAPI-based hypervisors (XenServer, XCP-ng) can cause MAC address collisions by setting the mac_seed key in VM.other_config to a value copied from another VM. The MAC generation algorithm in xapi_vif_helpers.ml:212-232 uses this seed deterministically - two VMs with the same mac_seed generate identical MAC addresses for the same device IDs. Pool-level duplicate detection exists at xapi_pool.ml:3425-3456 but only runs during pool join and import operations, not during direct add_to_other_config calls. The resulting MAC collisions cause network connectivity failures, ARP table corruption, and traffic misdirection.

Vulnerability Description

VM.other_config is a Map(String, String) field writable by vm-admin. The mac_seed key controls deterministic MAC address generation for VIFs. The key has partial RBAC protection via map_keys_roles for three keys (pci, folder, XenCenter.CustomFields.*), but mac_seed is not among them.

The MAC generation algorithm:

1. xapi_vif_helpers.ml:212-232 reads mac_seed from VM.other_config
2. The seed is hashed iteratively: chain (dev * 2) hash seed where dev is the VIF device index
3. The hash output is formatted as a MAC address in the fe:ff:ff:xx:xx:xx range
4. Two VMs with the same mac_seed produce identical MACs for the same device indices

Attack path:

1. vm-admin reads the mac_seed from VM-A: VM.get_other_config(vm_a)["mac_seed"]
2. Sets the same seed on VM-B: VM.add_to_other_config(vm_b, "mac_seed", "<vm_a_seed>")
3. Creates a VIF on VM-B with the same device index as VM-A's VIF
4. XAPI generates an identical MAC address for VM-B's VIF
5. Both VIFs on the same bridge cause MAC collision

Mitigating factors:

• Pool-level duplicate detection exists (xapi_pool.ml:3425-3456) but only during pool join/import
• Clone operations automatically replace the seed (xapi_vm_clone.ml:274-292)
• Direct add_to_other_config bypasses both mitigations

Root Causes

1. Missing RBAC protection. VM.other_config has map_keys_roles entries for pci, folder, and XenCenter.CustomFields.* only. The mac_seed key is writable by vm-admin without restriction.

2. Incomplete duplicate detection. Pool-level MAC seed validation runs during pool join and import but not during direct other_config key writes. The API path bypasses the safety check.

3. No write-time validation. No format validation is performed when mac_seed is set. Any string is accepted, including seeds copied from other VMs.

Affected Systems

Directly Affected

• XenServer / Citrix Hypervisor - all versions (shared XAPI codebase)
• XCP-ng - all versions (confirmed on 8.3.0)

Indirectly Affected

• Co-located VMs - MAC collisions cause ARP table corruption affecting all VMs on the same bridge
• Network switches - MAC address flapping triggers switch port security mechanisms
• DHCP servers - duplicate MACs receive conflicting lease assignments

Exploitation Scenarios

Chaining Analysis

• BOC-1 + VOC-4: With root access via BOC-1 S3, an attacker can bulk-modify mac_seed on all VMs in the pool, causing widespread MAC collisions and network disruption.
• VOC-4 + VIOC-2: MAC collision (VOC-4) combined with promiscuous mode (VIOC-2) enables targeted traffic interception - the attacker creates a MAC collision to redirect traffic and captures it via promiscuous mode.

Detection

• Monitor VM.other_config for writes to the mac_seed key
• Periodically scan for duplicate mac_seed values across VMs in the pool
• Monitor network switches for MAC address flapping events
• See rule V-04 in disclosure/vendor-detection-guidance.md

Remediation

Short-Term Mitigations

• Audit all VM.other_config records for duplicate mac_seed values
• Monitor for MAC address collisions on hypervisor bridges
• Restrict vm-admin delegated access to trusted administrators only

Long-Term Fix

Extend duplicate detection to API writes. Run pool-level mac_seed validation on every add_to_other_config and set_other_config call, not just during pool join/import.

Add map_keys_roles protection. Restrict mac_seed to _R_POOL_ADMIN in the VM field definition in datamodel.ml.

Validate format on write. Enforce UUID format for mac_seed values to prevent arbitrary strings.

Upstream patches exist. They are held privately pending coordinated disclosure.

Disclosure

Disclosure:

• Public release: 2026-04-24 08:00 CEST
• CERT/CC notified: 2026-04-23
• MITRE CVE reservation filed: 2026-04-09 (no response as of publication)
• EU CVE registers notified: 2026-04-18 (GCVE/CIRCL, ENISA, DIVD - no response)
• Vendor (Cloud Software Group / Citrix): not contacted pre-publication
• Downstream maintainer (Vates/XCP-ng): contacted 2026-04-23 with conditional patch offer

References

• XAPI source: xapi_vif_helpers.ml:212-232 (MAC generation from mac_seed), xapi_pool.ml:3425-3456 (pool-level duplicate detection, import/join only), xapi_vm_clone.ml:274-292 (clone replaces mac_seed), datamodel.ml (VM.other_config field definition)
• Thematic advisory: disclosure/advisories/voc-security-advisory.md (VOC-4)
• Investigation: research/investigations/vm-other-config.md

Credits

Discovered and reported by Jakob Wolffhechel, Moksha.