MOKSHA-2026-0063: Negative kbps Injection in VIF.qos_algorithm_params

Advisory ID:      MOKSHA-2026-0063
Semantic ID:      VQP-3
Published:        2026-04-24
CVSS 3.1:         5.3 Medium
CVSS 3.1 Vector:  AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N
CVSS 4.0:         5.3 Medium
CVSS 4.0 Vector:  AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
XAPI Object:      VIF
XAPI Field:       qos_algorithm_params:kbps
Entry Role:       vm-admin
Researcher:       Jakob Wolffhechel, Moksha

Affected Products

Vendor                          Product                          Versions
Citrix / Cloud Software Group   XenServer / Citrix Hypervisor    all versions (shared XAPI codebase)
Vates                           XCP-ng                           8.3.0

Summary

A vm-admin in XAPI-based hypervisors (XenServer, XCP-ng) can inject negative kbps values into VIF.qos_algorithm_params. XAPI parses the value via Int64.of_string at xapi_xenops.ml:795 without any sign check or range validation. When the VIF is plugged, xenopsd computes a negative bytes_per_interval, which fails the bounds check at device.ml:850 (bytes_per_interval > 0L), causing the rate limit to be silently dropped. The XAPI database shows kbps=-1 (or any negative value) as the configured rate while no rate is enforced in xenstore. This creates an observability gap where administrators believe rate limiting is active when it is not.

Vulnerability Description

VIF.qos_algorithm_params is a Map(String, String) field writable by vm-admin with zero per-key RBAC. The kbps key is parsed with Int64.of_string, which accepts negative integers.

The code path:

  1. vm-admin sets kbps=-1: VIF.add_to_qos_algorithm_params(vif, "kbps", "-1")
  2. XAPI parses via Int64.of_string at xapi_xenops.ml:795 - negative value accepted
  3. Rate tuple (-1L, 0L) is passed to xenopsd
  4. xenopsd computes at device.ml:835-856:
    • timeslice_us defaults to 50000L (since 0L <= 0L)
    • bytes_per_interval = ((-1) * 1024 * 50000) / 1000000 = -51 (Int64.div truncates toward zero; any negative kbps yields a value <= 0)
  5. Bounds check: -51 > 0L is false - rate is silently dropped
  6. No rate key is written to xenstore
  7. VIF operates without rate limiting

Additionally, the raw negative kbps value is written to the private xenstore path at device.ml:920-927 as Int64.to_string rate. While private xenstore is only dom0-readable and the value is integer-formatted (no path injection possible), the negative value persists as an anomalous entry.

Root Causes

  1. Missing sign validation. Int64.of_string accepts negative integers. No check enforces kbps > 0 at the XAPI layer.

  2. Silent rejection at consumer. xenopsd correctly rejects the negative computed rate but emits only a debug-level log message. The rejection is invisible to the management layer.

  3. Database-xenstore state divergence. The XAPI database stores the negative value. Xenstore has no rate key. Monitoring tools that read the database report rate limiting as configured.

  4. Missing RBAC protection. Zero map_keys_roles entries on the field. Any vm-admin can set arbitrary kbps values.

Affected Systems

Directly Affected

Indirectly Affected

Exploitation Scenarios

Scenario:       Silent rate limit removal
Impact:         VIF operates without rate limiting while XAPI shows negative kbps
Pre-conditions: vm-admin, ratelimit QoS type
Status:         Confirmed (live host)

Scenario:       Monitoring confusion
Impact:         Management tools display negative rate value, confusing operators
Pre-conditions: vm-admin
Status:         Source-traced

Scenario:       Audit evasion
Impact:         Rate limiting appears configured with a value that is syntactically valid but semantically invalid
Pre-conditions: vm-admin, compliance monitoring
Status:         Source-traced

Chaining Analysis

Detection

Remediation

Short-Term Mitigations

Long-Term Fix

Add write-time validation. Reject negative kbps values at the XAPI API layer. Enforce kbps > 0 and optionally kbps <= 100000000 (100 Gbps upper bound).

Propagate rejection errors. When xenopsd rejects a rate value, return an error to the XAPI caller rather than silently dropping the rate.

Add map_keys_roles protection. Restrict the kbps key to _R_POOL_OP to prevent vm-admin from modifying rate limits.
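The code path traced under Vulnerability Description and the write-time validation proposed here, as an added example that is not XAPI or xenopsd code: a Python model of the kbps pipeline. It re-implements the arithmetic the advisory attributes to device.ml (timeslice default, bytes_per_interval with Int64 wrap and truncating division, the > 0L bounds check), stores the three views that diverge (XAPI database, backend xenstore, private xenstore), and adds the proposed check next to the current behaviour. Host, plug_vif, MAX_KBPS, is_accepted, run_path and the "bytes,usecs" rate string are this example's own assumptions; the parser only approximates OCaml's Int64.of_string.

```python
"""Model of the VIF.qos_algorithm_params:kbps path described in this advisory.

Added example, not XAPI or xenopsd code. Re-implements the device.ml
arithmetic as the advisory describes it, plus the proposed write-time check.
Host, plug_vif, MAX_KBPS and the "bytes,usecs" rate string are assumptions.
"""
import logging
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional, Tuple

INT64_MIN, INT64_MAX = -(1 << 63), (1 << 63) - 1
DEFAULT_TIMESLICE_US = 50_000   # used when the supplied timeslice is <= 0
MAX_KBPS = 100_000_000          # 100 Gbps ceiling proposed by the advisory


def int64_of_string(s: str) -> int:
    """Approximate OCaml Int64.of_string: sign, 0x/0o/0b prefixes and '_'
    separators are accepted, so "-1" parses without complaint; overflow raises."""
    value = int(s, 0)
    if not INT64_MIN <= value <= INT64_MAX:
        raise ValueError("Int64.of_string")
    return value


def wrap64(x: int) -> int:
    """Two's-complement wrap to int64, as OCaml Int64.mul does on overflow."""
    return ((x + (1 << 63)) % (1 << 64)) - (1 << 63)


def int64_div(a: int, b: int) -> int:
    """OCaml Int64.div truncates toward zero; Python's // floors, so fix it."""
    q = abs(a) // abs(b)
    return q if (a < 0) == (b < 0) else -q


def xenopsd_rate(kbps: int, timeslice_us: int) -> Optional[Tuple[int, int]]:
    """Consumer-side computation as the advisory describes device.ml. Returns
    (bytes_per_interval, timeslice_us), or None when the rate is dropped."""
    if timeslice_us <= 0:
        timeslice_us = DEFAULT_TIMESLICE_US
    per_interval = int64_div(wrap64(wrap64(kbps * 1024) * timeslice_us), 1_000_000)
    if per_interval > 0:
        return per_interval, timeslice_us
    # The real code only logs at debug level here; the caller never hears of it.
    logging.debug("impossible rate configuration (%d, %d)", kbps, timeslice_us)
    return None


@dataclass
class Host:
    """The views that diverge: XAPI database, backend xenstore, private xenstore."""
    db_qos_params: Dict[str, str] = field(default_factory=dict)
    backend_xenstore: Dict[str, str] = field(default_factory=dict)
    private_xenstore: Dict[str, str] = field(default_factory=dict)


def vulnerable_set_kbps(host: Host, value: str) -> None:
    """Current behaviour: add_to_qos_algorithm_params stores any string."""
    host.db_qos_params["kbps"] = value


def hardened_set_kbps(host: Host, value: str) -> None:
    """Proposed write-time check: parse, enforce 0 < kbps <= MAX_KBPS, fail the call."""
    kbps = int64_of_string(value)
    if not 0 < kbps <= MAX_KBPS:
        raise ValueError(f"kbps out of range: {kbps} (allowed 1..{MAX_KBPS})")
    host.db_qos_params["kbps"] = str(kbps)


def is_accepted(value: str) -> bool:
    """True if the hardened setter accepts value (convenience for checking the rule)."""
    try:
        hardened_set_kbps(Host(), value)
        return True
    except ValueError:
        return False


def plug_vif(host: Host, propagate_errors: bool = False) -> Optional[Tuple[int, int]]:
    """VIF.plug as traced in the advisory: XAPI parses kbps, passes (kbps, 0L) to
    xenopsd, which writes the backend rate key or silently drops it.
    propagate_errors=True models the proposed fix of surfacing the drop."""
    if "kbps" not in host.db_qos_params:
        return None
    kbps = int64_of_string(host.db_qos_params["kbps"])
    host.private_xenstore["rate"] = str(kbps)   # raw value lands here, negative or not
    rate = xenopsd_rate(kbps, 0)
    if rate is None:
        if propagate_errors:
            raise RuntimeError(f"xenopsd rejected rate for kbps={kbps}")
        return None
    host.backend_xenstore["rate"] = f"{rate[0]},{rate[1]}"   # assumed "bytes,usecs" layout
    return rate


def rate_state_diverges(host: Host) -> bool:
    """Root cause 3: the database claims a rate while the backend enforces none."""
    return "kbps" in host.db_qos_params and "rate" not in host.backend_xenstore


def run_path(set_kbps: Callable[[Host, str], None], value: str) -> Host:
    """Set kbps with the given setter on a fresh Host, plug the VIF, return the Host."""
    host = Host()
    set_kbps(host, value)
    plug_vif(host)
    return host
```

In the model, kbps=-1 becomes bytes_per_interval -51, fails the > 0 check, leaves the backend with no rate key while the database still reads "-1", and rate_state_diverges() flags it. The ceiling earns its place too: kbps=2^53 is positive, yet the two Int64 multiplications wrap to 0 and the rate is dropped just as silently, so a sign check alone would not close the observability gap. Whether the real device.ml arithmetic wraps the same way is not something this advisory establishes; the model only shows why a bounded range is the safer rule.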

Upstream patches exist. They are held privately pending coordinated disclosure.

Disclosure

References

Credits

Discovered and reported by Jakob Wolffhechel, Moksha.

Jakob Wolffhechel · Moksha · Copenhagen
jakob@wolffhechel.dk · +45 3170 7337
Published 2026-04-24 08:00 CEST · cna.moksha.dk · shittrix.moksha.dk