MOKSHA-2026-0068: Guest Xenstore Data Injection via VM.platform Map

Summary

A vm-admin in XAPI-based hypervisors (XenServer, XCP-ng) can inject arbitrary key-value pairs into VM.platform, and the entire platform map is written to guest-visible xenstore at /local/domain/<domid>/platform/ during domain creation. The bulk write at domain.ml:486 dumps all platform keys - including attacker-injected keys alongside legitimate hypervisor configuration - into guest xenstore without filtering. Guest operating systems and guest agents that read the platform xenstore path treat all entries as trusted hypervisor configuration. There is no mechanism for the guest to distinguish legitimate keys from injected keys. The VM.platform field has zero map_keys_roles entries.

Vulnerability Description

VM.platform is a Map(String, String) field defined at datamodel_vm.ml:2717-2720 with no ~map_keys_roles parameter. All keys are writable by vm-admin.

During domain creation, xenopsd writes the entire platform map to guest xenstore:

(* domain.ml:486 *)
xs.Xs.writev (dom_path ^ "/platform") vm_info.platformdata ;

This is a bulk write operation that dumps every key-value pair in the platform map into the guest xenstore path /local/domain/<domid>/platform/. Live xenstore examination confirms all platform keys are visible to the guest, including security-sensitive keys like featureset, nx, pae, and device_id.

The attack:

1. vm-admin injects arbitrary keys: VM.add_to_platform(vm, "custom-config-url", "https://evil.example.com/config")
2. VM starts - domain creation writes all platform keys to guest xenstore
3. Guest agent reads /local/domain/<domid>/platform/custom-config-url
4. Guest agent treats the value as hypervisor-provided configuration

The guest has no cryptographic or structural mechanism to verify the provenance of platform keys. All entries under /local/domain/<domid>/platform/ are equally trusted.

Root Causes

1. Unfiltered bulk write. The entire platform map is dumped to guest xenstore without any key filtering. Both legitimate hypervisor configuration and arbitrary user-injected keys are written identically.

2. Missing RBAC protection. VM.platform has zero map_keys_roles entries. Unlike VM.other_config which restricts pci, folder, and XenCenter.CustomFields.*, the platform field has no per-key access control.

3. No guest-visible key whitelist. There is no allowlist defining which platform keys are intended to be guest-visible. All keys are exposed, including security-critical ones.

4. No write-time validation. Platform keys are validated only at VM start time via Vm_platform.sanity_check, not when they are written. The sanity_check is a key-name allowlist, not a value validator.

Affected Systems

Directly Affected

• XenServer / Citrix Hypervisor - all versions (shared XAPI + xenopsd codebase)
• XCP-ng - all versions (confirmed on 8.3.0, live xenstore dump verified)

Indirectly Affected

• Guest agents - read platform xenstore keys as trusted hypervisor configuration
• Guest operating systems - may use platform keys for auto-configuration
• Guest-side monitoring tools - consume platform data without provenance verification

Exploitation Scenarios

Chaining Analysis

• PLAT-4 + PLAT-5: Guest xenstore injection (PLAT-4) and hypervisor feature manipulation (PLAT-5) both exploit the same field. PLAT-4 exposes data to the guest; PLAT-5 modifies hypervisor behavior.
• BOC-1 + PLAT-4: Root access via BOC-1 enables bulk injection of arbitrary platform keys across all VMs in the pool, creating pool-wide guest agent configuration hijacking.

Detection

• Monitor VM.platform writes for keys not in the standard platform key set
• Audit guest xenstore /local/domain/*/platform/ for unexpected entries
• Alert on platform key additions outside of normal VM provisioning workflows
• See rule P-04 in disclosure/vendor-detection-guidance.md

Remediation

Short-Term Mitigations

• Audit VM.platform records for unexpected keys
• Monitor platform key writes by vm-admin sessions
• Review guest agents for dependencies on platform xenstore data

Long-Term Fix

Filter platformdata before xenstore write. Define a whitelist of keys intended to be guest-visible and filter the platform map before the bulk write at domain.ml:486. Do not dump the entire map to guest xenstore.

Add map_keys_roles to VM.platform. Restrict security-critical keys to _R_POOL_ADMIN. Allow vm-admin to set only cosmetic keys (e.g., timeoffset, vga).

Add write-time validation. Validate platform key values when they are set, not only when the VM starts.

Upstream patches exist. They are held privately pending coordinated disclosure.

Disclosure

Disclosure:

• Public release: 2026-04-24 08:00 CEST
• CERT/CC notified: 2026-04-23
• MITRE CVE reservation filed: 2026-04-09 (no response as of publication)
• EU CVE registers notified: 2026-04-18 (GCVE/CIRCL, ENISA, DIVD - no response)
• Vendor (Cloud Software Group / Citrix): not contacted pre-publication
• Downstream maintainer (Vates/XCP-ng): contacted 2026-04-23 with conditional patch offer

References

• XAPI source: datamodel_vm.ml:2717-2720 (field definition, no map_keys_roles), domain.ml:486 (bulk write of entire platformdata to guest xenstore), vm_platform.ml:1-271 (sanity_check validates key names at start time, not values at write time), xapi_xenops.ml:1257-1264 (platformdata extraction with optional No_platform_filter bypass)
• Thematic advisory: disclosure/advisories/plat-security-advisory.md (PLAT-4)
• Investigation: research/investigations/vm-platform.md

Credits

Discovered and reported by Jakob Wolffhechel, Moksha.