MOKSHA-2026-0070: Infrastructure Metadata Leak via SR-IOV VIF Xenstore Passthrough

Summary

On XAPI-based hypervisors (XenServer, XCP-ng), arbitrary keys written to VIF.other_config - by administrators, automation tools, or upstream systems - become visible to the guest VM via xenstore when the VIF is backed by an SR-IOV virtual function. The standard VIF code path (Device.Vif.add at device.ml:827-829) applies a whitelist filter restricting keys to 7 known values (promiscuous, ethtool-rx, ethtool-tx, ethtool-sg, ethtool-tso, ethtool-ufo, ethtool-gso). The SR-IOV VIF code path (Device.NetSriovVf.add at device.ml:978-1006) completely omits this filter, passing all other_config keys to Generic.add_device as part of the xenserver_list parameter. These keys are written to a xenstore path with guest-readable permissions (rwperm_for_guest at device.ml:174-176). This violates the assumption that other_config is host-internal metadata.

Vulnerability Description

VIF.other_config is a Map(String, String) field writable by vm-admin with zero map_keys_roles entries. XAPI passes the entire other_config map to xenopsd at xapi_xenops.ml:905.

For standard VIFs, xenopsd applies a whitelist:

(* device.ml:827-829 *)
let other_config =
  List.filter (fun (x, _) -> List.mem x vif_udev_keys) other_config

For SR-IOV VIFs, this filter is absent:

(* device.ml:978-1006 *)
Generic.add_device ~xs device [] [] extra_private_keys
  (extra_xenserver_keys @ other_config) ;

The unfiltered keys are written to the extra_xenserver_path with permissions granting the guest domain read access:

(* device.ml:174-176 *)
t.Xst.mkdirperms extra_xenserver_path
  (Xenbus_utils.rwperm_for_guest device.frontend.domid) ;
t.Xst.writev extra_xenserver_path xenserver_list

This means any key-value pair in VIF.other_config on an SR-IOV VIF is readable by the guest domain via xenstore. Infrastructure metadata that administrators or automation tools write to other_config (e.g., internal identifiers, network topology hints, provisioning tags) becomes visible to the guest. This is an information disclosure that violates the assumption that other_config is a host-side metadata store.

Root Causes

1. Missing whitelist filter on SR-IOV path. The standard VIF path applies a whitelist; the SR-IOV path does not. The same security control exists but is inconsistently applied across code paths.

2. Guest-readable xenstore permissions. The extra_xenserver_path uses rwperm_for_guest, making all written keys readable by the guest domain.

3. Missing RBAC protection. VIF.other_config has zero map_keys_roles entries. Any key can be written by vm-admin.

4. Security equivalence assumption violation. Administrators expect standard VIFs and SR-IOV VIFs to have the same security properties. The missing whitelist breaks this assumption.

Affected Systems

Directly Affected

• XenServer / Citrix Hypervisor - all versions (shared xenopsd codebase)
• XCP-ng - all versions (confirmed via source trace; live verification requires SR-IOV hardware)

Indirectly Affected

• Guest VMs on SR-IOV networks - can read infrastructure metadata from xenstore
• Orchestration platforms - may store internal metadata in VIF.other_config that is now guest-visible
• Network automation tools - provisioning tags and topology hints in other_config are exposed

Exploitation Scenarios

Chaining Analysis

• VIOC-5 + VIOC-1: Infrastructure metadata leak (VIOC-5) is a consequence of the SR-IOV whitelist bypass (VIOC-1). VIOC-1 describes the missing filter; VIOC-5 describes the information disclosure impact.
• BOC-1 + VIOC-5: Root access via BOC-1 enables writing arbitrary metadata to all SR-IOV VIFs' other_config, creating a pool-wide information disclosure channel to guest VMs.

Detection

• Audit SR-IOV VIF xenstore entries for unexpected keys beyond the 7-key whitelist
• Monitor VIF.other_config for writes to SR-IOV-backed VIFs
• Compare xenstore entries between standard VIFs and SR-IOV VIFs on the same host for security posture divergence
• See rule V-05 in disclosure/vendor-detection-guidance.md

Remediation

Short-Term Mitigations

• Audit VIF.other_config on SR-IOV VIFs for sensitive metadata
• Remove infrastructure metadata from other_config on SR-IOV-backed VIFs
• Alert on non-whitelisted keys in SR-IOV VIF xenstore entries

Long-Term Fix

Apply whitelist filter to SR-IOV path. Add the same vif_udev_keys whitelist to Device.NetSriovVf.add at device.ml:978-1006. This is a one-line fix:

let other_config =
  List.filter (fun (x, _) -> List.mem x vif_udev_keys) other_config

Audit SR-IOV code path. If the whitelist was missed, other security controls may also be absent. Systematically compare Device.Vif.add and Device.NetSriovVf.add for divergences.

Add map_keys_roles protection. Restrict keys that should not be guest-visible to _R_POOL_ADMIN.

Upstream patches exist. They are held privately pending coordinated disclosure.

Disclosure

Disclosure:

• Public release: 2026-04-24 08:00 CEST
• CERT/CC notified: 2026-04-23
• MITRE CVE reservation filed: 2026-04-09 (no response as of publication)
• EU CVE registers notified: 2026-04-18 (GCVE/CIRCL, ENISA, DIVD - no response)
• Vendor (Cloud Software Group / Citrix): not contacted pre-publication
• Downstream maintainer (Vates/XCP-ng): contacted 2026-04-23 with conditional patch offer

References

• XAPI source: device.ml:112-115 (vif_udev_keys whitelist definition), device.ml:827-829 (whitelist applied in Device.Vif.add), device.ml:978-1006 (whitelist absent in Device.NetSriovVf.add), device.ml:174-176 (extra_xenserver_path with rwperm_for_guest), xenops_server_xen.ml:4207-4264 (dispatch: standard VIF at line 4238 vs SR-IOV at line 4258), xapi_xenops.ml:905 (full other_config passthrough)
• Thematic advisory: disclosure/advisories/vif-security-advisory.md (VIOC-5)
• Investigation: research/investigations/vif-other-config.md

Credits

Discovered and reported by Jakob Wolffhechel, Moksha.