MOKSHA-2026-0077: VIF NIC Offload Disablement via VIF.other_config ethtool Keys

Summary

A vm-admin in XAPI-based hypervisors (XenServer, XCP-ng) can disable NIC offload features on virtual network interfaces by setting ethtool-tso=off, ethtool-gso=off, and other ethtool-* keys in VIF.other_config. The VIF hotplug script (vif-real:85-97) reads these keys from xenstore and executes /sbin/ethtool -K <dev> <feature> <on|off> on the VIF backend device. Disabling offloads forces the host CPU to perform TCP/UDP segmentation in software for that VIF's traffic, increasing CPU utilization. When offloads are disabled on multiple VIFs, the cumulative effect degrades host performance for all co-located VMs. The VIF.other_config field has zero map_keys_roles entries.

Vulnerability Description

VIF.other_config is a Map(String, String) field defined at datamodel.ml:3914-3917 with no ~writer_roles override and no ~map_keys_roles. It inherits _R_VM_ADMIN from the VIF class default.

For standard VIFs, xenopsd applies a whitelist filter at device.ml:827-829 that restricts the keys written to xenstore to 7 known values: promiscuous, ethtool-rx, ethtool-tx, ethtool-sg, ethtool-tso, ethtool-ufo, ethtool-gso. The ethtool keys pass through the whitelist.

The VIF hotplug script at vif-real:85-97:

handle_ethtool()
{
    local opt=$1
    local arg=$(xenstore-read "${PRIVATE}/other-config/ethtool-${opt}" 2>/dev/null)
    if [ $? -eq 0 -a -n "${arg}" ] ; then
        case "${arg}" in
            true|on)   /sbin/ethtool -K "${dev}" "${opt}" on ;;
            false|off) /sbin/ethtool -K "${dev}" "${opt}" off ;;
            *) logger -t scripts-vif "Unknown ethtool argument ..." ;;
        esac
    fi
}

The script validates values against true|on|false|off - this is adequate value validation. Invalid values are logged and ignored. The security concern is the missing RBAC: a vm-admin can disable offloads on any VIF they control, affecting host-level CPU utilization.

The offload features controllable from VIF.other_config:

• ethtool-rx - receive checksum offload
• ethtool-tx - transmit checksum offload
• ethtool-sg - scatter-gather
• ethtool-tso - TCP segmentation offload
• ethtool-ufo - UDP fragmentation offload
• ethtool-gso - generic segmentation offload

Root Causes

1. Missing RBAC protection. VIF.other_config has zero map_keys_roles entries. All ethtool-* keys are writable by vm-admin, the lowest delegated management role.

2. Host-level impact from VM-level operation. Disabling offloads on a VIF backend device increases host CPU utilization, affecting all co-located VMs - not just the VIF's own VM.

3. No rate limiting or aggregate impact assessment. XAPI does not limit how many VIFs can have offloads disabled or assess the cumulative CPU impact.

4. set_other_config RBAC bypass. The set_other_config method replaces the entire map atomically and bypasses map_keys_roles per-key checks.

Affected Systems

Directly Affected

• XenServer / Citrix Hypervisor - all versions (shared xenopsd + vif-real script)
• XCP-ng - all versions (confirmed via source trace and live key injection test)

Indirectly Affected

• Co-located VMs - host CPU consumed by software segmentation reduces available CPU for other VMs
• Host management - management operations may slow when CPU is saturated by network processing

Exploitation Scenarios

Chaining Analysis

• VIOC-4 + VIOC-2 (MOKSHA-2026-0021): Disabling offloads (VIOC-4) combined with enabling promiscuous mode (VIOC-2) on the same VIF increases both CPU load (software segmentation) and network exposure (traffic sniffing).
• VIOC-4 + VIOC-3 (MOKSHA-2026-0053): Offload disablement combined with MTU manipulation creates compound network performance degradation.
• BOC-1 + VIOC-4: BOC-1 root access enables bulk modification of all VIF other_config entries, disabling offloads on every VIF in the pool.

Detection

• Monitor VIF.other_config for ethtool-* key changes
• Alert on offload disablement (=off or =false) on VIF backend devices
• Monitor host CPU utilization for network softirq anomalies
• See rule V-04 in disclosure/vendor-detection-guidance.md

Remediation

Short-Term Mitigations

• Audit all VIF.other_config entries for unexpected ethtool-* settings
• Monitor NIC offload state on VIF backend devices
• Restrict vm-admin access to VIFs that require offload tuning

Long-Term Fix

Add map_keys_roles protection. Restrict ethtool-* keys to _R_POOL_ADMIN in datamodel.ml. NIC offload configuration on a VIF backend device is a host infrastructure operation, not a VM administration operation.

Move offload control to a dedicated field. Replace the ethtool-* other_config keys with a dedicated VIF field that has proper RBAC and validation.

Upstream patches exist. They are held privately pending coordinated disclosure.

Disclosure

Disclosure:

• Public release: 2026-04-24 08:00 CEST
• CERT/CC notified: 2026-04-23
• MITRE CVE reservation filed: 2026-04-09 (no response as of publication)
• EU CVE registers notified: 2026-04-18 (GCVE/CIRCL, ENISA, DIVD - no response)
• Vendor (Cloud Software Group / Citrix): not contacted pre-publication
• Downstream maintainer (Vates/XCP-ng): contacted 2026-04-23 with conditional patch offer

References

• Related MOKSHA IDs: MOKSHA-2026-0021 (VIOC-2), MOKSHA-2026-0029 (VIOC-1), MOKSHA-2026-0053 (VIOC-3), MOKSHA-2026-0070 (VIOC-5)
• XAPI source: datamodel.ml:3914-3917 (VIF.other_config field definition, zero map_keys_roles), device.ml:112-115 (vif_udev_keys whitelist), device.ml:827-829 (whitelist filter in Vif.add), vif-real:85-97 (ethtool script with value validation)
• Thematic advisory: disclosure/advisories/vif-security-advisory.md (VIOC-4)
• Investigation: research/investigations/vif-other-config.md

Credits

Discovered and reported by Jakob Wolffhechel, Moksha.