Linux Kernel Duplicate SPI Handling Vulnerability in XFRM Module

Vulnerability

A vulnerability has been identified in the Linux kernel's XFRM (IPsec transformation) module, specifically in the handling of Security Parameter Index (SPI) values for inbound Security Associations (SAs). This issue arises when Strongswan sends an XFRM_MSG_ALLOCSPI Netlink message, which invokes the xfrm_alloc_spi() function. This function is supposed to guarantee the uniqueness of SPI values for inbound SAs. However, it can incorrectly indicate success even when the requested SPI is already in use. This flaw leads to duplicate SPIs being assigned to multiple inbound SAs, with the only distinction being their destination addresses. Such duplication creates inconsistencies during SPI lookups for inbound packets, as the lookup may return an arbitrary SA among those sharing the same SPI, potentially causing packet processing failures and drops. This issue contradicts RFC 4301, section 4.4.2, which states that a unicast SA is uniquely identified by the SPI and optionally the protocol.

Impact

The vulnerability causes duplicate SPIs to be assigned to inbound Security Associations, leading to arbitrary SAs being selected during SPI lookups for inbound packets. This can disrupt normal packet processing, causing packets to be dropped.

Reproduction

To reproduce this vulnerability, configure the SPI range in the Strongswan charon configuration file to limit the available SPIs to only two usable values. After setting the SPI range, create more than two Child SAs, each with a unique pair of source and destination addresses. Once the third Child SA is initiated, it will be assigned a duplicate SPI, as the SPI pool will be exhausted. This issue can be consistently reproduced with a narrow SPI range, while it becomes rare and unpredictable with a broader or default range.
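The following Python script is an added defender-side check and is not part of this advisory or of the kernel or Strongswan code it describes. It parses `ip xfrm state` output, keeps the inbound SAs (those whose destination is one of the host's own addresses) and flags any SPI that more than one inbound SA shares within the same protocol, which is the uniqueness rule from RFC 4301 section 4.4.2 that the allocator is described above as failing to enforce. The sample output, the local addresses and the SPI values are constructed for the example, and `lookup_by_spi` models the lookup as the page describes it (any SA sharing the SPI may be returned), not the kernel's actual implementation. On a real host you would pass it the text of `ip xfrm state` and the host's addresses.

```python
"""Flag duplicate SPIs among inbound IPsec SAs in `ip xfrm state` output."""
import re
from collections import defaultdict

# Constructed sample in iproute2's `ip xfrm state` layout, not captured from a
# real host. SAs 1 and 2 are inbound and share SPI 0xc0000001; they differ only
# in their destination address. SA 3 is inbound with a unique SPI. SA 4 is
# outbound (local source, remote destination) and must be ignored by the check.
SAMPLE_XFRM_STATE = """\
src 198.51.100.10 dst 203.0.113.5
\tproto esp spi 0xc0000001 reqid 1 mode tunnel
\treplay-window 32 flag af-unspec
\tauth-trunc hmac(sha256) 0x00112233445566778899aabbccddeeff 128
\tenc cbc(aes) 0xffeeddccbbaa99887766554433221100
src 198.51.100.11 dst 203.0.113.6
\tproto esp spi 0xc0000001 reqid 2 mode tunnel
\treplay-window 32 flag af-unspec
\tauth-trunc hmac(sha256) 0x0123456789abcdef0123456789abcdef 128
\tenc cbc(aes) 0xfedcba9876543210fedcba9876543210
src 198.51.100.12 dst 203.0.113.5
\tproto esp spi 0xc0000002 reqid 3 mode tunnel
\treplay-window 32 flag af-unspec
\tauth-trunc hmac(sha256) 0xdeadbeefdeadbeefdeadbeefdeadbeef 128
\tenc cbc(aes) 0xcafebabecafebabecafebabecafebabe
src 203.0.113.5 dst 198.51.100.10
\tproto esp spi 0xd0000001 reqid 1 mode tunnel
\treplay-window 32 flag af-unspec
\tauth-trunc hmac(sha256) 0x00112233445566778899aabbccddeeff 128
\tenc cbc(aes) 0xffeeddccbbaa99887766554433221100
"""

# Constructed assumption: the host under inspection owns both of these addresses.
LOCAL_ADDRS = {"203.0.113.5", "203.0.113.6"}

SA_HEADER = re.compile(r"^src (\S+) dst (\S+)")
SA_PROTO = re.compile(r"^proto (\S+) spi (0x[0-9a-fA-F]+) reqid (\d+) mode (\S+)")


def parse_xfrm_state(text):
    """Return one dict per SA with src, dst, proto, spi (int), reqid and mode."""
    sas = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        header = SA_HEADER.match(line)
        if header:
            current = {"src": header.group(1), "dst": header.group(2)}
            sas.append(current)
            continue
        proto = SA_PROTO.match(line)
        if proto and current is not None:
            current.update(proto=proto.group(1), spi=int(proto.group(2), 16),
                           reqid=int(proto.group(3)), mode=proto.group(4))
    return sas


def inbound_sas(sas, local_addrs):
    """Inbound SAs are the ones whose destination is one of our own addresses."""
    return [sa for sa in sas if sa["dst"] in local_addrs]


def duplicate_spis(sas):
    """Group SAs by (proto, spi) and keep only groups with more than one member.

    RFC 4301 section 4.4.2 identifies a unicast SA by its SPI and optionally the
    protocol, so two inbound SAs in one group violate that uniqueness rule.
    """
    groups = defaultdict(list)
    for sa in sas:
        groups[(sa["proto"], sa["spi"])].append(sa)
    return {key: members for key, members in groups.items() if len(members) > 1}


def lookup_by_spi(sas, proto, spi):
    """Model of the inbound lookup described above: every SA sharing the SPI
    matches, so a duplicated SPI gives the receiver more than one candidate."""
    return [sa for sa in sas if sa["proto"] == proto and sa["spi"] == spi]


def report(text, local_addrs):
    """One human-readable line per duplicated inbound (proto, spi) pair."""
    inbound = inbound_sas(parse_xfrm_state(text), local_addrs)
    lines = []
    for (proto, spi), members in sorted(duplicate_spis(inbound).items()):
        detail = ", ".join(f"{sa['src']}->{sa['dst']} reqid {sa['reqid']}"
                           for sa in members)
        lines.append(f"DUPLICATE {proto} spi 0x{spi:08x}: {detail}")
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_XFRM_STATE, LOCAL_ADDRS) or ["no duplicate inbound SPIs"]:
        print(line)
```

Run against the constructed sample, the check reports the two inbound SAs sharing `0xc0000001` and ignores the outbound SA, which legitimately carries a peer-assigned SPI. The same grouping is what the allocator would have to consult before confirming an SPI as unique.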

Remediation

Users can update to the latest version of the Linux kernel, where this vulnerability has been addressed. Instructions for updating the kernel can be found in the official Linux kernel documentation.

Added: Sep 12, 2025, 4:25 PM
Updated: Sep 12, 2025, 4:25 PM

Vulnerability Rating

Custom Algorithm

spread: 9.0
impact: 2.5
exploitability: 3.9
remediation: 7.7
relevance: 0.5
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.