Linux kernel
cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:*
A race condition has been identified in the Linux kernel's handling of Extended Sequence Number (ESN) updates in IPSec full offload mode. When the device reports an ESN wrap event, the driver must validate the event and then re-arm the context so that the same update is not processed again. The existing handling, however, leaves a window in which the event can be processed twice. This double processing increments the ESN high-order bits incorrectly, so the driver programs the hardware with an invalid ESN state. The result is anti-replay failures and a complete halt of IPSec traffic.
Exploitation of this vulnerability causes anti-replay failures in IPSec, leading to a complete disruption of IPSec traffic.
To reproduce this vulnerability, enable IPSec full offload mode on a device running the affected Linux kernel. When the ESN wrap event fires, the driver validates the event and updates the xfrm state. Because of the race condition, the same ESN update can be processed twice, incrementing the high-order bits incorrectly. This is observable by monitoring IPSec traffic, which halts completely once anti-replay checks fail against the invalid ESN state.
The vulnerability has been addressed by modifying the driver to re-arm the ESN event immediately after validation, before updating the xfrm state. Users should apply the latest patches available in the Linux kernel stable tree to mitigate this issue.