...
esp4 / esp6 are the kernel-side ESP transforms used by IPsec. Disabling them breaks IPsec tunnels that rely on the kernel data path on the affected machine. Do not apply this mitigation on hosts that terminate or transit IPsec / strongSwan / Libreswan tunnels. rxrpc is the AF_RXRPC transport used almost exclusively by AFS clients and is not present on typical web-hosting servers. (reference: Dirty Frag [CVE Pending]: Mitigation and Kernel Update on CloudLinux)
| Table of Contents |
|---|
What is its relationship with the "Copy Fail" vulnerability?
Copy Fail was the motivation for starting reasearching new researching new vulnerabilities. In particular, xfrm-ESP Page-Cache Write in the Dirty Frag vulnerability chain shares the same sink as Copy Fail. However, it is triggered regardless of whether the algif_aead module is available. In other words, even on systems where the publicly known Copy Fail mitigation (algif_aead blacklist) is applied, your Linux is still vulnerable to Dirty Frag. (reference V4bel/dirtyfrag)
...