
Reading just the article and going out on a limb, it sounds like they are exploiting the window of valid sequence numbers in a session to enable out of order delivery.

I'd speculate the basic problem in the protocol is that session sequence numbers (counters) can be incremented by sending invalid messages, and there is a window of n plus or minus x, where x is how much the counter/sequence number on a valid message can be off by and still be processed.

Flooding the session to increment the counter above the valid window would yield undefined behavior in a few ways. When a peer gets desynced, either the client or server may kill the session and require a new negotiation handshake with the peer (a DoS vulnerability), or it attempts to recalculate the window of counter values it will accept based on its last known good message, which sounds like it effectively causes the valid messages in that chain to "fold" back on themselves in their order.

I'd suspect this was a design decision and understood by the protocol architects.

If you aren't using a CMAC, a ratchet function (or a KDF based on hashing) which proves deterministically what the current sequence of messages is, instead of using a sliding window, you are going to have similar or analogous sequence number "window" problems in your protocol.

Some message sequence schemes use an obfuscated counter where instead of, say, integers, you use some function over a field (hence GCM, as I loosely apprehend it). But even the seed for that function just becomes another secret to manage (imo), so protocols that depend on counters earn extra scrutiny.

The reason to use sequence numbers (counters) instead of ratcheting or hashing is because sometimes you're just substituting the manageability of a sequence number counter window problem with another key management problem that has a different set of known vulnerabilities, and you make the call based on your threat model.

Perhaps the researchers' actual findings are more complex than this, and it isn't just a gotcha criticism of a design decision that had clear trade-offs, which few are equipped to object to.
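As an added illustration, separate from the comment above and not a model of the protocol the article discusses, here is a small Python sketch of the sliding sequence-number window the commenter is describing, modelled on the IPsec ESP anti-replay window (RFC 4303). It shows the generic failure mode of a receiver whose window state can be moved by a packet before that packet's MAC has been checked: an unauthenticated packet with a far-ahead sequence number pushes the window forward, and the honest peer's next message then falls outside it and is dropped as stale. The `advance_before_auth` flag, the `ReplayWindow` class, the 32-byte key, and the packets are all constructed for this example.

```python
import hmac
import hashlib


class ReplayWindow:
    """Sliding anti-replay window modelled on IPsec ESP (RFC 4303).

    `top` is the highest accepted sequence number; bit i of `bitmap`
    is set when sequence number (top - i) has already been accepted.
    `advance_before_auth` is a hypothetical knob for this example: when
    True, any packet that passes the window test moves the window before
    its MAC is verified (the flawed ordering).
    """

    def __init__(self, key, window_size=64, advance_before_auth=False):
        self.key = key
        self.size = window_size
        self.top = 0
        self.bitmap = 0
        self.advance_before_auth = advance_before_auth

    def _mac(self, seq, payload):
        # The MAC covers the sequence number so a tag cannot be re-attached elsewhere.
        return hmac.new(self.key, seq.to_bytes(8, "big") + payload, hashlib.sha256).digest()

    def _in_window_and_unseen(self, seq):
        if seq > self.top:
            return True
        diff = self.top - seq
        if diff >= self.size:
            return False                         # older than the window: stale or replay
        return not (self.bitmap >> diff) & 1     # bit already set means replay

    def _mark(self, seq):
        if seq > self.top:
            shift = seq - self.top
            self.bitmap = (self.bitmap << shift) & ((1 << self.size) - 1)
            self.bitmap |= 1
            self.top = seq
        else:
            self.bitmap |= 1 << (self.top - seq)

    def receive(self, seq, payload, tag):
        if not self._in_window_and_unseen(seq):
            return "replay_or_stale"
        if self.advance_before_auth:
            self._mark(seq)                      # flawed: state changes before auth
        if not hmac.compare_digest(tag, self._mac(seq, payload)):
            return "bad_mac"
        if not self.advance_before_auth:
            self._mark(seq)                      # correct: only authenticated packets move the window
        return "ok"


def make_packet(key, seq, payload):
    """Build an authenticated (seq, payload, tag) triple as the honest sender would."""
    tag = hmac.new(key, seq.to_bytes(8, "big") + payload, hashlib.sha256).digest()
    return seq, payload, tag


def simulate():
    key = b"\x11" * 32   # constructed shared key for this example only
    strict = ReplayWindow(key)
    flawed = ReplayWindow(key, advance_before_auth=True)
    log = {"strict": [], "flawed": []}

    # Honest traffic: sequence numbers 1..3 are accepted by both receivers.
    for seq in range(1, 4):
        pkt = make_packet(key, seq, b"data%d" % seq)
        log["strict"].append(strict.receive(*pkt))
        log["flawed"].append(flawed.receive(*pkt))

    # An attacker without the key injects a far-ahead sequence number with a junk tag.
    forged = (1000, b"junk", b"\x00" * 32)
    log["strict"].append(strict.receive(*forged))
    log["flawed"].append(flawed.receive(*forged))

    # Honest packet 4: the strict receiver still accepts it; the flawed one was
    # pushed to top=1000 by the forgery and now drops legitimate traffic as stale.
    pkt4 = make_packet(key, 4, b"data4")
    log["strict"].append(strict.receive(*pkt4))
    log["flawed"].append(flawed.receive(*pkt4))

    # A genuine replay of packet 2 is caught by the bitmap on the strict receiver.
    log["strict"].append(strict.receive(*make_packet(key, 2, b"data2")))

    log["strict_top"] = strict.top
    log["flawed_top"] = flawed.top
    return log


if __name__ == "__main__":
    for name, value in simulate().items():
        print(name, value)
```

The design point is the ordering inside `receive`: the window test is a cheap pre-filter, but the window state must only be updated by packets that have passed the MAC check. With the order reversed, anyone on the path can desync the receiver with a single unauthenticated packet, which is the DoS-style outcome the comment speculates about.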



