PatchSiren cyber security CVE debrief
CVE-2024-27316 Apache Software Foundation CVE debrief
CVE-2024-27316 is a HIGH severity (CVSS 7.5) denial-of-service vulnerability affecting Siemens SINEC NMS through the nghttp2 HTTP/2 library it bundles. The issue is in nghttp2's handling of incoming header blocks that exceed the configured limits. Instead of rejecting the oversized block immediately, nghttp2 keeps buffering it so that it can send an informative HTTP 413 (Content Too Large, formerly Payload Too Large) response once the block is complete. A malicious client exploits this by never completing the block: it keeps sending header-block fragments (HTTP/2 CONTINUATION frames) without ever setting END_HEADERS, so the 413 is never sent and the buffer grows with every frame until memory is exhausted. The vulnerability is network-exploitable with low attack complexity, requires no privileges or user interaction, and has a high availability impact. Siemens has released a vendor fix in SINEC NMS V3.0 SP1 and later versions.
- Vendor: Apache Software Foundation (as recorded in the CVE record; the affected deployment covered by this debrief is Siemens SINEC NMS)
- Product: SINEC NMS
- CVSS: HIGH 7.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2024-11-12
- Original CVE updated: 2024-11-12
- Advisory published: 2024-11-12
- Advisory updated: 2024-11-12
Who should care
Organizations operating Siemens SINEC NMS for industrial network management, critical infrastructure operators with OT/ICS environments, security teams responsible for HTTP/2 service hardening, and asset owners following CISA ICS security guidance
Technical summary
The vulnerability exists in how nghttp2 handles an HTTP/2 header block that exceeds the configured limits. A header block arrives as a HEADERS frame followed by zero or more CONTINUATION frames, and the block is only complete when a frame carries the END_HEADERS flag. Rather than rejecting the block as soon as the limit is crossed, nghttp2 continues to buffer the fragments so that it can construct an informative HTTP 413 response when the block ends. The buffer is meant to be temporary, but nothing bounds it while the block is open: a client that deliberately never sends END_HEADERS keeps the stream open and makes the buffer grow with every frame, so a single connection can exhaust server memory. On affected Siemens SINEC NMS deployments this results in denial of service of the management application. Because the flaw is in the bundled library rather than in SINEC NMS configuration, it can only be closed by the vendor update. The issue is classified as CWE-770 (Allocation of Resources Without Limits or Throttling).
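To make the CWE-770 pattern concrete, the following added example (it is not nghttp2's, Apache's or Siemens' code) models a header-block receiver in Python. `Frame`, `HeaderBlockReceiver`, `endless_continuation` and `run` are hypothetical names, and the limit, chunk size and frame count are constructed inputs. The `bounded=False` receiver reproduces the vulnerable behaviour described above: it keeps storing fragments past the limit and only answers 413 when END_HEADERS arrives, which the attacker never sends. The `bounded=True` receiver shows one way to cap memory: drop the partial block and reset the stream as soon as the limit is crossed, then consume later fragments without storing them.

```python
"""Model of the unbounded header-block buffering behind CVE-2024-27316.

Added illustration, not code from nghttp2, Apache httpd or Siemens.
All class and function names below are hypothetical.
"""
from dataclasses import dataclass, field
from typing import Dict, Iterator, Set

END_HEADERS = 0x4  # HTTP/2 END_HEADERS flag bit (RFC 9113)


@dataclass
class Frame:
    """A HEADERS or CONTINUATION frame reduced to what the receiver needs."""
    stream_id: int
    fragment: bytes
    flags: int = 0


@dataclass
class HeaderBlockReceiver:
    """Accumulates header-block fragments per stream.

    bounded=False: keep every fragment so an informative 413 can be sent
    once END_HEADERS arrives (the vulnerable pattern).
    bounded=True: stop storing at the limit and reset the stream.
    """
    max_header_block: int
    bounded: bool
    buffers: Dict[int, bytearray] = field(default_factory=dict)
    over_limit: Set[int] = field(default_factory=set)
    peak_bytes: int = 0  # largest total buffered at any moment (the DoS metric)

    def _track_peak(self) -> None:
        total = sum(len(b) for b in self.buffers.values())
        self.peak_bytes = max(self.peak_bytes, total)

    def on_frame(self, frame: Frame) -> str:
        sid = frame.stream_id
        if sid in self.over_limit:
            # Hardened path: stream already reset. The fragment is consumed
            # to stay in sync with the connection framing but never stored.
            return "discard"
        buf = self.buffers.setdefault(sid, bytearray())
        if self.bounded and len(buf) + len(frame.fragment) > self.max_header_block:
            # Hardened path: refuse to grow memory; drop the partial block and
            # reset the stream instead of waiting for END_HEADERS.
            del self.buffers[sid]
            self.over_limit.add(sid)
            return "reset"
        buf.extend(frame.fragment)
        self._track_peak()
        if not (frame.flags & END_HEADERS):
            # The vulnerable receiver stays here for every attacker frame,
            # growing buf each time and never reaching the 413 below.
            return "buffering"
        block = bytes(self.buffers.pop(sid))
        if len(block) > self.max_header_block:
            return "413"  # only reachable if the client actually ends the block
        return "complete"


def endless_continuation(stream_id: int, chunk: bytes, count: int) -> Iterator[Frame]:
    """Constructed attacker traffic: header-block fragments that never carry END_HEADERS."""
    for _ in range(count):
        yield Frame(stream_id, chunk, flags=0)


def run(bounded: bool, limit: int = 8192, frames: int = 1000, chunk_size: int = 1024) -> dict:
    """Feed one endless header block to a receiver and report peak memory and outcomes."""
    rx = HeaderBlockReceiver(max_header_block=limit, bounded=bounded)
    outcomes: Dict[str, int] = {}
    for f in endless_continuation(1, b"x" * chunk_size, frames):
        result = rx.on_frame(f)
        outcomes[result] = outcomes.get(result, 0) + 1
    return {"peak_bytes": rx.peak_bytes, "outcomes": outcomes}


if __name__ == "__main__":
    print("vulnerable:", run(bounded=False))  # peak grows with every frame
    print("bounded:   ", run(bounded=True))   # peak stays at the configured limit
```

With a 8 KiB limit and 1000 frames of 1 KiB, the vulnerable receiver's peak buffer reaches 1,000 KiB and would keep growing for as long as the client keeps sending, while the bounded receiver never holds more than 8 KiB and answers the first over-limit frame with a stream reset. The real fix lives inside the library, so the model is only useful for understanding the pattern and for reasoning about what a monitoring threshold should look like.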
Defensive priority
HIGH
Recommended defensive actions
- Upgrade Siemens SINEC NMS to V3.0 SP1 or later version to address the nghttp2 memory exhaustion vulnerability
- Monitor for abnormal HTTP/2 traffic patterns indicating potential exploitation attempts, in particular streams that keep receiving CONTINUATION frames without END_HEADERS, header blocks far larger than the product normally sees, and many such open streams from a single source
- Apply network segmentation controls to limit exposure of SINEC NMS management interfaces
- Review and implement CISA ICS recommended practices for defense-in-depth strategies
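The monitoring recommendation above is only actionable with a concrete check. The following added example (not from the CISA or Siemens advisories and not vendor tooling) scans a constructed, hypothetical per-frame HTTP/2 debug log and flags streams whose header block keeps growing through CONTINUATION frames without END_HEADERS, which is the traffic shape that triggers this vulnerability. The log line format, the `detect` and `open_oversized_streams_by_source` helpers, the thresholds and the sample lines are all assumptions.

```python
"""Detect endless-header-block HTTP/2 streams in a constructed frame log.

Added example, not from the advisory or any vendor. The log format is
hypothetical: "<ts> <src_ip> stream=<id> type=<HEADERS|CONTINUATION>
flags=0x<hex> len=<payload bytes>". Thresholds are placeholders to be
tuned to the server's configured header limits.
"""
import re
from collections import defaultdict
from typing import Dict, List, Tuple

END_HEADERS = 0x4  # HTTP/2 END_HEADERS flag bit (RFC 9113)

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) stream=(?P<sid>\d+) "
    r"type=(?P<type>HEADERS|CONTINUATION) flags=0x(?P<flags>[0-9a-fA-F]+) len=(?P<len>\d+)$"
)


def build_sample_log() -> List[str]:
    """Constructed sample: stream 1 is a normal request, stream 3 is a large
    but legitimate block that ends, stream 5 never sends END_HEADERS."""
    lines = [
        "2024-11-12T10:00:00Z 10.0.0.5 stream=1 type=HEADERS flags=0x5 len=312",
        "2024-11-12T10:00:01Z 10.0.0.5 stream=3 type=HEADERS flags=0x1 len=4096",
        "2024-11-12T10:00:01Z 10.0.0.5 stream=3 type=CONTINUATION flags=0x4 len=2048",
        "2024-11-12T10:00:02Z 198.51.100.7 stream=5 type=HEADERS flags=0x1 len=16384",
    ]
    lines += [
        f"2024-11-12T10:00:0{2 + i // 10}Z 198.51.100.7 stream=5 "
        "type=CONTINUATION flags=0x0 len=16384"
        for i in range(40)
    ]
    return lines


def detect(lines: List[str], max_block_bytes: int = 65536,
           max_continuations: int = 10) -> List[dict]:
    """Return one alert per stream that exceeds a threshold while still open."""
    def fresh() -> dict:
        return {"bytes": 0, "continuations": 0, "ended": False, "alerted": False}

    state: Dict[Tuple[str, int], dict] = defaultdict(fresh)
    alerts: List[dict] = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not a frame line in the assumed format
        key = (m["src"], int(m["sid"]))
        st = state[key]
        if st["ended"]:
            continue  # block already closed; the server could answer and free it
        st["bytes"] += int(m["len"])
        if m["type"] == "CONTINUATION":
            st["continuations"] += 1
        if int(m["flags"], 16) & END_HEADERS:
            st["ended"] = True  # a finished block, even an oversized one, is not this attack
            continue
        over_bytes = st["bytes"] > max_block_bytes
        over_frames = st["continuations"] > max_continuations
        if (over_bytes or over_frames) and not st["alerted"]:
            st["alerted"] = True
            alerts.append({
                "src": key[0],
                "stream": key[1],
                "bytes": st["bytes"],
                "continuations": st["continuations"],
                "reason": ("header block exceeds byte limit without END_HEADERS"
                           if over_bytes else
                           "too many CONTINUATION frames without END_HEADERS"),
            })
    return alerts


def open_oversized_streams_by_source(lines: List[str], **limits) -> Dict[str, int]:
    """Aggregate alerts per source address, the unit a firewall rule acts on."""
    counts: Dict[str, int] = defaultdict(int)
    for alert in detect(lines, **limits):
        counts[alert["src"]] += 1
    return dict(counts)


if __name__ == "__main__":
    for alert in detect(build_sample_log()):
        print(alert)
    print(open_oversized_streams_by_source(build_sample_log()))
```

On the sample the detector fires once, for stream 5 from 198.51.100.7, as soon as the open block passes 64 KiB (on its fourth CONTINUATION frame), and stays silent for the 6 KiB block on stream 3 because that one ends with END_HEADERS. Set `max_block_bytes` just above the header limit configured on the SINEC NMS host so that a legitimate oversized request, which the server rejects itself, does not alert, and treat several open streams from one source as the signal to block that source at the segmentation boundary.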
Evidence notes
The vulnerability description and remediation guidance are derived from CISA CSAF advisory ICSA-24-319-04, which references Siemens security advisory SSA-331112. The CVSS vector (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) confirms network attack vector, low complexity, no privileges or user interaction required, and high availability impact with no confidentiality or integrity impact.
Official resources
- CVE-2024-27316 CVE record (CVE.org)
- CVE-2024-27316 NVD detail (NVD)
- Source item URL: cisa_csaf
2024-11-12