PatchSiren cyber security CVE debrief
CVE-2023-3609 Linux CVE debrief
CVE-2023-3609 is a high-severity local privilege escalation issue tied to a Linux kernel use-after-free in net/sched: cls_u32. In the CISA CSAF advisory for ABB M2M Gateway, the issue is mapped to ABB ARM600 and ABB M2M Gateway software/firmware ranges. For OT environments, the main concern is that an attacker who already has local access or a foothold on the affected system could potentially raise privileges on the device.
- Vendor: Linux
- Product: SIMATIC S7-1500 TM MFP - GNU/Linux subsystem
- CVSS: HIGH 7.8
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2023-06-13
- Original CVE updated: 2024-04-09
- Advisory published: 2023-06-13
- Advisory updated: 2024-04-09
Who should care
ABB ARM600 operators, OT/ICS administrators, Linux-based appliance maintainers, and incident responders responsible for systems running ABB M2M Gateway firmware or software in the affected version ranges.
Technical summary
The advisory describes a use-after-free condition in the Linux kernel's net/sched: cls_u32 component. According to the supplied CSAF data, the flaw can be exploited to achieve local user privilege escalation. The affected products listed are ABB M2M Gateway ARM600 firmware versions 4.1.2 through 5.0.3 and ABB M2M Gateway software versions 5.0.1 through 5.0.3. The CVSS 3.1 vector supplied is AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H, which encodes a local attack vector with low attack complexity, low privileges required, and no user interaction, and high impact on confidentiality, integrity, and availability once abused.
Defensive priority
High for exposed or widely accessed OT management systems. The issue is not network-remote per the supplied vector, but local privilege escalation on an appliance used in industrial environments can still materially increase incident impact, especially where administrative access, remote administration paths, or shared support accounts exist.
Recommended defensive actions
- Confirm whether ABB ARM600 or ABB M2M Gateway software/firmware is in the affected version ranges: firmware 4.1.2 through 5.0.3 and software 5.0.1 through 5.0.3.
- Apply vendor remediation or upgrade guidance from ABB and CISA as soon as it is available for your deployment.
- Restrict local access to the appliance and enforce least privilege; use administrator/root privileges only when required.
- Avoid exposing the system directly to the internet; if internet exposure is unavoidable, limit inbound access to the minimum required VPN or management ports.
- Use firewall allowlisting and, where appropriate, a DMZ to terminate internet-facing connections.
- Change default credentials and remove unused accounts or services.
- Keep supporting engineering PCs updated and virus-scan configuration files and firmware before transfer.
- Maintain verified backups and continuous monitoring to detect anomalous activity on the system.
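As an added example (not part of the PatchSiren debrief or any ABB or CISA tooling), a small Python checker for the first action above: it compares an asset inventory against the two affected ranges named in this advisory using numeric per-component comparison rather than string comparison. The product names and version ranges are the ones stated here; the host names and inventory records are constructed.

```python
# Added example: check an asset inventory against the affected version ranges
# stated in the advisory. Not code from the debrief, ABB, or CISA.
from typing import Dict, List, Tuple

# Affected ranges as stated in the advisory (inclusive at both ends).
AFFECTED_RANGES = {
    "ABB M2M Gateway ARM600 firmware": ("4.1.2", "5.0.3"),
    "ABB M2M Gateway software": ("5.0.1", "5.0.3"),
}


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn a dotted version string into a tuple of ints so that comparison
    is numeric per component ("4.10.0" > "4.9.0"), which plain string
    comparison gets wrong."""
    return tuple(int(part) for part in v.strip().split("."))


def is_affected(product: str, version: str) -> bool:
    """True when the product is named in the advisory and the version lies
    inside its affected range (inclusive)."""
    rng = AFFECTED_RANGES.get(product)
    if rng is None:
        return False
    lo, hi = (parse_version(x) for x in rng)
    return lo <= parse_version(version) <= hi


def find_affected(inventory: List[Dict[str, str]]) -> List[str]:
    """Return the host names whose product/version falls in an affected range."""
    return [a["host"] for a in inventory if is_affected(a["product"], a["version"])]


# Constructed sample inventory (hypothetical hosts and versions).
SAMPLE_INVENTORY = [
    {"host": "gw-site-a", "product": "ABB M2M Gateway ARM600 firmware", "version": "4.1.1"},
    {"host": "gw-site-b", "product": "ABB M2M Gateway ARM600 firmware", "version": "4.12.0"},
    {"host": "gw-site-c", "product": "ABB M2M Gateway software", "version": "5.0.3"},
    {"host": "gw-site-d", "product": "ABB M2M Gateway software", "version": "5.0.4"},
]

if __name__ == "__main__":
    # Expected: ['gw-site-b', 'gw-site-c']
    print(find_affected(SAMPLE_INVENTORY))
```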
Evidence notes
Supplied advisory metadata identifies the source as CISA CSAF ICSA-25-105-08, published and modified 2025-04-07T10:30:00Z, with an initial version 1.0.0. The advisory describes a Linux kernel net/sched: cls_u32 use-after-free that can lead to local privilege escalation. Affected product entries in the source data name ABB M2M Gateway ARM600 firmware 4.1.2 through 5.0.3 and ABB M2M Gateway software 5.0.1 through 5.0.3. No KEV entry was supplied. Guidance and mitigation language in the source focuses on network segregation, VPN/DMZ use, firewall allowlisting, credential hygiene, privilege minimization, patch hygiene, backups, and monitoring.
Official resources
- CVE-2023-3609 CVE record (CVE.org)
- CVE-2023-3609 NVD detail (NVD)
- Source item URL (cisa_csaf)
- Source reference (Reference)
CISA CSAF advisory ICSA-25-105-08 for ABB M2M Gateway was published on 2025-04-07T10:30:00Z and lists CVE-2023-3609. The advisory was initially versioned 1.0.0 on the same date. No KEV designation was supplied in the provided corpus.