PatchSiren

PatchSiren cyber security CVE debrief

CVE-2024-26903 Linux CVE debrief

A null pointer dereference vulnerability exists in the Linux kernel's Bluetooth RFCOMM subsystem, specifically within the rfcomm_check_security function. This flaw can lead to a local denial-of-service condition when exploited by an authenticated attacker with low privileges. The vulnerability affects Siemens SIMATIC S7-1500 TM MFP industrial control systems that utilize the GNU/Linux subsystem, where Bluetooth functionality may be exposed. The issue was disclosed on April 9, 2024, and remains unpatched as of the latest advisory update. Organizations should implement access controls and trusted application policies to mitigate risk.

Vendor: Linux
Product: SIMATIC S7-1500 TM MFP - GNU/Linux subsystem
CVSS: MEDIUM 5.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2024-04-09
Original CVE updated: 2026-05-14
Advisory published: 2024-04-09
Advisory updated: 2026-05-14

Who should care

Industrial control system operators, OT security teams, Siemens SIMATIC S7-1500 TM MFP administrators, manufacturing security engineers, and organizations with Bluetooth-enabled industrial endpoints.

Technical summary

The vulnerability resides in the rfcomm_check_security function within the Linux kernel's Bluetooth RFCOMM protocol implementation. A null pointer dereference occurs when processing security checks, leading to a kernel panic and system crash. The attack requires local access and low privileges, with no user interaction needed. The CVSS 3.1 score of 5.5 reflects medium severity, with high availability impact but no confidentiality or integrity effects. Siemens has confirmed that no patch is currently available for the SIMATIC S7-1500 TM MFP GNU/Linux subsystem.

Defensive priority

Medium

Recommended defensive actions

  • Restrict interactive shell access to the GNU/Linux subsystem to trusted personnel only
  • Implement application whitelisting to ensure only trusted applications are built and executed
  • Monitor for anomalous Bluetooth RFCOMM activity on affected systems
  • Apply vendor patches when Siemens releases updated firmware
  • Review CISA ICS recommended practices for defense-in-depth strategies

Evidence notes

CVE description confirms null-pointer dereference in rfcomm_check_security. CISA ICS advisory ICSA-24-102-01 identifies affected Siemens product. CVSS 3.1 vector AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H confirms local attack vector with availability impact. Advisory remediation section states 'Currently no fix is available' as of last modification.
