PatchSiren

CVE-2024-35789 Linux CVE debrief

A use-after-free vulnerability exists in the Linux kernel's mac80211 Wi-Fi subsystem when handling station VLAN changes. The issue occurs when moving a station out of a VLAN and subsequently deleting that VLAN—the fast_rx entry retains a pointer to the freed VLAN's network device, leading to potential memory corruption. This vulnerability affects Siemens SIMATIC S7-1500 TM MFP industrial control systems that utilize the GNU/Linux subsystem. The flaw was resolved in the Linux kernel by immediately invoking ieee80211_check_fast_rx after VLAN changes to properly clear stale pointers.

Vendor: Linux
Product: SIMATIC S7-1500 TM MFP - GNU/Linux subsystem
CVSS: MEDIUM 5.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2024-04-09
Original CVE updated: 2026-05-14
Advisory published: 2024-04-09
Advisory updated: 2026-05-14

Who should care

Organizations operating Siemens SIMATIC S7-1500 TM MFP industrial control systems with the GNU/Linux subsystem enabled, particularly those using Wi-Fi connectivity with VLAN segmentation. OT security teams, industrial network administrators, and asset owners in manufacturing, process control, and critical infrastructure sectors should prioritize access controls and monitoring for this vulnerability.

Technical summary

The vulnerability resides in the mac80211 subsystem's fast path receive (fast_rx) optimization. When a station is moved out of a VLAN and that VLAN is subsequently deleted, the fast_rx structure retains a dangling pointer to the VLAN's net_device. Subsequent packet processing through the fast_rx path dereferences this freed pointer, causing use-after-free memory corruption. The fix ensures ieee80211_check_fast_rx is called immediately after VLAN changes to invalidate stale fast_rx entries.
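
The stale-cache pattern described above, as an added example that is not kernel code or code from the advisory: a user-space C model in which every struct and function name is hypothetical and a `deleted` flag stands in for freeing the VLAN's net_device. It shows the cached fast-path pointer surviving a VLAN change, and the re-check after the change clearing it.

```c
#include <stdio.h>
#include <stddef.h>

/* Simplified user-space model. All names are hypothetical and only loosely
 * mirror the mac80211 concepts named in the summary. */
struct netdev { const char *name; int deleted; /* tombstone stands in for free() */ };

struct fast_rx { struct netdev *dev; };   /* cached receive-path state */

struct station {
    struct netdev *sdata_dev;   /* interface the station currently belongs to */
    struct fast_rx fast_rx;     /* cache consulted for every received frame */
};

/* Rebuild the cache from the station's current state (the role the re-check plays). */
static void check_fast_rx(struct station *sta) { sta->fast_rx.dev = sta->sdata_dev; }

/* Move the station to another interface; recheck=0 models the pre-fix behaviour. */
static void change_station_vlan(struct station *sta, struct netdev *to, int recheck)
{
    sta->sdata_dev = to;
    if (recheck)
        check_fast_rx(sta);
}

/* Fast path: returns 1 if a frame would be handled through a deleted device. */
static int rx_uses_deleted_dev(const struct station *sta)
{
    return sta->fast_rx.dev != NULL && sta->fast_rx.dev->deleted;
}

/* Scenario from the summary: station leaves the VLAN, VLAN is deleted, frame arrives. */
int stale_pointer_after_vlan_delete(int recheck)
{
    struct netdev ap = { "ap0", 0 }, vlan = { "ap0.vlan1", 0 };  /* constructed names */
    struct station sta = { &vlan, { NULL } };

    check_fast_rx(&sta);                      /* cache built while in the VLAN */
    change_station_vlan(&sta, &ap, recheck);  /* station moved out of the VLAN */
    vlan.deleted = 1;                         /* VLAN interface removed */
    return rx_uses_deleted_dev(&sta);
}

int main(void)
{
    printf("without re-check: stale=%d\n", stale_pointer_after_vlan_delete(0));
    printf("with re-check:    stale=%d\n", stale_pointer_after_vlan_delete(1));
    return 0;
}
```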

Defensive priority

medium

Recommended defensive actions

  • Restrict interactive shell access to the GNU/Linux subsystem to trusted personnel only
  • Build and run applications exclusively from trusted sources
  • Monitor for kernel updates from Siemens that may address this vulnerability
  • Apply defense-in-depth strategies for industrial control system environments
  • Review network segmentation to limit exposure of affected devices

Evidence notes

The vulnerability description is sourced from CISA ICS Advisory ICSA-24-102-01, which references Siemens Security Advisory SSA-265688. The issue was resolved in the Linux kernel by adding a check to clear fast_rx entries when VLAN changes occur for non-4addr stations. Siemens has confirmed this vulnerability affects the GNU/Linux subsystem of SIMATIC S7-1500 TM MFP devices.
