PatchSiren cyber security CVE debrief
CVE-2022-3643 Siemens CVE debrief
A guest virtual machine can trigger a network interface controller (NIC) reset, abort, or crash in Linux-based network backends by sending specially crafted packets with split protocol headers. The vulnerability stems from netback forwarding packets that violate the Linux network stack's assumption that protocol headers reside entirely within the linear section of socket buffers (SKBs). This misbehavior has been observed with Cisco (enic) and Broadcom NetXtreme II BCM5780 (bnx2x) NICs and drivers, though other hardware may be affected. The issue is rated CVSS 3.1 6.5 (Medium) with a local attack vector, low attack complexity, and high availability impact.
- Vendor: Siemens
- Product: SIMATIC CP 1542SP-1 (6GK7542-6UX00-0XE0)
- CVSS: MEDIUM 6.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2024-06-11
- Original CVE updated: 2024-06-11
- Advisory published: 2024-06-11
- Advisory updated: 2024-06-11
Who should care
Organizations operating virtualized industrial control systems using Siemens SIMATIC or SIPLUS communication processors with embedded Linux networking stacks, particularly those employing Xen virtualization or similar paravirtualized network backends. System administrators responsible for OT/ICS network infrastructure and security teams managing hybrid IT/OT environments should prioritize assessment and patching.
Technical summary
The vulnerability exists in the Linux netback driver used in virtualized environments, particularly Xen. When a guest VM sends network packets with split protocol headers (where headers span non-contiguous memory regions), netback forwards these to the networking core without ensuring headers fit within the SKB linear section. This violates assumptions made by some NIC drivers, causing hardware resets or crashes. The issue affects Cisco enic and Broadcom bnx2x drivers specifically, with potential impact on other hardware. Siemens industrial communication processors running affected Linux versions are vulnerable to guest-induced network disruption.
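The invariant described above, as an added example that is not code from the advisory, Siemens, or the Linux kernel: a simplified userspace model of an SKB in which a backend makes the protocol headers contiguous in the linear area before passing the packet on, and drops it otherwise. The model_skb type, the ensure_linear and l2_l3_header_len helpers, the 128-byte linear capacity and the IPv4-only handling are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define LINEAR_CAP 128  /* constructed size of the linear area */
#define MAX_FRAGS  4

struct frag { const uint8_t *data; size_t len; };

/* Hypothetical, simplified model of an SKB: linear bytes plus fragments. */
struct model_skb {
    uint8_t linear[LINEAR_CAP];
    size_t  linear_len;
    struct frag frags[MAX_FRAGS];
    size_t  nr_frags;
};

/* Make the first `need` bytes contiguous in the linear area by moving bytes
 * out of the leading fragments. Returns 0 on success, -1 if the packet is
 * shorter than `need` or `need` exceeds the linear capacity. */
int ensure_linear(struct model_skb *skb, size_t need)
{
    size_t total = skb->linear_len;
    for (size_t i = 0; i < skb->nr_frags; i++)
        total += skb->frags[i].len;
    if (need > LINEAR_CAP || need > total)
        return -1;                       /* drop: headers cannot be linearised */
    for (size_t i = 0; i < skb->nr_frags && skb->linear_len < need; i++) {
        struct frag *f = &skb->frags[i];
        size_t take = need - skb->linear_len;
        if (take > f->len)
            take = f->len;
        memcpy(skb->linear + skb->linear_len, f->data, take);
        skb->linear_len += take;
        f->data += take;                 /* fragment keeps only the remainder */
        f->len  -= take;
    }
    return 0;
}

/* Ethernet (14 bytes) plus the IPv4 header length read from the IHL field,
 * after the fixed 14 + 20 bytes are known to be linear. 0 means "drop". */
size_t l2_l3_header_len(struct model_skb *skb)
{
    if (ensure_linear(skb, 14 + 20) != 0)
        return 0;
    size_t ihl = (size_t)(skb->linear[14] & 0x0f) * 4;
    if (ihl < 20 || ensure_linear(skb, 14 + ihl) != 0)
        return 0;
    return 14 + ihl;
}
```

A driver that reads headers only from the linear area is safe once l2_l3_header_len returns non-zero; a zero return is the point at which the backend should discard the packet instead of forwarding it.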
Defensive priority
medium
Recommended defensive actions
- Apply vendor-provided firmware updates to version 2.3 or later for affected Siemens SIMATIC CP 1542SP-1, CP 1542SP-1 IRC, CP 1543SP-1, and SIPLUS ET 200SP communication modules
- Segment industrial control networks from enterprise IT networks and internet access to limit exposure of vulnerable devices
- Monitor network traffic for anomalous patterns that may indicate attempted exploitation of virtualized networking components
- Implement defense-in-depth strategies including access controls and monitoring for virtualized infrastructure per CISA ICS recommended practices
- Review and update network driver configurations to ensure compatibility with security assumptions in the Linux networking stack
Evidence notes
The vulnerability description indicates this affects Linux-based network backends in virtualized environments where netback is used. The issue was originally identified in the Xen netback driver context. Siemens has confirmed this affects multiple SIMATIC and SIPLUS industrial communication processors that incorporate affected Linux networking components.
Official resources
- CVE-2022-3643 CVE record (CVE.org)
- CVE-2022-3643 NVD detail (NVD)
- Source item URL (cisa_csaf)
2024-06-11