PatchSiren

PatchSiren cyber security CVE debrief

CVE-2022-39189 Siemens CVE debrief

CVE-2022-39189 is a vulnerability in the x86 KVM subsystem of the Linux kernel before version 5.18.17. Unprivileged guest users can compromise the guest kernel because TLB (Translation Lookaside Buffer) flush operations are mishandled in certain KVM_VCPU_PREEMPTED situations: the hypervisor could report a vCPU as preempted while that vCPU was still in the middle of an instruction, so a guest TLB flush that trusted the report could complete while a stale translation was still in use. Siemens SIPLUS TIM 1531 IRC and TIM 1531 IRC industrial communication devices incorporate the affected Linux kernel component. The flaw enables local privilege escalation within a guest virtual machine, potentially giving an attacker full control of the guest kernel. Siemens addressed the issue in firmware version V2.4.8. Organizations should apply the vendor-provided update and follow CISA's recommended practices for securing industrial control systems.

Vendor
Siemens
Product
SIPLUS TIM 1531 IRC (6AG1543-1MX00-7XE0)
CVSS
HIGH 7.8
CISA KEV
Not listed in stored evidence
Original CVE published
2024-02-13
Original CVE updated
2024-02-13
Advisory published
2024-02-13
Advisory updated
2024-02-13

Who should care

Organizations operating Siemens TIM 1531 IRC or SIPLUS TIM 1531 IRC industrial communication modules; OT security teams managing KVM-based virtualization infrastructure in which untrusted users or workloads run inside guests; system administrators responsible for Linux kernel maintenance in industrial control systems; compliance officers tracking CVE remediation for critical infrastructure assets.

Technical summary

The vulnerability exists in the x86 KVM (Kernel-based Virtual Machine) subsystem. A KVM guest that uses paravirtualized TLB flushing does not send a flush IPI to a vCPU that the host reports as preempted (the KVM_VCPU_PREEMPTED bit in the shared steal-time structure); it sets KVM_VCPU_FLUSH_TLB instead and relies on the host to flush that vCPU's TLB at its next VM entry. Before 5.18.17, KVM reported a vCPU as preempted even when it had been scheduled out in the middle of an instruction, for example during instruction emulation, where a virtual address may already have been translated but not yet accessed. The flushing vCPU therefore returns believing the old translation is gone, while the preempted vCPU later completes its access with it, which is equivalent to using a stale TLB entry. Stale translations can point at memory the guest kernel has already reused, and an unprivileged guest user who can win this race can turn that into guest kernel compromise. The flaw is local to the guest, with low attack complexity, low required privileges and no user interaction, and high impact to confidentiality, integrity and availability of the guest (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H, 7.8). The defect and its fix are in the host (hypervisor) kernel's KVM code; a guest's own kernel version does not determine whether it is exposed.
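As an added illustration, and not code from this page, from Siemens or from the Linux kernel, the following user-space C model replays the protocol described above. It borrows the flag names KVM_VCPU_PREEMPTED and KVM_VCPU_FLUSH_TLB and their bit values from the kernel's uapi header; the single-entry "TLB", the two-vCPU scenario, the sched-in/sched-out hooks and the run_scenario() function are constructed simplifications. The model runs the race once with the pre-5.18.17 behaviour (report preempted whenever a vCPU is scheduled out) and once with the upstream fix (report preempted only when the vCPU is at an instruction boundary), and reports whether vCPU1 completed a memory access with the old translation after vCPU0's flush had already returned.

```c
/* Constructed model of the KVM paravirtualized TLB-flush protocol behind
 * CVE-2022-39189. Not kernel code: only the flag names/values are real. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define KVM_VCPU_PREEMPTED (1 << 0)  /* set by host: vCPU is scheduled out          */
#define KVM_VCPU_FLUSH_TLB (1 << 1)  /* set by guest: host must flush on VM entry    */
#define NVCPU 2

struct vcpu {
    uint8_t preempted;        /* models kvm_steal_time.preempted, shared with host */
    bool mid_instruction;     /* exited to the host in the middle of an access     */
    unsigned long tlb_pa;     /* the vCPU's cached translation of VA (0 = none)    */
};

static unsigned long mapping_pa;   /* current page-table mapping of VA (model)   */
static bool stale_access;          /* old mapping used after the flush returned   */

/* Host: vCPU taken off its physical CPU. Vulnerable KVM reported PREEMPTED
 * whenever the vCPU was scheduled out; the fix reports it only when the vCPU
 * is at an instruction boundary (hypothetical 'fixed' switch selects which). */
static void host_sched_out(struct vcpu *v, bool fixed)
{
    if (!fixed || !v->mid_instruction)
        v->preempted |= KVM_VCPU_PREEMPTED;
}

/* Host: vCPU runs again and finishes the instruction it was in. Reusing a
 * translation obtained before the exit is a stale-TLB use if the mapping
 * changed and the other vCPU's flush has already returned. */
static void host_sched_in(struct vcpu *v, bool flush_returned)
{
    if (v->mid_instruction) {
        if (flush_returned && v->tlb_pa != 0 && v->tlb_pa != mapping_pa)
            stale_access = true;
        v->mid_instruction = false;
    }
}

/* Host: VM entry honours a deferred flush (what record_steal_time() does). */
static void host_vm_entry(struct vcpu *v)
{
    uint8_t s = v->preempted;
    v->preempted = 0;
    if (s & KVM_VCPU_FLUSH_TLB)
        v->tlb_pa = 0;
}

/* Guest: modelled on kvm_flush_tlb_multi(). For a vCPU the host reports as
 * preempted, skip the IPI and queue a flush-on-entry; otherwise send the IPI
 * and block until the remote vCPU has run the flush handler. */
static void guest_flush_tlb_multi(struct vcpu *vcpus, int self)
{
    for (int i = 0; i < NVCPU; i++) {
        struct vcpu *v = &vcpus[i];
        if (i == self) { v->tlb_pa = 0; continue; }
        uint8_t state = v->preempted;
        if (state & KVM_VCPU_PREEMPTED) {
            v->preempted = state | KVM_VCPU_FLUSH_TLB;
            continue;                 /* no IPI: flush deferred to next VM entry */
        }
        /* IPI path: the sender waits, so whatever instruction the remote vCPU
         * was in completes before the flush is acknowledged (flush not returned). */
        host_sched_in(v, false);
        v->tlb_pa = 0;
        host_vm_entry(v);
    }
}

/* Scenario (constructed): vCPU1 exits mid-instruction having translated VA and
 * is scheduled out; vCPU0 remaps VA and flushes; vCPU1 later resumes. Returns
 * true if vCPU1 used the old translation after vCPU0's flush had returned. */
bool run_scenario(bool fixed)
{
    struct vcpu vcpus[NVCPU];
    memset(vcpus, 0, sizeof vcpus);
    mapping_pa = 0x1000;
    stale_access = false;

    vcpus[1].tlb_pa = 0x1000;                 /* VA already translated ...        */
    vcpus[1].mid_instruction = true;          /* ... but the access not yet done   */
    host_sched_out(&vcpus[1], fixed);

    mapping_pa = 0x2000;                      /* vCPU0 remaps VA                   */
    guest_flush_tlb_multi(vcpus, 0);          /* and believes the old mapping gone */

    host_sched_in(&vcpus[1], true);           /* vCPU1 finishes its in-flight access */
    host_vm_entry(&vcpus[1]);                 /* deferred flush lands here, too late */
    return stale_access;
}

int main(void)
{
    printf("vulnerable host: stale access after flush = %s\n", run_scenario(false) ? "yes" : "no");
    printf("fixed host:      stale access after flush = %s\n", run_scenario(true) ? "yes" : "no");
    return 0;
}
```

The point the model makes is that the deferred flush is only sound if the preempted vCPU cannot be holding a translation it has not finished using; reporting preemption at an instruction boundary restores that guarantee, which is why the remediation lives in the host kernel rather than in the guest.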

Defensive priority

HIGH

Recommended defensive actions

  • Apply Siemens firmware update V2.4.8 or later to affected TIM 1531 IRC and SIPLUS TIM 1531 IRC devices
  • On KVM hosts, confirm the hypervisor kernel carries the fix (upstream 5.18.17 or later); the vulnerable code is in the host's KVM subsystem, so updating guest kernels alone does not remove exposure. Distribution kernels often backport fixes without changing the upstream version string, so rely on the distribution's advisory or changelog rather than on the version number alone
  • Review and implement CISA ICS recommended practices for defense-in-depth
  • Monitor for anomalous privilege escalation activity within guest VMs
  • Assess which untrusted users or workloads can execute code inside affected guests, since exploitation requires only unprivileged guest access

Evidence notes

CVE published 2024-06-11; modified 2024-07-09. CISA ICS advisory ICSA-24-165-06 published same date. Siemens SSA-337522 provides vendor remediation guidance. CVSS 7.8 HIGH severity with local attack vector, low attack complexity, and high impact to confidentiality, integrity, and availability.

Official resources

2024-06-11