PatchSiren cyber security CVE debrief
CVE-2023-35788 Siemens CVE debrief
CVE-2023-35788 is a high-severity vulnerability in the Linux kernel's flower classifier code, specifically in the `fl_set_geneve_opt` function within `net/sched/cls_flower.c`. The flaw allows an out-of-bounds write when processing TCA_FLOWER_KEY_ENC_OPTS_GENEVE packets, potentially leading to denial of service or privilege escalation. The vulnerability affects Linux kernel versions prior to 6.3.7. Siemens has identified this vulnerability as affecting its TIM 1531 IRC industrial communication modules, including both the standard variant (6GK7543-1MX00-0XE0) and the SIPLUS extended temperature range variant (6AG1543-1MX00-7XE0). The issue was published on June 11, 2024, with the advisory last modified on July 9, 2024. Siemens has released firmware version V2.4.8, and later versions, to address this vulnerability. Because the affected products are industrial communication devices used in OT environments, organizations should prioritize patching, especially for systems with network exposure or those handling critical infrastructure communications.
- Vendor: Siemens
- Product: SIPLUS TIM 1531 IRC (6AG1543-1MX00-7XE0)
- CVSS: HIGH 7.8
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2024-02-13
- Original CVE updated: 2024-02-13
- Advisory published: 2024-02-13
- Advisory updated: 2024-02-13
Who should care
Organizations operating Siemens TIM 1531 IRC industrial communication modules in OT/ICS environments; network administrators managing GENEVE-based network virtualization; security teams responsible for Linux kernel security in embedded industrial systems; infrastructure operators relying on TIM 1531 IRC for remote telecontrol and WAN communications.
Technical summary
The vulnerability exists in the `fl_set_geneve_opt` function in `net/sched/cls_flower.c` of the Linux kernel. When processing TCA_FLOWER_KEY_ENC_OPTS_GENEVE packets for the flower traffic classifier, improper bounds checking allows an out-of-bounds write. An attacker with local access and low privileges can exploit this to achieve denial of service or privilege escalation. The GENEVE (Generic Network Virtualization Encapsulation) protocol is used for network virtualization overlays, and the flower classifier is a key component of the Linux kernel's traffic control subsystem. The flaw was resolved in Linux kernel 6.3.7. Siemens TIM 1531 IRC devices, which run embedded Linux, are affected and require firmware updates to incorporate the kernel fix.
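The defect class described above, as an added illustration that is not the kernel's code: GENEVE options are variable-length TLVs (2-byte class, 1-byte type, 1-byte reserved/length field counting 4-byte words, then data) that get appended into a fixed-size options buffer, so each append must be bounded by the space remaining in that buffer and not only by the per-option maximum. The buffer size, structure and function names here are constructed assumptions for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Constructed sizes, not the kernel's constants. */
#define OPTS_CAPACITY 64              /* assumed fixed options buffer */
#define GENEVE_OPT_HDR 4              /* class(2) + type(1) + r/len(1) */
#define GENEVE_MAX_OPT_DATA (31 * 4)  /* 5-bit length field, 4-byte words */

struct geneve_opts {
    uint8_t data[OPTS_CAPACITY];
    size_t len;                       /* bytes used so far */
};

/* Append one GENEVE option. Returns 0 on success, -1 if the option is
 * malformed or would not fit in the remaining buffer space. */
int append_geneve_opt(struct geneve_opts *o, uint16_t cls, uint8_t type,
                      const uint8_t *data, size_t data_len)
{
    /* Per-option validity: multiple of 4 bytes and encodable in 5 bits. */
    if (data_len % 4 != 0 || data_len > GENEVE_MAX_OPT_DATA)
        return -1;
    /* The bound whose absence turns a long option list into an
     * out-of-bounds write: header plus data must fit what is left. */
    if (o->len > OPTS_CAPACITY ||
        OPTS_CAPACITY - o->len < GENEVE_OPT_HDR + data_len)
        return -1;

    uint8_t *p = o->data + o->len;
    p[0] = (uint8_t)(cls >> 8);
    p[1] = (uint8_t)cls;
    p[2] = type;
    p[3] = (uint8_t)(data_len / 4);   /* top 3 reserved bits stay zero */
    memcpy(p + GENEVE_OPT_HDR, data, data_len);
    o->len += GENEVE_OPT_HDR + data_len;
    return 0;
}

/* Constructed scenario: a 56-byte option fills most of the buffer, and a
 * second option that no longer fits must be rejected with len unchanged.
 * Returns 1 when the bound holds, 0 otherwise. */
int overflow_rejected(void)
{
    struct geneve_opts o = { .len = 0 };
    uint8_t d[GENEVE_MAX_OPT_DATA];
    memset(d, 0xab, sizeof d);
    if (append_geneve_opt(&o, 0x0102, 1, d, 56) != 0 || o.len != 60)
        return 0;
    return append_geneve_opt(&o, 0x0102, 2, d, 8) == -1 && o.len == 60;
}

int main(void)
{
    printf("overflow rejected: %d\n", overflow_rejected());
    return 0;
}
```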
Defensive priority
high
Recommended defensive actions
- Update affected Siemens TIM 1531 IRC devices to firmware version V2.4.8 or later
- Review network segmentation to limit exposure of affected industrial communication modules
- Apply defense-in-depth strategies for industrial control systems per CISA guidance
- Monitor for anomalous network traffic involving GENEVE encapsulation options
- Prioritize patching for devices with network-facing configurations or critical infrastructure roles
Evidence notes
Vulnerability confirmed in Linux kernel before 6.3.7; Siemens TIM 1531 IRC products affected per CISA ICS advisory ICSA-24-165-06. CVSS 3.1 score of 7.8 (HIGH) with local attack vector, low attack complexity, and low privileges required. Out-of-bounds write in flower classifier GENEVE option processing.
Official resources
- CVE-2023-35788 CVE record (CVE.org)
- CVE-2023-35788 NVD detail (NVD)
- Source item URL (cisa_csaf)
- Source reference (Reference)
2024-06-11