PatchSiren

CVE-2023-35829 Siemens CVE debrief

A use-after-free vulnerability exists in the Rockchip VDEC driver (rkvdec) within the Linux kernel before version 6.3.2. The flaw occurs in the rkvdec_remove function located at drivers/staging/media/rkvdec/rkvdec.c. This vulnerability has been identified as affecting Siemens industrial control system products, specifically the TIM 1531 IRC communication modules used in industrial automation environments. The use-after-free condition could potentially allow an attacker with local access to execute arbitrary code or cause a denial of service condition. The vulnerability was published on June 11, 2024, and subsequently modified on July 9, 2024, with the modification reflecting updates to related CVE-2023-27321 information in the source advisory. Siemens has released a vendor fix requiring update to version 2.4.8 or later.

Vendor: Siemens
Product: SIPLUS TIM 1531 IRC (6AG1543-1MX00-7XE0)
CVSS: HIGH 7
CISA KEV: Not listed in stored evidence
Original CVE published: 2024-06-11
Original CVE updated: 2024-07-09
Advisory published: 2024-06-11
Advisory updated: 2024-07-09

Who should care

Organizations operating Siemens TIM 1531 IRC industrial communication modules in critical infrastructure environments, including utilities, transportation, and manufacturing sectors. Security teams responsible for industrial control system (ICS) asset management and vulnerability remediation. System integrators deploying Siemens telecontrol solutions should prioritize firmware updates. Organizations subject to NERC CIP or other critical infrastructure cybersecurity regulations should assess exposure and document remediation timelines.

Technical summary

The vulnerability is a use-after-free in the rkvdec_remove function of the Rockchip VDEC driver in Linux kernel versions prior to 6.3.2. The rkvdec driver is part of the staging media subsystem and handles video decoding for Rockchip SoCs. A use-after-free in the remove path suggests that during driver unbinding or device removal, a memory resource may be accessed after it has been freed, potentially leading to memory corruption. In the context of Siemens TIM 1531 IRC devices, which are industrial telecontrol modules used for remote monitoring and control in critical infrastructure, this kernel-level vulnerability could be exploited if an attacker has local access to the underlying Linux-based system. The CVSS score of 7.0 (HIGH) reflects significant impact potential despite the local attack vector and high attack complexity. The vendor fix requires updating affected devices to firmware version 2.4.8 or later, available through the Siemens Industry Online Support portal.

Defensive priority

HIGH

Recommended defensive actions

  • Apply vendor-provided firmware update to version 2.4.8 or later for affected Siemens TIM 1531 IRC devices
  • Verify current firmware version on deployed SIPLUS TIM 1531 IRC and TIM 1531 IRC modules
  • Implement network segmentation for industrial control systems to limit exposure of affected devices
  • Follow CISA ICS recommended practices for defense-in-depth strategies
  • Monitor Siemens ProductCERT portal for additional security updates related to SSA-337522

Evidence notes

The vulnerability description is sourced from CISA ICS Advisory ICSA-24-165-06, which references Siemens Security Advisory SSA-337522. The affected products are SIPLUS TIM 1531 IRC (6AG1543-1MX00-7XE0) and TIM 1531 IRC (6GK7543-1MX00-0XE0). The CVSS 3.1 vector indicates local attack vector with high attack complexity, requiring low privileges but no user interaction, with high impact across confidentiality, integrity, and availability. The remediation specifies update to V2.4.8 or later version with reference to Siemens support portal.
