PatchSiren

PatchSiren cyber security CVE debrief

CVE-2023-4039 Siemens CVE debrief

A vulnerability in GCC-based toolchains targeting AArch64 allows attackers to bypass the -fstack-protector security feature when exploiting buffer overflows in dynamically-sized local variables (C99 VLAs or alloca()). Stack protection still works for statically-sized variables, but because dynamic allocations are left unguarded, an existing buffer overflow in one of them can be exploited without detection. Successful exploitation could lead to uncontrolled loss of availability, or potentially to confidentiality and integrity impacts through manipulation of program control flow.

Vendor: Siemens
Product: RUGGEDCOM RST2428P (6GK6242-6PA00)
CVSS: MEDIUM 4.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2025-08-12
Original CVE updated: 2026-02-25
Advisory published: 2025-08-12
Advisory updated: 2026-02-25

Who should care

Organizations operating Siemens RUGGEDCOM RST2428P, SCALANCE XC-300/XR-300/XC-400/XR-500WG/XR-500, or SCALANCE XCM-/XRM-/XCH-/XRH-300 industrial Ethernet switches. Development teams building AArch64 applications with GCC using variable-length arrays or alloca(). Industrial control system operators relying on stack protection as a security control. Security teams assessing compiler-level security guarantees in embedded and industrial environments.

Technical summary

The -fstack-protector compiler feature in GCC-based toolchains for AArch64 fails to insert stack canaries around C99 dynamically-sized local variables (variable-length arrays) and alloca()-allocated memory. This compiler-level weakness allows existing buffer overflow vulnerabilities in such variables to be exploited without triggering the stack protector's overflow detection mechanism. The vulnerability is architectural to the toolchain rather than application-specific, affecting any AArch64 binary compiled with affected GCC versions that uses these dynamic allocation patterns. Statically-sized local variables remain properly protected.

Defensive priority

medium

Recommended defensive actions

  • Apply vendor-provided firmware updates: Update RUGGEDCOM RST2428P and SCALANCE XCM-/XRM-/XCH-/XRH-300 family to V3.2 or later per Siemens guidance
  • For SCALANCE XC-300/XR-300/XC-400/XR-500WG/XR-500 family, consult Siemens ProductCERT SSA-355557 for specific configuration guidance and available updates
  • Review application code for use of C99 variable-length arrays or alloca() in AArch64-targeted builds compiled with GCC
  • Consider static analysis and manual code review to identify potential buffer overflow conditions in dynamically-sized local variables
  • Implement defense-in-depth controls including network segmentation, access restrictions, and monitoring for industrial control systems as recommended by CISA ICS-CERT practices
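The code-review action above is easier to act on with a concrete picture of the pattern the technical summary describes. The following is an added example, not code from the advisory, Siemens or GCC: a record parser written with a run-time-sized stack buffer (the shape CVE-2023-4039 leaves unguarded on affected AArch64 builds) next to a hardened form that uses a statically sized buffer, which the stack protector does cover, and checks every untrusted length. The record layout and all names (MAX_NAME, name_from_record_vla, name_from_record_fixed) are assumptions for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_NAME 64   /* hypothetical protocol limit for a name field */

/* Assumed record format: one length byte, then that many name bytes. */

/* Pattern the advisory warns about (kept for recognition; not used below).
 * The local buffer is a C99 VLA sized from the record itself, so on affected
 * GCC/AArch64 builds no canary separates it from the saved registers, and
 * the unchecked copy length can overflow it without the protector noticing.
 * GCC's -Wvla (and -Walloca for alloca()) surfaces this shape at build time. */
size_t name_from_record_vla(const uint8_t *rec, size_t rec_len, char *out)
{
    size_t n = rec[0];
    char name[n + 1];                    /* VLA: size decided at run time   */
    memcpy(name, rec + 1, rec_len - 1);  /* rec_len - 1 may exceed n + 1    */
    name[n] = '\0';
    strcpy(out, name);
    return n;
}

/* Hardened form: a statically sized buffer, which -fstack-protector guards
 * on AArch64, and an explicit bound check on every untrusted length.
 * Returns the name length on success, or 0 for a malformed record. */
size_t name_from_record_fixed(const uint8_t *rec, size_t rec_len,
                              char *out, size_t out_len)
{
    char name[MAX_NAME + 1];             /* fixed size: canary-protected    */
    if (rec == NULL || out == NULL || rec_len < 1)
        return 0;
    size_t n = rec[0];
    if (n == 0 || n > MAX_NAME || n > rec_len - 1 || n + 1 > out_len)
        return 0;                        /* reject rather than trust n      */
    memcpy(name, rec + 1, n);
    name[n] = '\0';
    memcpy(out, name, n + 1);            /* stand-in for real processing    */
    return n;
}

int main(void)
{
    const uint8_t rec[] = {5, 'R', 'S', 'T', '2', '4'};  /* constructed input */
    char out[16];
    size_t n = name_from_record_fixed(rec, sizeof rec, out, sizeof out);
    printf("name=%s len=%zu\n", out, n);
    return 0;
}
```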

Evidence notes

CISA ICS advisory ICSA-25-226-07, published 2025-08-12, documents this vulnerability as affecting Siemens industrial networking products. The advisory was republished 2026-02-25 based on Siemens ProductCERT SSA-355557. The CVSS 3.1 vector AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N indicates a network attack vector with high attack complexity, no privileges or user interaction required, and low confidentiality and integrity impact with no availability impact when the stack protector functions as designed.

Official resources

2025-08-12