PatchSiren cyber security CVE debrief
CVE-2023-52474 Siemens CVE debrief
CVE-2023-52474 is a HIGH severity vulnerability (CVSS 7.8) in the Linux kernel's IB/hfi1 driver, affecting user SDMA request processing. The vulnerability stems from two bugs in the handling of multi-iovec user SDMA requests in which an iovec other than the tail iovec does not run up to the page boundary. First, user_sdma_txadd() ignores struct user_sdma_iovec->iov.iov_len and may add up to PAGE_SIZE bytes from an iovec, including bytes past the intended length. Second, user_sdma_txadd() and user_sdma_send_pkts() fail to advance to the next iovec when the current iovec is not PAGE_SIZE long and lacks sufficient data to complete a packet, so transmitted packets contain the wrong data.

The vulnerability also exposes additional bugs in the SDMA pin cache (mmu_rb_handler): duplicate pinnings from overlapping memory ranges, race conditions during entry extension, refcount handling outside of locks, and use-after-free conditions in failure paths.

Siemens has identified that this vulnerability affects its SIPLUS TIM 1531 IRC and TIM 1531 IRC industrial communication modules. The issue was resolved in the Linux kernel and Siemens has released firmware updates. This vulnerability was not previously exploitable through hfi1 Verbs or PSM2, as they only produce iovecs ending short of PAGE_SIZE as tail iovecs.
- Vendor: Siemens
- Product: SIPLUS TIM 1531 IRC (6AG1543-1MX00-7XE0)
- CVSS: HIGH 7.8
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2024-06-11
- Original CVE updated: 2024-07-09
- Advisory published: 2024-06-11
- Advisory updated: 2024-07-09
Who should care
Organizations operating Siemens TIM 1531 IRC industrial communication modules, Linux systems utilizing Intel Omni-Path (hfi1) InfiniBand adapters with user SDMA functionality, industrial control system operators requiring data integrity in high-performance networking environments, and security teams managing kernel-level vulnerabilities in operational technology networks.
Technical summary
The vulnerability exists in the IB/hfi1 driver's user SDMA (Synchronous Direct Memory Access) request processing logic. The primary bugs involve incorrect handling of iovec structures: user_sdma_txadd() disregards the iov_len field and may read beyond intended buffer boundaries up to PAGE_SIZE, and fails to properly advance through iovec arrays when current buffers are insufficient for packet completion. Secondary bugs in the mmu_rb_handler (SDMA pin cache) include: duplicate page pinnings from overlapping ranges, race conditions during entry extension with lock release/reacquisition, refcount increments outside critical sections enabling eviction races, and use-after-free conditions when SDMA requests complete after failure-path node deallocation. These issues collectively enable data corruption and potential memory safety violations in kernel space.
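To make the two iovec-walking defects concrete, here is a constructed C model added for this debrief (not hfi1 driver code; all names are hypothetical) that builds fixed-size packets from a two-iovec request whose first iovec stops short of the page boundary, once with the corrected walk and once reproducing the defects the summary describes.

```c
/* Constructed model of walking a multi-iovec user SDMA request into
 * fixed-size packets (hypothetical names, not hfi1 driver code). */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define PAGE_SIZE 4096u

struct user_iovec { const uint8_t *base; size_t iov_len; size_t offset; };

/* Copies packets of pkt_len bytes from the iovec array into out and
 * returns the bytes written. With respect_iov_len == 0 it reproduces the
 * advisory's two defects: the copy length is bounded by PAGE_SIZE rather
 * than iov_len, and the walker only advances to the next iovec once a
 * whole page has been consumed. Every base must point at PAGE_SIZE bytes
 * of backing memory so the defective variant stays in bounds here. */
static size_t build_packets(struct user_iovec *iov, size_t n, size_t pkt_len,
                            uint8_t *out, size_t out_cap, int respect_iov_len)
{
    size_t idx = 0, written = 0;
    while (idx < n && written + pkt_len <= out_cap) {
        size_t need = pkt_len;
        while (need > 0 && idx < n) {
            struct user_iovec *v = &iov[idx];
            size_t limit = respect_iov_len ? v->iov_len : PAGE_SIZE;
            size_t avail = limit - v->offset;
            size_t take = avail < need ? avail : need;
            memcpy(out + written, v->base + v->offset, take);
            v->offset += take; written += take; need -= take;
            if (v->offset == limit) idx++;  /* iovec exhausted: move on */
        }
    }
    return written;
}

/* Output buffer inspected after a run (large enough for both variants). */
uint8_t last_out[2 * PAGE_SIZE];

/* Constructed request: two iovecs of 1000 bytes, each at the start of a
 * 4096-byte page whose remaining bytes hold stale data ('X'). The first
 * iovec stops short of the page boundary, the case the fix addresses.
 * Packets are 512 bytes; returns the total bytes placed in last_out. */
size_t run_request(int respect_iov_len)
{
    static uint8_t page_a[PAGE_SIZE], page_b[PAGE_SIZE];
    memset(page_a, 'X', PAGE_SIZE); memset(page_a, 'A', 1000);
    memset(page_b, 'X', PAGE_SIZE); memset(page_b, 'B', 1000);
    struct user_iovec req[2] = { { page_a, 1000, 0 }, { page_b, 1000, 0 } };
    return build_packets(req, 2, 512, last_out, sizeof last_out, respect_iov_len);
}
```

With the corrected walk the output is exactly the two 1000-byte regions back to back; with the defective walk each packet stream carries the stale bytes past iov_len, which is the wrong-data symptom the advisory describes.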
Defensive priority
high
Recommended defensive actions
- Apply vendor-provided firmware updates to version V2.4.8 or later for affected Siemens TIM 1531 IRC devices
- Review and update Linux kernel installations to include the IB/hfi1 fix for user SDMA request processing
- Monitor for anomalous network behavior or data integrity issues on affected industrial communication systems
- Implement network segmentation for industrial control systems per CISA recommended practices
- Validate SDMA request handling in custom applications utilizing hfi1 driver functionality
Evidence notes
Vulnerability description derived from CISA CSAF advisory ICSA-24-165-06 and Siemens security advisory SSA-337522. The Linux kernel fix addresses multiple bugs in IB/hfi1 user SDMA processing and mmu_rb_handler cache management. Siemens product impact confirmed through CSAF product tree with high confidence.
Official resources
- CVE-2023-52474 CVE record (CVE.org)
- CVE-2023-52474 NVD detail (NVD)
- Source item URL: cisa_csaf
- Source reference (Reference)
2024-06-11