PatchSiren

PatchSiren cyber security CVE debrief

CVE-2024-25062 Siemens CVE debrief

A use-after-free vulnerability exists in libxml2 versions prior to 2.11.7 and 2.12.x prior to 2.12.5. The flaw occurs in the xmlValidatePopElement function when the XML Reader interface is used with DTD validation and XInclude expansion enabled. Processing a crafted XML document under these conditions can trigger memory corruption, potentially leading to denial of service. Siemens SINEC NMS is affected by this vulnerability through its use of the vulnerable libxml2 library. CISA published advisory ICSA-24-228-06 on August 13, 2024, coordinating disclosure with Siemens. The vendor has released version 3.0 to address this issue.

Vendor: Siemens
Product: SINEC NMS
CVSS: MEDIUM 5.9
CISA KEV: Not listed in stored evidence
Original CVE published: 2024-08-13
Original CVE updated: 2024-08-13
Advisory published: 2024-08-13
Advisory updated: 2024-08-13

Who should care

Organizations operating Siemens SINEC NMS for industrial network management should prioritize patching. Security teams in OT/ICS environments using XML processing with libxml2 should assess exposure. System administrators responsible for patch management in industrial control system environments should track this advisory.

Technical summary

The vulnerability is a use-after-free in libxml2's xmlValidatePopElement function. It manifests when the XML Reader interface processes documents with both DTD validation and XInclude expansion enabled. An attacker can supply a crafted XML document to trigger the flaw. The impact is primarily denial of service through memory corruption. The CVSS 3.1 vector indicates a network attack vector, high attack complexity, no privileges required, no user interaction, and high availability impact.

Defensive priority

Medium

Recommended defensive actions

  • Upgrade Siemens SINEC NMS to version 3.0 or later per vendor guidance.
  • Review XML processing configurations to limit exposure if patching is delayed.
  • Monitor CISA ICS advisories for additional affected product announcements.
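
For teams inventorying other software that links libxml2, the following added example (not code from Siemens, CISA or the libxml2 project) classifies a libxml2 version against the ranges stated above and checks whether the reader options enable both DTD validation and XInclude. It assumes the application passes its options to the XML Reader as a bitmask; the function names, enum and inventory rows are hypothetical.

```c
#include <stdio.h>

/* Bit values of libxml2's xmlParserOption flags, copied here so the
   example builds without the libxml2 headers. */
#define OPT_DTDVALID (1 << 4)   /* XML_PARSE_DTDVALID */
#define OPT_XINCLUDE (1 << 10)  /* XML_PARSE_XINCLUDE */

enum exposure { UNKNOWN = -1, NOT_AFFECTED, AFFECTED_TRIGGER_OFF, AFFECTED_TRIGGER_ON };

/* "major.minor.micro[suffix]" -> LIBXML_VERSION-style integer
   (2.11.7 -> 21107); -1 if the string does not parse. */
int version_number(const char *dotted)
{
    int maj, min, mic;
    if (!dotted || sscanf(dotted, "%d.%d.%d", &maj, &min, &mic) != 3)
        return -1;
    if (maj < 0 || min < 0 || min > 99 || mic < 0 || mic > 99)
        return -1;
    return maj * 10000 + min * 100 + mic;
}

/* Ranges as stated on this page: before 2.11.7, or 2.12.x before 2.12.5. */
int version_affected(int v)
{
    if (v < 0) return -1;
    return v < 21107 || (v >= 21200 && v < 21205);
}

/* reader_options: the bitmask the application passes to the XML Reader. */
enum exposure triage(const char *dotted, int reader_options)
{
    const int both = OPT_DTDVALID | OPT_XINCLUDE;
    int affected = version_affected(version_number(dotted));
    if (affected < 0) return UNKNOWN;
    if (!affected) return NOT_AFFECTED;
    return (reader_options & both) == both ? AFFECTED_TRIGGER_ON
                                           : AFFECTED_TRIGGER_OFF;
}

int main(void)
{
    /* Constructed inventory rows, not taken from any real system. */
    const char *ver[] = { "2.9.14", "2.12.3", "2.12.5", "2.11.7" };
    int opts[] = { OPT_DTDVALID | OPT_XINCLUDE, OPT_XINCLUDE, OPT_DTDVALID | OPT_XINCLUDE, 0 };
    for (int i = 0; i < 4; i++)
        printf("%-8s opts=0x%03x -> %d\n", ver[i], opts[i], triage(ver[i], opts[i]));
    return 0;
}
```

A packaged libxml2 may carry a backported fix under an older version number, so treat a version match as a prompt to check the package changelog. AFFECTED_TRIGGER_OFF still calls for an upgrade; it only means the option mask supplied here does not enable both features.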

Evidence notes

The vulnerability is rooted in libxml2's XML Reader interface when DTD validation and XInclude expansion are both enabled. The use-after-free in xmlValidatePopElement can be triggered by crafted XML input. Siemens has confirmed SINEC NMS is affected and provides remediation guidance.

Official resources

Coordinated disclosure via CISA ICS advisory ICSA-24-228-06 published August 13, 2024.