PatchSiren

PatchSiren cyber security CVE debrief

CVE-2024-27395 Siemens CVE debrief

A Use-After-Free vulnerability exists in the Linux kernel's Open vSwitch (ovs) connection tracking (ct) exit path. The flaw occurs in `ovs_ct_limit_exit` where `hlist_for_each_entry_rcu` is used to traverse a hash list, but `kfree_rcu` is called outside the RCU read critical section. This timing gap allows the RCU grace period to pass during traversal, potentially freeing the key before the loop completes. The fix changes the traversal to `hlist_for_each_entry_safe` to prevent premature deallocation. Siemens SINEC OS and related industrial network devices incorporate affected kernel components.

Vendor: Siemens
Product: RUGGEDCOM RST2428P (6GK6242-6PA00)
CVSS: HIGH 7.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2024-04-09
Original CVE updated: 2026-05-14
Advisory published: 2024-04-09
Advisory updated: 2026-05-14

Who should care

Organizations running Siemens SINEC OS on SCALANCE XC-300/XR-300/XC-400/XR-500WG/XR-500 family, SCALANCE XCM-/XRM-/XCH-/XRH-300 family, or RUGGEDCOM RST2428P devices; Linux system administrators using Open vSwitch with connection tracking; industrial network operators relying on Open vSwitch for software-defined networking in operational technology environments.

Technical summary

The vulnerability stems from improper RCU synchronization in the Open vSwitch connection tracking limit cleanup routine. The `ovs_ct_limit_exit` function traverses the hash list with `hlist_for_each_entry_rcu` and calls `kfree_rcu` on each entry inside the loop, but the traversal does not run inside an RCU read-side critical section. Nothing therefore holds off the RCU grace period: it may elapse while the loop is still running, so an entry can be freed before the traversal has finished with it, resulting in use-after-free access to freed memory. The fix replaces the RCU traversal with `hlist_for_each_entry_safe`, which permits safe removal during iteration without relying on RCU grace period guarantees.
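The difference between the two traversal shapes can be seen in a small userspace model (an added example, not kernel or Siemens code). All names are hypothetical, and the "free" is modelled by a flag so that a stale access is counted rather than actually performed on freed memory.

```c
#include <stdio.h>
#include <stdlib.h>
/* Userspace model with hypothetical names; not kernel code.
 * freed is 1 once the modelled grace period has elapsed. */
struct entry { struct entry *next; int freed; };

/* Models kfree_rcu() whose grace period ends at once, which nothing
 * prevents when the caller is not inside rcu_read_lock(). The memory is
 * kept allocated so a stale access is counted, not performed. */
static void release_now(struct entry *e) { e->freed = 1; }

static struct entry *build_list(int count) {
    struct entry *head = NULL;
    for (int i = 0; i < count; i++) {
        struct entry *e = calloc(1, sizeof(*e));
        if (!e) abort();
        e->next = head;
        head = e;
    }
    return head;
}

/* Pre-fix shape (hlist_for_each_entry_rcu): the step to the next entry
 * dereferences pos after the loop body has already released it. */
static int teardown_rcu_style(struct entry *head) {
    int stale_reads = 0;
    for (struct entry *pos = head; pos; pos = pos->next) {
        release_now(pos);
        stale_reads += pos->freed;  /* pos->next is about to be read */
    }
    return stale_reads;
}

/* Fixed shape (hlist_for_each_entry_safe): next is saved before the body. */
static int teardown_safe_style(struct entry *head) {
    int stale_reads = 0;
    for (struct entry *pos = head, *next; pos; pos = next) {
        next = pos->next;           /* read while pos is still live */
        stale_reads += pos->freed;
        release_now(pos);
    }
    return stale_reads;
}

int main(void) {
    printf("rcu-style stale reads:  %d\n", teardown_rcu_style(build_list(4)));
    printf("safe-style stale reads: %d\n", teardown_safe_style(build_list(4)));
    return 0;
}
```

In the model every entry is read once after release in the pre-fix shape and never in the fixed shape; in the kernel the stale read only happens when the grace period actually elapses mid-loop, which is why the defect is a race.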

Defensive priority

HIGH

Recommended defensive actions

  • Apply vendor fix: update Siemens SINEC OS to V3.1 or later
  • Review network segmentation for affected SCALANCE and RUGGEDCOM devices
  • Monitor for anomalous local process behavior on affected systems
  • Follow CISA ICS recommended practices for defense in depth
  • Verify kernel patch status for non-Siemens Linux deployments using Open vSwitch

Evidence notes

CVE published 2025-08-12 per CISA CSAF advisory ICSA-25-226-15. Advisory modified 2026-02-25 with republication based on Siemens ProductCERT SSA-613116. CVSS 3.1 vector AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H indicates local attack vector with low complexity, low privileges required, and high impact across confidentiality, integrity, and availability.
