PatchSiren cyber security CVE debrief
CVE-2024-27397 Siemens CVE debrief
CVE-2024-27397 is a vulnerability in the Linux kernel's netfilter nf_tables subsystem affecting Siemens SIMATIC S7-1500 TM MFP GNU/Linux subsystem. The issue involves a race condition where set elements could expire during unfinished control plane transactions, potentially leading to use-after-free conditions. The vulnerability was resolved by adding a timestamp field at transaction start, stored in the nftables per-netns area, with set backend operations (.insert, .deactivate, sync gc path) using this timestamp rather than current time to prevent element expiration during active transactions. Packet path operations (.lookup, .update) and lockless operations (.get, dump) continue using current time, as does async garbage collection from workqueues. The CVSS 3.1 vector indicates local attack vector, high attack complexity, low privileges required, with high impacts to confidentiality, integrity, and availability. No patch is currently available per the vendor advisory; mitigations focus on restricting interactive shell access to trusted personnel and running only trusted applications.
- Vendor
- Siemens
- Product
- SIMATIC S7-1500 TM MFP - GNU/Linux subsystem
- CVSS
- HIGH 7
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2024-04-09
- Original CVE updated
- 2026-05-14
- Advisory published
- 2024-04-09
- Advisory updated
- 2026-05-14
Who should care
Organizations operating Siemens SIMATIC S7-1500 TM MFP industrial control systems with enabled GNU/Linux subsystem, OT security teams managing embedded Linux environments in ICS/SCADA infrastructure, and asset owners requiring defense-in-depth strategies where kernel patches are not immediately deployable.
Technical summary
The vulnerability exists in the Linux kernel netfilter nf_tables subsystem's handling of set element timeouts. Without proper timestamp synchronization, set elements could expire while control plane transactions remain unfinished, creating a window for use-after-free exploitation. The fix introduces transaction-scoped timestamps stored in per-netns nftables state, ensuring .insert, .deactivate, and synchronous garbage collection paths evaluate expiration against transaction start time rather than current time. Asynchronous paths (packet processing, lockless lookups, async GC) appropriately retain current time checks. The affected Siemens product embeds a GNU/Linux subsystem where this kernel vulnerability is exposed.
Defensive priority
high
Recommended defensive actions
- Restrict interactive shell access to the GNU/Linux subsystem to trusted personnel only
- Execute only applications from trusted sources
- Monitor for vendor security updates from Siemens CERT
- Apply defense-in-depth strategies per CISA ICS recommended practices
- Review network segmentation for industrial control systems running affected products
Evidence notes
Vulnerability description and resolution details sourced from CISA CSAF advisory ICSA-24-102-01. Vendor confirmed as Siemens with affected product SIMATIC S7-1500 TM MFP GNU/Linux subsystem. CVSS 3.1 score 7.0 (HIGH) with vector AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H. Remediation status indicates no fix available as of advisory publication.
Official resources
-
CVE-2024-27397 CVE record
CVE.org
-
CVE-2024-27397 NVD detail
NVD
-
Source item URL
cisa_csaf
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
2024-04-09