PatchSiren cyber security CVE debrief
CVE-2024-27431 Siemens CVE debrief
This CVE addresses an uninitialized memory vulnerability in the Linux kernel's cpumap subsystem that affects XDP (eXpress Data Path) program execution. When an XDP program is attached to a cpumap entry, the xdp_rxq_info data structure used by the xdp_buff backing the XDP program invocation was not zero-initialized. This causes XDP programs running in cpumap to return random memory contents as the xdp_md->rx_queue_index value, potentially leading to information disclosure or unpredictable behavior in network packet processing logic that depends on accurate queue index values. The vulnerability was resolved by zero-initializing the rxq data structure before XDP program execution. Siemens has identified this as affecting the GNU/Linux subsystem of their SIMATIC S7-1500 TM MFP industrial control product.
- Vendor: Siemens
- Product: SIMATIC S7-1500 TM MFP - GNU/Linux subsystem
- CVSS: MEDIUM 5.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2024-04-09
- Original CVE updated: 2026-05-14
- Advisory published: 2024-04-09
- Advisory updated: 2026-05-14
Who should care
Organizations running Siemens SIMATIC S7-1500 TM MFP systems with the GNU/Linux subsystem enabled, particularly those using XDP for high-performance packet processing. Network engineers and security teams managing industrial control systems with Linux-based network acceleration features should prioritize monitoring and access controls until patches are available.
Technical summary
The vulnerability exists in the Linux kernel's cpumap (CPU map) subsystem, which is used for redirecting XDP frames to specific CPUs for processing. When an XDP program is executed on a cpumap entry, the xdp_rxq_info structure used by the xdp_buff was not initialized, causing the xdp_md->rx_queue_index field to contain stack garbage. This affects XDP programs that query the receive queue index for packet processing decisions or telemetry. The vulnerability is local in nature (it requires the ability to attach XDP programs to cpumap) and has been assigned a CVSS 3.1 score of 5.5 (MEDIUM) with the vector AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H, indicating a local attack vector with low attack complexity, low privileges required, and high availability impact.
Defensive priority
medium
Recommended defensive actions
- Apply kernel updates from Siemens when available for the SIMATIC S7-1500 TM MFP GNU/Linux subsystem
- Limit access to the interactive shell of the GNU/Linux subsystem to trusted personnel only
- Only build and run applications from trusted sources on affected systems
- Monitor for anomalous XDP program behavior or unexpected rx_queue_index values in network telemetry
- Review XDP programs for logic that depends on rx_queue_index values and implement additional validation where possible
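A user-space C model of the failure described in the technical summary and of the validation recommended in the last item above, added here as an example (it is not kernel code and not code from the Siemens advisory). The struct names, NR_QUEUES and the 0xA5 fill pattern are assumptions made for the demonstration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simplified stand-ins for xdp_rxq_info / xdp_buff (assumption: only the
 * field relevant to this CVE is modelled). */
struct rxq_model { uint32_t queue_index; };
struct xdp_buff_model { struct rxq_model *rxq; };

#define NR_QUEUES 4u                    /* constructed queue count */
static uint64_t per_queue_pkts[NR_QUEUES];
static uint64_t rejected;               /* out-of-range indexes seen */

/* Stand-in for an XDP program that keys a per-queue counter on
 * rx_queue_index. The bounds check is the validation step: without it, a
 * stale index would address memory outside per_queue_pkts. */
static uint32_t count_packet(const struct xdp_buff_model *xdp)
{
    uint32_t idx = xdp->rxq->queue_index;

    if (idx >= NR_QUEUES)
        rejected++;
    else
        per_queue_pkts[idx]++;
    return idx;                         /* what the program observed */
}

/* Models the cpumap run path. The rxq slot is pre-filled with 0xA5 to play
 * the role of stale stack contents deterministically (reading a truly
 * uninitialised local would be undefined behaviour in this demo). */
static uint32_t run_on_cpumap(int zero_init)
{
    struct rxq_model rxq;
    struct xdp_buff_model xdp;

    memset(&rxq, 0xA5, sizeof(rxq));    /* constructed "stack garbage" */
    if (zero_init)
        memset(&rxq, 0, sizeof(rxq));   /* the fix: zero before the run */
    xdp.rxq = &rxq;
    return count_packet(&xdp);
}

int main(void)
{
    printf("pre-fix index:  0x%x\n", (unsigned)run_on_cpumap(0));
    printf("post-fix index: 0x%x\n", (unsigned)run_on_cpumap(1));
    printf("rejected=%llu\n", (unsigned long long)rejected);
    return 0;
}
```

A rising rejected count on an unpatched kernel is the kind of telemetry signal the monitoring item above refers to; on a patched kernel the cpumap path reports index 0.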
Evidence notes
The vulnerability description is sourced from the Linux kernel commit message and CISA CSAF advisory ICSA-24-102-01. The fix involves zero-initializing the xdp_rxq_info structure in the cpumap XDP execution path. Siemens has confirmed impact to their SIMATIC S7-1500 TM MFP product's GNU/Linux subsystem.
Official resources
- CVE-2024-27431 CVE record (CVE.org)
- CVE-2024-27431 NVD detail (NVD)
- Source item URL (cisa_csaf)
2024-04-09