PatchSiren

PatchSiren cyber security CVE debrief

CVE-2024-35884 Siemens CVE debrief

## Summary

CVE-2024-35884 is a vulnerability in the Linux kernel's UDP Generic Receive Offload (GRO) handling that can cause kernel crashes or packet corruption when UDP packets are incorrectly GRO-aggregated before entering network tunnels. The issue affects systems with `rx-udp-gro-forwarding` or `rx-gro-list` enabled, particularly when tunneled packets (e.g., GENEVE) have endpoints in different network namespaces.

## Technical Details

The vulnerability stems from insufficient validation in `udp_gro_receive`. When UDP packets are forwarded with GRO enabled, the kernel attempts to match packets to sockets via `udp4/6_gro_lookup_skb`, but this lookup is restricted to the current network namespace. For tunneled packets where the endpoint resides in a different namespace, this check fails to prevent inappropriate GRO aggregation.

The problematic flow occurs as follows:

1. A tunneled packet (e.g., GENEVE) arrives and is incorrectly GRO-aggregated at the UDP layer
2. The packet proceeds through the tunnel receive path where the tunnel header is pulled
3. The `gso_size` field retains values based on the original packet structure, now incorrect after header removal
4. The `frag_list` skbs are not adjusted for the tunnel header offset
5. When `skb_fragment` processes these malformed skbs, undefined behavior occurs

This can manifest as corrupted network packets or kernel crashes, including a `BUG_ON` trigger in `skb_segment` at `net/core/skbuff.c:4408`.

## Affected Product

- **Vendor:** Siemens
- **Product:** SIMATIC S7-1500 TM MFP - GNU/Linux subsystem

The Siemens product incorporates the vulnerable Linux kernel component.

## Impact

- **CVSS 3.1 Score:** 5.5 (MEDIUM)
- **Vector:** `CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H`
- **Impact:** Local attackers with low privileges can cause denial of service (kernel crash/panic)

The vulnerability results in availability impact only—no confidentiality or integrity effects.

## Remediation Status

**No patch is currently available** for the affected Siemens product. The upstream Linux kernel fix resolves the issue by extending validation in `udp_unexpected_gso` to segment GSO packets lacking `SKB_GSO_UDP_TUNNEL`/`

Vendor: Siemens
Product: SIMATIC S7-1500 TM MFP - GNU/Linux subsystem
CVSS: MEDIUM 5.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2024-04-09
Original CVE updated: 2026-05-14
Advisory published: 2024-04-09
Advisory updated: 2026-05-14

Who should care

OT security teams operating Siemens SIMATIC S7-1500 TM MFP systems, network administrators managing tunneled UDP traffic with GRO enabled, and Linux kernel maintainers handling network stack hardening

Technical summary

The Linux kernel's UDP GRO implementation fails to properly validate packets before tunnel entry when socket lookup spans network namespaces. GSO packets without tunnel flags must be segmented before tunnel processing to prevent skb corruption.

Defensive priority

medium

Recommended defensive actions

  • Limit access to the interactive shell of the GNU/Linux subsystem to trusted personnel only
  • Only build and run applications from trusted sources
  • Monitor for kernel crash/panic events in system logs
  • Apply vendor patches when released by Siemens
  • Consider disabling rx-udp-gro-forwarding if tunnel performance is not critical
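
To act on the last item, it helps to know which interfaces actually have `rx-udp-gro-forwarding` or `rx-gro-list` switched on. The script below is an added example, not taken from the Siemens or CISA advisories: it parses `ethtool -k` output and reports those two features. It assumes `ethtool` is available on the system being checked; the function names and the sample output are constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the advisory): flag interfaces with the GRO
# features named in this debrief enabled. Function names are hypothetical.

# Read `ethtool -k <iface>` output on stdin and print whichever of the two
# features is "on". Exit status: 0 if at least one is on, 1 if none.
gro_features_on() {
    awk -F': *' '
        { name = $1; sub(/^[ \t]+/, "", name) }
        name == "rx-udp-gro-forwarding" || name == "rx-gro-list" {
            split($2, st, " ")      # ignore "[fixed]" / "[requested on]"
            if (st[1] == "on") { print name; found = 1 }
        }
        END { exit(found ? 0 : 1) }'
}

# Check every interface under /sys/class/net. Assumes ethtool is installed;
# only reports and prints the disable command, it changes nothing.
audit_gro() {
    command -v ethtool >/dev/null 2>&1 || { echo "ethtool not found" >&2; return 2; }
    rc=0
    for path in /sys/class/net/*; do
        [ -e "$path" ] || continue
        iface=${path##*/}
        on=$(ethtool -k "$iface" 2>/dev/null | gro_features_on) || continue
        for feat in $on; do
            echo "$iface: $feat on (disable: ethtool -K $iface $feat off)"
            rc=1
        done
    done
    return "$rc"
}

# Constructed sample of `ethtool -k` output for an offline check.
sample_ethtool_output() {
    cat <<'EOF'
Features for eth0:
rx-checksumming: on
generic-receive-offload: on
rx-gro-list: off
rx-udp-gro-forwarding: on
rx-udp_tunnel-port-offload: off [fixed]
EOF
}

# Run the audit only when asked: sh gro_audit.sh --audit
if [ "${1:-}" = "--audit" ]; then audit_gro; fi
```

Feature changes made with `ethtool -K` do not persist across reboots, so a disable has to be added to the interface's startup configuration as well.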

Evidence notes

The vulnerability description and remediation guidance are derived from CISA CSAF advisory ICSA-24-102-01 and Siemens security advisory SSA-265688. The technical analysis of the GRO handling issue is based on the kernel commit description provided in the CVE record. The CVSS vector and score are taken from the official CVE.org record.

Official resources

2024-04-09