PatchSiren cyber security CVE debrief
CVE-2024-35893 Siemens CVE debrief
CVE-2024-35893 is a kernel information leak vulnerability in the Linux kernel's traffic control subsystem, specifically within the `act_skbmod` module. The flaw is in `tcf_skbmod_dump()`, which copies four bytes of uninitialized kernel stack memory to user space because of a padding hole in `struct tc_skbmod`. The vulnerability was discovered by syzbot and has been resolved in the upstream Linux kernel by clearing the structure before populating its fields. Siemens has identified this vulnerability as affecting the GNU/Linux subsystem of the SIMATIC S7-1500 TM MFP industrial control system. The vulnerability is classified as MEDIUM severity with a CVSS 3.1 score of 5.5 (AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H), indicating a local attack vector, low attack complexity and low privileges required, with high availability impact. No known exploitation in the wild has been reported, and the vulnerability is not listed in CISA's Known Exploited Vulnerabilities catalog.
- Vendor: Siemens
- Product: SIMATIC S7-1500 TM MFP - GNU/Linux subsystem
- CVSS: MEDIUM 5.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2024-04-09
- Original CVE updated: 2026-05-14
- Advisory published: 2024-04-09
- Advisory updated: 2026-05-14
Who should care
Organizations operating Siemens SIMATIC S7-1500 TM MFP systems with the GNU/Linux subsystem enabled should prioritize this vulnerability. Industrial control system operators, OT security teams, and asset owners in manufacturing, process control, and critical infrastructure sectors should assess exposure. System integrators and maintenance providers supporting these deployments should communicate mitigation guidance to customers. Security teams responsible for Linux kernel hardening in embedded and industrial environments should track this class of information leak vulnerabilities.
Technical summary
The vulnerability resides in the `tcf_skbmod_dump()` function within the Linux kernel's traffic control action module for SKB modification (`act_skbmod`). `struct tc_skbmod` contains a four-byte padding hole due to structure alignment. When this structure is allocated on the kernel stack and populated for dumping to user space via netlink, the uninitialized padding bytes are copied along with the valid data, leaking kernel stack memory to user space. The fix zeroes the structure before the fields are assigned. This is a classic information leak vulnerability (CWE-908) that could potentially expose kernel pointers or other sensitive data, and in certain contexts may contribute to denial of service conditions.
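The padding hole and the clear-before-fill fix described above, modelled in user space as an added example (not kernel code and not from the advisory). `struct demo_skbmod`, its field layout, the sample field values and the 0xAA stale-byte marker are assumptions made for the demonstration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* User-space model, not kernel code. Assumed layout: five 32-bit fields
 * followed by a 64-bit flags field, which leaves a hole before flags. */
struct demo_skbmod {
    uint32_t index;
    uint32_t capab;
    int32_t  action;
    int32_t  refcnt;
    int32_t  bindcnt;   /* padding follows so that flags is 8-byte aligned */
    uint64_t flags;
};

#define STALE 0xAA      /* constructed marker for leftover stack contents */
#define HOLE_START (offsetof(struct demo_skbmod, bindcnt) + sizeof(int32_t))
#define HOLE_END   offsetof(struct demo_skbmod, flags)

size_t hole_size(void) { return HOLE_END - HOLE_START; } /* padding bytes before flags */

/* Model of a dump routine: fill a stack object, copy it out whole, count stale bytes. */
size_t dump_and_count_stale(int clear_first)
{
    union { struct demo_skbmod opt; unsigned char raw[sizeof(struct demo_skbmod)]; } slot;
    unsigned char out[sizeof(struct demo_skbmod)];  /* stands in for the netlink payload */
    size_t stale = 0;
    memset(slot.raw, STALE, sizeof(slot.raw));      /* simulate a dirty stack frame */
    if (clear_first)
        memset(&slot.opt, 0, sizeof(slot.opt));     /* the fix: clear before filling */
    slot.opt.index = 1;                             /* constructed sample values */
    slot.opt.capab = 0;
    slot.opt.action = 2;
    slot.opt.refcnt = 1;
    slot.opt.bindcnt = 1;
    slot.opt.flags = 0x10;
    memcpy(out, slot.raw, sizeof(out));             /* whole-struct copy includes the hole */
    for (size_t i = HOLE_START; i < HOLE_END; i++)
        stale += (out[i] == STALE);
    return stale;
}

int main(void)
{
    printf("hole=%zu stale(fields only)=%zu stale(memset first)=%zu\n",
           hole_size(), dump_and_count_stale(0), dump_and_count_stale(1));
    return 0;
}
```

Assigning every named field is not enough: the bytes in the hole belong to no field, so only clearing the whole object keeps them out of the copy.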
Defensive priority
medium
Recommended defensive actions
- Limit access to the interactive shell of the GNU/Linux subsystem to trusted personnel only
- Only build and run applications from trusted sources
- Monitor for vendor security updates as no patch is currently available
- Apply defense-in-depth strategies for industrial control systems per CISA guidance
- Review network segmentation to limit exposure of affected systems
Evidence notes
The vulnerability description is sourced from the Linux kernel commit message and CISA CSAF advisory ICSA-24-102-01. The affected product identification comes from the CSAF product tree with high confidence. Siemens has confirmed the SIMATIC S7-1500 TM MFP GNU/Linux subsystem as affected. The CVSS vector AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H indicates local exploitation with availability impact, consistent with information leak vulnerabilities that can lead to system instability or denial of service conditions.
Official resources
- CVE-2024-35893 CVE record (CVE.org)
- CVE-2024-35893 NVD detail (NVD)
- Source item URL (cisa_csaf)
2024-04-09