PatchSiren cyber security CVE debrief
CVE-2024-35896 Siemens CVE debrief
This CVE addresses a vulnerability in the Linux kernel's netfilter subsystem where user input was not sufficiently validated against the expected length. The issue was exposed by BPF (Berkeley Packet Filter) changes after commit 20f2505fb436, which modified cgroup setsockopt behavior to avoid kzalloc. The vulnerability occurs because the setsockopt() @optlen argument was not properly validated before copying data, potentially leading to out-of-bounds read conditions. Siemens has identified this as affecting the GNU/Linux subsystem within their SIMATIC S7-1500 TM MFP industrial control product. The vulnerability has a HIGH severity CVSS score of 7.1 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H), indicating a local attack vector with low attack complexity, low privileges required, no user interaction, and high impacts to confidentiality and availability. No patch is currently available from Siemens; mitigations focus on restricting access to trusted personnel and ensuring only trusted applications are executed.
- Vendor: Siemens
- Product: SIMATIC S7-1500 TM MFP - GNU/Linux subsystem
- CVSS: HIGH 7.1
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2024-04-09
- Original CVE updated: 2026-05-14
- Advisory published: 2024-04-09
- Advisory updated: 2026-05-14
Who should care
Industrial control system operators, OT security engineers, and asset owners deploying Siemens SIMATIC S7-1500 TM MFP with activated GNU/Linux subsystem. Organizations in manufacturing, process control, and critical infrastructure sectors where this platform is deployed should prioritize access restrictions until patches become available.
Technical summary
The vulnerability exists in the Linux kernel netfilter subsystem's handling of setsockopt operations. BPF optimizations in commit 20f2505fb436 removed kzalloc usage from cgroup setsockopt paths, which exposed pre-existing bugs: the @optlen parameter was not sufficiently validated before data copying operations. This can result in out-of-bounds memory reads when user-controlled length values are processed without proper bounds checking. The CVSS vector (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H) reflects local exploitation with significant confidentiality and availability impacts but no integrity impact. The affected product is the GNU/Linux subsystem embedded within Siemens SIMATIC S7-1500 TM MFP industrial controllers, which provides extended computing capabilities beyond standard PLC functions.
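The missing check described above, as an added userspace illustration in C (not the kernel's code or a Siemens fix): the struct layout, function names and sample values are hypothetical. It goes slightly beyond the summary by also checking that a caller-declared payload size agrees with optlen.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical option layout: fixed header, then `size` payload bytes. */
struct demo_replace {
    uint32_t num_entries;
    uint32_t size;              /* payload length declared by the caller */
};

/* Bytes a fixed-size copy would read past a caller buffer of optlen bytes
 * if the handler copied sizeof(struct demo_replace) without checking optlen. */
size_t unchecked_overread(size_t optlen)
{
    size_t need = sizeof(struct demo_replace);
    return optlen < need ? need - optlen : 0;
}

/* Checked handler: validate optlen before every copy that depends on it. */
int demo_set_replace(const void *optval, size_t optlen, struct demo_replace *out)
{
    if (optval == NULL || optlen < sizeof(*out))
        return -EINVAL;         /* too short for the fixed header */
    memcpy(out, optval, sizeof(*out));
    /* optlen >= sizeof(*out) here, so the subtraction cannot wrap. */
    if (optlen - sizeof(*out) != out->size)
        return -EINVAL;         /* declared payload disagrees with optlen */
    return 0;
}

int main(void)
{
    unsigned char buf[12] = {0};            /* constructed sample input */
    struct demo_replace hdr = { 3, 4 }, out;
    memcpy(buf, &hdr, sizeof(hdr));
    printf("optlen=12 -> %d\n", demo_set_replace(buf, sizeof(buf), &out));
    printf("optlen=4  -> %d (unchecked copy would over-read %zu bytes)\n",
           demo_set_replace(buf, 4, &out), unchecked_overread(4));
    return 0;
}
```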
Defensive priority
HIGH
Recommended defensive actions
- Restrict interactive shell access to the GNU/Linux subsystem on affected Siemens SIMATIC S7-1500 TM MFP devices to trusted personnel only
- Implement application whitelisting to ensure only trusted, verified applications are built and executed on the GNU/Linux subsystem
- Monitor for anomalous setsockopt syscall patterns that may indicate exploitation attempts
- Apply defense-in-depth strategies per CISA ICS recommended practices for industrial control systems
- Subscribe to Siemens ProductCERT security advisories for patch availability notifications
- Review and implement CISA targeted cyber intrusion detection and mitigation strategies for industrial environments
Evidence notes
CVE published 2024-04-09 per official CVE record. CISA ICS advisory ICSA-24-102-01 published same date. Siemens advisory SSA-265688 cross-referenced. Advisory has undergone 9 revision updates through 2025-09-09, with most recent additions in September 2025 expanding CVE coverage significantly.
Official resources
- CVE-2024-35896 CVE record (CVE.org)
- CVE-2024-35896 NVD detail (NVD)
- Source item URL (cisa_csaf)