PatchSiren


CVE-2024-35897 Siemens CVE debrief

A vulnerability in the Linux kernel's netfilter nf_tables subsystem could allow a local attacker to cause a denial of service condition. The issue occurs when table flag updates are not properly discarded when a basechain deletion is pending. Hook unregistration is deferred to the commit phase, as are hook updates triggered by the table dormant flag. When both operations are combined, this results in deleting a basechain while leaving its hook still registered in the core, leading to an inconsistent state.

Vendor: Siemens
Product: SIMATIC S7-1500 TM MFP - GNU/Linux subsystem
CVSS: MEDIUM 5.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2024-04-09
Original CVE updated: 2026-05-14
Advisory published: 2024-04-09
Advisory updated: 2026-05-14

Who should care

Organizations operating Siemens SIMATIC S7-1500 TM MFP systems with the GNU/Linux subsystem enabled, particularly in industrial control and automation environments where system availability is critical. System administrators responsible for securing OT/ICS infrastructure should prioritize access controls until a patch becomes available.

Technical summary

The vulnerability exists in the Linux kernel's netfilter nf_tables subsystem where improper handling of deferred operations can lead to a use-after-free or dangling hook scenario. When a basechain is deleted while a table flag update (such as the dormant flag) is pending, the hook may remain registered in the core after the chain has been freed. This inconsistency can cause system instability or denial of service. The issue was fixed by discarding table flag updates when a basechain deletion is pending, ensuring proper synchronization between hook registration state and chain lifecycle.
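To make the ordering problem described above concrete, here is an added C model (not the kernel's code, and not from the Siemens advisory) of a batch that deletes a basechain and then marks its table dormant, both applied at commit time. All struct and function names are invented; the model only reproduces the deferred-commit logic the text describes and the effect of discarding the flag update while a basechain deletion is pending.

```c
#include <stdbool.h>
#include <stdio.h>

/* Added illustration, not kernel code: a simplified model of how a deferred
 * basechain deletion and a table dormant-flag update interact at commit time,
 * and why discarding the flag update while a deletion is pending is the fix. */
struct basechain { bool active_next; bool hook_registered; bool freed; };
struct table { bool dormant; bool update_pending; struct basechain chain; };

/* Batch request 1: delete the basechain; hook unregistration is deferred. */
static void req_delchain(struct table *t) { t->chain.active_next = false; }
/* Batch request 2: set the table dormant. Pre-fix the flag is recorded at
 * once; fixed, the update is discarded (-1) if a basechain deletion is pending. */
static int req_set_dormant(struct table *t, bool fixed)
{
    if (fixed && !t->chain.active_next)
        return -1;
    t->dormant = t->update_pending = true;
    return 0;
}
/* Commit phase: apply the table update first, then the chain deletion. */
static void commit(struct table *t)
{
    if (t->update_pending) {          /* going dormant: unhook live chains only */
        if (t->chain.active_next)
            t->chain.hook_registered = false;
        t->update_pending = false;
    }
    if (!t->chain.active_next) {      /* basechain deletion */
        if (!t->dormant)              /* dormant table: unregistration skipped */
            t->chain.hook_registered = false;
        t->chain.freed = true;        /* chain memory released */
    }
}
/* Run the combined batch; consistent means no freed chain keeps a live hook. */
bool batch_is_consistent(bool fixed)
{
    struct table t = { false, false, { true, true, false } };
    req_delchain(&t);
    (void)req_set_dormant(&t, fixed);
    commit(&t);
    return !(t.chain.freed && t.chain.hook_registered);
}

int main(void)
{
    printf("pre-fix: %s\n", batch_is_consistent(false) ? "consistent" : "dangling hook");
    printf("fixed:   %s\n", batch_is_consistent(true) ? "consistent" : "dangling hook");
    return 0;
}
```

In the pre-fix path the dormant flag makes the deletion step skip unregistration while the table-disable step skips the chain that is no longer active, so the freed chain leaves its hook behind; refusing the flag update closes that gap.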

Defensive priority

medium

Recommended defensive actions

  • Limit access to the interactive shell of the additional GNU/Linux subsystem to trusted personnel only
  • Only build and run applications from trusted sources
  • Monitor for vendor security updates as no patch is currently available
  • Apply defense-in-depth strategies for industrial control systems per CISA guidance

Evidence notes

The vulnerability was resolved in the Linux kernel by discarding table flag updates when a basechain deletion is pending. Siemens has identified this vulnerability as affecting the GNU/Linux subsystem of the SIMATIC S7-1500 TM MFP industrial control system. The CVSS 3.1 vector indicates local attack vector with low attack complexity, requiring low privileges and no user interaction, resulting in high availability impact.
