PatchSiren cyber security CVE debrief
CVE-2024-35898 Siemens CVE debrief
A race condition vulnerability exists in the Linux kernel's netfilter nf_tables subsystem, specifically within the `__nft_flowtable_type_get()` function. The issue arises from concurrent access between `nft_unregister_flowtable_type()` (called during `nf_flow_inet_module_exit()`) and `__nft_flowtable_type_get()` (called during `nf_tables_newflowtable()`). Without proper synchronization, iteration over the `nf_tables_flowtables` list could result in a data race on list entries.

The resolution implements RCU (Read-Copy-Update) protection by using `list_for_each_entry_rcu()` for iteration and `rcu_read_lock()` in the caller `nft_flowtable_type_get()` to safeguard the type query process.

This vulnerability affects Siemens SIMATIC S7-1500 TM MFP devices through their GNU/Linux subsystem. The CVSS 3.1 score of 5.5 (MEDIUM) reflects local attack vector, low attack complexity, low privileges required, and high availability impact. No confidentiality or integrity impacts are associated with this flaw. CISA published this advisory on April 9, 2024, with subsequent updates through September 2025 adding related CVEs to the same advisory track. No known exploitation in the wild has been reported, and the vulnerability is not listed in CISA's Known Exploited Vulnerabilities catalog.
- Vendor: Siemens
- Product: SIMATIC S7-1500 TM MFP - GNU/Linux subsystem
- CVSS: MEDIUM 5.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2024-04-09
- Original CVE updated: 2026-05-14
- Advisory published: 2024-04-09
- Advisory updated: 2026-05-14
Who should care
Organizations operating Siemens SIMATIC S7-1500 TM MFP industrial control systems with enabled GNU/Linux subsystems; OT security teams managing Linux-based embedded controllers; infrastructure operators relying on netfilter/nf_tables for network flow offloading in industrial environments
Technical summary
The vulnerability exists in the Linux kernel's netfilter framework, specifically the nf_tables flowtable type registration mechanism. The `__nft_flowtable_type_get()` function iterates over the `nf_tables_flowtables` list without proper read-side synchronization, creating a race window with concurrent `nft_unregister_flowtable_type()` operations during module exit. The fix introduces RCU read-side critical sections: `list_for_each_entry_rcu()` replaces the unprotected iterator, and `rcu_read_lock()`/`rcu_read_unlock()` brackets the lookup in `nft_flowtable_type_get()`. This prevents use-after-free or iterator corruption scenarios when flowtable types are unregistered while being queried. The attack requires local access with low privileges and can result in denial of service (availability impact) through kernel instability or crash.
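The ordering the fix enforces, shown as an added example: a single-threaded userspace model written for this page, not kernel or Siemens code. The `model_*` functions, `struct ft_type` and the family value are hypothetical stand-ins, and the grace period is simplified to a reader counter rather than real RCU.

```c
/* Added userspace model, not kernel code. Single-threaded: the "concurrent"
 * unregister is injected at a fixed point between the lookup and its use. */
#include <stdbool.h>
#include <stddef.h>
struct ft_type {                  /* hypothetical stand-in for a flowtable type */
    int family;
    bool reclaimed;               /* true once the entry's memory would be gone */
    struct ft_type *next;         /* left intact on unlink so walkers can go on */
};

static struct ft_type *head;      /* models the nf_tables_flowtables list */
static struct ft_type *unlinked;  /* removed entry waiting for a grace period */
static int readers;               /* readers inside a read-side section */
static void grace_period(void)    /* reclaim only when no reader is active */
{
    if (readers == 0 && unlinked) { unlinked->reclaimed = true; unlinked = NULL; }
}
static void model_read_lock(void)   { readers++; }
static void model_read_unlock(void) { readers--; grace_period(); }

static void model_unregister(struct ft_type *t)   /* writer side */
{
    struct ft_type **pp = &head;
    while (*pp && *pp != t) pp = &(*pp)->next;
    if (*pp) *pp = t->next;       /* unlink; t->next stays readable */
    unlinked = t;
    grace_period();               /* reclaims at once if nobody is reading */
}

static struct ft_type *model_type_get(int family) /* the list walk */
{
    for (struct ft_type *t = head; t; t = t->next)
        if (t->family == family) return t;
    return NULL;
}

/* Returns true if the reader dereferenced an entry after it was reclaimed. */
bool reader_hits_reclaimed(bool use_read_lock)
{
    struct ft_type inet = { .family = 1, .reclaimed = false, .next = NULL };
    head = &inet; unlinked = NULL; readers = 0;   /* constructed sample state */
    if (use_read_lock) model_read_lock();
    struct ft_type *t = model_type_get(1);
    model_unregister(&inet);      /* module exit lands inside the lookup window */
    bool stale = t && t->reclaimed;               /* reader uses its result */
    if (use_read_lock) model_read_unlock();
    return stale;
}
int main(void) { return reader_hits_reclaimed(true) ? 1 : 0; }
```

Without the read-side section the entry is reclaimed while the reader still holds a pointer to it; with it, reclamation is deferred until the reader leaves the section.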
Defensive priority
medium
Recommended defensive actions
- Apply vendor-provided kernel updates for the Siemens SIMATIC S7-1500 TM MFP GNU/Linux subsystem once they become available; the advisory currently indicates that no fix is available
- Restrict interactive shell access to the GNU/Linux subsystem to trusted personnel only per vendor mitigation guidance
- Implement application whitelisting to ensure only trusted applications are built and executed on affected systems
- Monitor CISA ICS advisories and Siemens ProductCERT security advisories for future patch availability
- Review and apply CISA ICS recommended practices for defense-in-depth strategies in industrial control environments
Evidence notes
Vulnerability description and remediation guidance derived from CISA CSAF advisory ICSA-24-102-01. Vendor attribution to Siemens confirmed through CSAF product tree data. CVSS vector and score sourced from advisory references. Timeline information based on CVE published date (2024-04-09) and subsequent advisory revisions through 2025-09-09. No KEV entry exists for this CVE.
Official resources
- CVE-2024-35898 CVE record (CVE.org)
- CVE-2024-35898 NVD detail (NVD)
- Source item URL (cisa_csaf)