PatchSiren cyber security CVE debrief
CVE-2024-35910 Siemens CVE debrief
A use-after-free vulnerability exists in the Linux kernel's TCP timer handling for kernel sockets. When TCP sockets are closed, the inet_csk_clear_xmit_timers() function uses del_timer() to stop timers, which allows ongoing timers to complete asynchronously. For user sockets, this is safe because timers hold references on the socket and the socket holds a reference on the network namespace. However, kernel sockets do not hold references on the network namespace, creating a race condition where the namespace may be freed before timer completion. This vulnerability affects Siemens SIMATIC S7-1500 TM MFP devices through their GNU/Linux subsystem. The issue was resolved by introducing inet_csk_clear_xmit_timers_sync() using sk_stop_timer_sync() to ensure synchronous timer termination before kernel socket release.
- Vendor: Siemens
- Product: SIMATIC S7-1500 TM MFP - GNU/Linux subsystem
- CVSS: MEDIUM 5.8
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2024-04-09
- Original CVE updated: 2026-05-14
- Advisory published: 2024-04-09
- Advisory updated: 2026-05-14
Who should care
Organizations operating Siemens SIMATIC S7-1500 TM MFP devices with the GNU/Linux subsystem enabled, particularly in industrial control system (ICS/OT) environments where network namespace manipulation or kernel socket usage occurs. System administrators responsible for Linux kernel security in embedded industrial devices should prioritize access controls until patches are available.
Technical summary
The vulnerability stems from asynchronous timer termination in the Linux kernel's TCP implementation. The inet_csk_clear_xmit_timers() function uses sk_stop_timer(), a wrapper around del_timer(), which does not wait for a timer handler that is already running to complete. For kernel sockets, which hold no reference on their network namespace, this leaves a window in which the netns can be dismantled while a timer handler is still executing. The fix introduces inet_csk_clear_xmit_timers_sync(), which uses sk_stop_timer_sync() to block until the handler has finished, so that kernel socket teardown in netns exit handlers is properly synchronized.
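The difference between the two stop primitives is easiest to see in a small userspace model. The following C program is an added example, not kernel code or Siemens code: a parked thread stands in for a timer handler that is already running, a flag stands in for the freed namespace, and the names (netns, sock_timer, teardown_kernel_socket) are this example's own.

```c
/* Userspace model of the CVE-2024-35910 race (added example, not kernel code):
 * a kernel socket's timer handler dereferences the netns; del_timer() returns
 * without waiting for a handler that is already running, del_timer_sync() waits. */
#define _POSIX_C_SOURCE 200809L
#include <pthread.h>
#include <stdbool.h>
#include <stdlib.h>
struct netns { bool dismantled; };                    /* stands in for struct net */
struct sock_timer {                                   /* stands in for an icsk timer */
    pthread_t thread; pthread_mutex_t mu; pthread_cond_t cv;
    bool may_proceed;                                 /* handler is parked mid-run */
    struct netns *net;
    int touched_dead_netns;
};
/* Timer handler that was already running when socket teardown started. */
static void *timer_handler(void *arg)
{
    struct sock_timer *t = arg;
    pthread_mutex_lock(&t->mu);
    while (!t->may_proceed)
        pthread_cond_wait(&t->cv, &t->mu);
    pthread_mutex_unlock(&t->mu);
    if (t->net->dismantled)                           /* the use-after-free moment */
        t->touched_dead_netns = 1;
    return NULL;
}
/* Unpark the handler and wait for it to finish: the extra step that
 * del_timer_sync() performs and del_timer() does not. */
static void wait_for_handler(struct sock_timer *t)
{
    pthread_mutex_lock(&t->mu);
    t->may_proceed = true;
    pthread_cond_signal(&t->cv);
    pthread_mutex_unlock(&t->mu);
    pthread_join(t->thread, NULL);
}
/* Close a kernel socket, then dismantle its netns as a netns exit handler would.
 * Returns 1 if the handler touched the dead netns, 0 if teardown was safe. */
int teardown_kernel_socket(bool sync_stop)
{
    struct netns *net = calloc(1, sizeof *net);
    struct sock_timer t = { .mu = PTHREAD_MUTEX_INITIALIZER,
                            .cv = PTHREAD_COND_INITIALIZER, .net = net };
    pthread_create(&t.thread, NULL, timer_handler, &t);
    if (sync_stop) wait_for_handler(&t);              /* sk_stop_timer_sync() path */
    net->dismantled = true;                           /* netns gone: a flag, not free(), so it stays observable */
    if (!sync_stop) wait_for_handler(&t);             /* sk_stop_timer() path: handler resumes too late */
    free(net);
    return t.touched_dead_netns;
}
```

The model forces the worst-case interleaving deterministically; on real hardware the asynchronous path only loses the race some of the time, which is why the bug surfaced through syzbot rather than in ordinary testing.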
Defensive priority
medium
Recommended defensive actions
- Limit access to the interactive shell of the additional GNU/Linux subsystem to trusted personnel only
- Only build and run applications from trusted sources
- Monitor for vendor security updates from Siemens for patch availability
Evidence notes
The vulnerability description indicates this was discovered through syzbot reports and reproduced by Josef Bacik. The fix was implemented in the Linux kernel TCP subsystem. Siemens has identified this as affecting the GNU/Linux subsystem of SIMATIC S7-1500 TM MFP devices. The CVSS 3.1 vector (AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:H) indicates a local attack vector, high attack complexity, low privileges required, no user interaction, an unchanged scope, low confidentiality and integrity impact, and high availability impact.
Official resources
- CVE-2024-35910 CVE record (CVE.org)
- CVE-2024-35910 NVD detail (NVD)
- Source item URL (cisa_csaf)