PatchSiren cyber security CVE debrief
CVE-2024-35967 Siemens CVE debrief
A vulnerability in the Linux kernel's Bluetooth SCO (Synchronous Connection Oriented) socket implementation allows local attackers to cause denial of service conditions. The flaw stems from insufficient validation of user-supplied input passed to the setsockopt system call for SCO sockets. A local attacker with low privileges can exploit this to trigger a denial of service condition on affected systems. The vulnerability has been assigned a CVSS 3.1 score of 5.5 (MEDIUM severity) with the vector AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H, indicating local attack vector, low attack complexity, low privileges required, no user interaction, and high availability impact. This CVE was published on April 9, 2024, and was subsequently included in CISA's ICS advisory ICSA-24-102-01 for Siemens SIMATIC S7-1500 TM MFP industrial control systems, which incorporate a GNU/Linux subsystem affected by this kernel-level vulnerability.
- Vendor: Siemens
- Product: SIMATIC S7-1500 TM MFP - GNU/Linux subsystem
- CVSS: MEDIUM 5.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2024-04-09
- Original CVE updated: 2026-05-14
- Advisory published: 2024-04-09
- Advisory updated: 2026-05-14
Who should care
Organizations operating Siemens SIMATIC S7-1500 TM MFP industrial control systems with the GNU/Linux subsystem enabled should prioritize assessment. System administrators responsible for industrial control system security, OT security teams, and organizations with Bluetooth-enabled industrial devices should evaluate exposure. The local attack vector requires attacker access to the target system, making this particularly relevant for multi-user industrial environments or systems with potential insider threats.
Technical summary
The vulnerability exists in the Bluetooth SCO (Synchronous Connection Oriented) socket implementation within the Linux kernel. Specifically, the setsockopt system call handler for SCO sockets fails to properly validate user-supplied input, allowing a local attacker with low privileges to trigger denial of service conditions. SCO sockets are used for synchronous voice/data transport over Bluetooth, commonly used by headset and audio applications. The lack of input validation in the setsockopt path can lead to kernel instability or crashes when malformed or out-of-range values are provided. This is a classic input validation weakness (CWE-20) in a kernel networking subsystem.
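As an added illustration, not kernel source and not the upstream fix, the following userland model shows what a setsockopt-style option handler must check before it uses caller-supplied data: both the length the caller claims to have supplied and the value itself, the checks whose absence defines the CWE-20 weakness described above. The option ids, the state structure and the accepted value ranges are constructed for this example.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed option ids and limits; they do not correspond to real SCO options. */
#define OPT_DEFER_SETUP 1
#define OPT_MTU         2
#define MTU_MIN 48
#define MTU_MAX 1024

struct sco_like_state {
    int defer_setup;
    uint16_t mtu;
};

/* Model of a bounded copy from the caller's buffer: never reads more bytes than
 * the caller said it supplied. A weak handler copies sizeof(option) unconditionally,
 * which over-reads a short buffer. */
static int copy_opt(void *dst, size_t want, const void *optval, size_t optlen)
{
    if (optval == NULL || optlen < want)
        return -EFAULT;
    memcpy(dst, optval, want);
    return 0;
}

/* Hardened handler: length check first, then a value range check, then commit. */
int set_opt_checked(struct sco_like_state *st, int optname,
                    const void *optval, size_t optlen)
{
    int err;
    switch (optname) {
    case OPT_DEFER_SETUP: {
        int v;
        if ((err = copy_opt(&v, sizeof v, optval, optlen)) != 0)
            return err;
        if (v != 0 && v != 1)              /* boolean option: reject out-of-range values */
            return -EINVAL;
        st->defer_setup = v;
        return 0;
    }
    case OPT_MTU: {
        uint16_t v;
        if ((err = copy_opt(&v, sizeof v, optval, optlen)) != 0)
            return err;
        if (v < MTU_MIN || v > MTU_MAX)    /* out-of-range MTU is refused, not clamped */
            return -EINVAL;
        st->mtu = v;
        return 0;
    }
    default:
        return -ENOPROTOOPT;               /* unknown option: nothing is read */
    }
}
```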
Defensive priority
medium
Recommended defensive actions
- Restrict interactive shell access to the GNU/Linux subsystem on affected Siemens SIMATIC S7-1500 TM MFP devices to trusted personnel only
- Implement application whitelisting to ensure only trusted applications are built and executed on the GNU/Linux subsystem
- Monitor for anomalous Bluetooth-related system calls or SCO socket activity on affected systems
- Apply kernel updates from Siemens when available, as the advisory currently indicates no fix is available
- Segment affected industrial control systems from untrusted networks to limit local attack vectors
- Review and implement CISA's ICS recommended practices for defense-in-depth strategies
Evidence notes
The vulnerability description is sourced from the CVE record and CISA CSAF advisory ICSA-24-102-01. The affected product identification (Siemens SIMATIC S7-1500 TM MFP GNU/Linux subsystem) is derived from the CSAF product tree with high confidence. CVSS scoring details are taken from the source advisory references. The vulnerability affects the Bluetooth SCO socket implementation in the Linux kernel, specifically the setsockopt handling.
Official resources
- CVE-2024-35967 CVE record (CVE.org)
- CVE-2024-35967 NVD detail (NVD)
- Source item URL (cisa_csaf)
This vulnerability was disclosed through the CVE program and subsequently incorporated into CISA's Industrial Control Systems advisory program. The issue was originally identified in the upstream Linux kernel Bluetooth subsystem and affects