PatchSiren

CVE-2024-36008 Siemens CVE debrief

A NULL pointer dereference vulnerability exists in the Linux kernel's IPv4 routing subsystem. The flaw occurs in ip_route_use_hint() when the function fails to validate that the idev (in-device) pointer is non-NULL before use. This can lead to a kernel crash via NULL dereference in fib_validate_source(). The vulnerability was discovered by syzbot and affects current kernel trees. Siemens has identified this as affecting the GNU/Linux subsystem of SIMATIC S7-1500 TM MFP industrial control devices. No patch is currently available from the vendor.

Vendor: Siemens
Product: SIMATIC S7-1500 TM MFP - GNU/Linux subsystem
CVSS: MEDIUM 5.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2024-04-09
Original CVE updated: 2026-05-14
Advisory published: 2024-04-09
Advisory updated: 2026-05-14

Who should care

Organizations operating Siemens SIMATIC S7-1500 TM MFP industrial control systems with the GNU/Linux subsystem enabled; OT security teams managing Linux-based embedded systems in industrial environments; kernel maintainers and Linux distribution security teams tracking upstream fixes.

Technical summary

The vulnerability is a NULL pointer dereference in the Linux kernel's IPv4 routing implementation. The ip_route_use_hint() function in net/ipv4/route.c fails to check whether the idev (in-device structure) is NULL before dereferencing it. This leads to a crash in fib_validate_source() when processing certain network routing hints. The flaw was found through automated fuzzing (syzbot) and exists in current kernel versions. On affected Siemens SIMATIC S7-1500 TM MFP devices, this could allow an authenticated local user to cause a denial of service (system crash) through the GNU/Linux subsystem.

Defensive priority

medium

Recommended defensive actions

  • Restrict interactive shell access to the GNU/Linux subsystem to trusted personnel only
  • Only build and execute applications from trusted sources
  • Monitor for kernel crashes or unexpected reboots on affected devices
  • Apply vendor patches when released per Siemens security advisory SSA-265688
  • Segment affected industrial control systems from untrusted networks
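
For the crash-monitoring action above, one way to triage collected kernel logs is to group each fault report and flag those whose trace names both functions from this CVE. This is an added example, not code from Siemens or the kernel project; the fault banner patterns assume stock upstream kernel log text, and the sample log is constructed.

```python
import re

# Function names taken from the CVE description on this page.
SIGNATURE = ("ip_route_use_hint", "fib_validate_source")

# Assumption: stock upstream fault banners; vendor firmware may differ.
FAULT_START = re.compile(
    r"BUG: kernel NULL pointer dereference|general protection fault|"
    r"KASAN: null-ptr-deref|Unable to handle kernel NULL pointer")
FAULT_END = re.compile(r"---\[ end trace|Kernel panic")
SYMBOL = re.compile(r"\b([A-Za-z_][\w.]*)\+0x[0-9a-f]+/0x[0-9a-f]+")

def find_faults(lines):
    """Group kernel log lines into fault reports with the symbols they name."""
    reports, current = [], None
    for line in lines:
        # A second banner inside an open report (e.g. KASAN) stays in it.
        if current is None and FAULT_START.search(line):
            current = {"banner": line.strip(), "symbols": []}
            reports.append(current)
        if current is not None:
            current["symbols"] += SYMBOL.findall(line)
            if FAULT_END.search(line):
                current = None
    return reports

def matches_cve(report):
    """True only if every function named in the advisory is in the trace."""
    # Substring match tolerates prefixed or compiler-suffixed symbol names.
    return all(any(fn in sym for sym in report["symbols"]) for fn in SIGNATURE)

# Constructed sample, not a capture from an affected device.
SAMPLE = """\
[  812.100001] eth0: link up
[  845.331200] BUG: kernel NULL pointer dereference, address: 0000000000000000
[  845.331290] RIP: 0010:fib_validate_source+0x3a/0x120
[  845.331320] Call Trace:
[  845.331350]  ip_route_use_hint+0x9c/0x1b0
[  845.331380]  ip_rcv_finish_core+0x2d1/0x350
[  845.331410] ---[ end trace 0000000000000000 ]---
[  901.000000] BUG: kernel NULL pointer dereference, address: 0000000000000010
[  901.000050] RIP: 0010:example_driver_poll+0x14/0x80
[  901.000090] ---[ end trace 0000000000000000 ]---
"""

if __name__ == "__main__":
    for r in find_faults(SAMPLE.splitlines()):
        print("MATCH" if matches_cve(r) else "other", r["banner"])
```

A match narrows a crash to this code path for follow-up; a crash without a match still needs its own investigation.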

Evidence notes

The vulnerability description indicates a NULL pointer dereference in the Linux kernel's IPv4 routing code, specifically in ip_route_use_hint() leading to fib_validate_source(). The syzbot fuzzer triggered this crash. Siemens has confirmed this affects their SIMATIC S7-1500 TM MFP product's GNU/Linux subsystem. The CVSS 3.1 vector indicates a local attack vector with low attack complexity, requiring low privileges and resulting in high availability impact.
