PatchSiren cyber security CVE debrief
CVE-2024-36017 Siemens CVE debrief
CVE-2024-36017 is a Linux kernel vulnerability in the rtnetlink subsystem affecting nested IFLA_VF_VLAN_LIST attribute validation. The flaw exists because the size validation in do_setvfinfo checks against NLA_HDRLEN (4 bytes) rather than sizeof(struct ifla_vf_vlan_info) (14 bytes). This insufficient validation allows a too-small attribute to be cast to struct ifla_vf_vlan_info, potentially causing an out-of-bounds read when accessing the saved entry in ivvl. The vulnerability was resolved in the Linux kernel with corrected validation logic. Siemens has identified this as affecting certain industrial networking products running SINEC OS, specifically the RUGGEDCOM RST2428P and SCALANCE XC-300/XR-300/XC-400/XR-500WG/XR-500 family devices. The CVSS 3.1 vector indicates a local attack vector with low attack complexity, requiring low privileges and no user interaction, resulting in high availability impact. CISA published advisory ICSA-25-226-15 on August 12, 2025, with subsequent revisions through February 25, 2026, to correct affected product listings and incorporate updates from Siemens ProductCERT advisory SSA-613116.
- Vendor: Siemens
- Product: RUGGEDCOM RST2428P (6GK6242-6PA00)
- CVSS: MEDIUM 5.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2025-08-12
- Original CVE updated: 2026-02-25
- Advisory published: 2025-08-12
- Advisory updated: 2026-02-25
Who should care
Organizations operating Siemens industrial networking equipment including SCALANCE XC-300/XR-300/XC-400/XR-500WG/XR-500 switches and RUGGEDCOM RST2428P devices. System administrators managing Linux-based industrial control systems with SR-IOV virtual function configurations. Security teams responsible for OT/ICS network infrastructure and kernel-level vulnerability management.
Technical summary
The vulnerability resides in the Linux kernel's rtnetlink do_setvfinfo function, which handles virtual function (VF) configuration via netlink messages. When processing nested IFLA_VF_VLAN_LIST attributes, the code assumes each nested attribute contains a complete struct ifla_vf_vlan_info (14 bytes). However, the validation only checks for NLA_HDRLEN (4 bytes), the minimum netlink attribute header size. This gap allows malformed messages with attributes between 4 and 13 bytes to pass validation and then be cast to and accessed as the larger structure, resulting in out-of-bounds memory reads. The fix corrects the minimum size validation to match the actual structure size.
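The size check described above, modelled in user space as an added example (this is not the kernel's code and does not come from the Siemens or CISA advisories). `VLAN_INFO_TYPE`, the helper names and the sample buffer are constructed for illustration; 14 is the structure size stated on this page.

```c
#include <stdint.h>
#include <string.h>

#define NLA_HDRLEN     4u  /* attribute header: u16 length + u16 type */
#define NLA_ALIGN(n)   (((n) + 3u) & ~3u)
#define VLAN_INFO_SIZE 14u /* sizeof(struct ifla_vf_vlan_info) as given in the text */
#define VLAN_INFO_TYPE 1   /* constructed stand-in for IFLA_VF_VLAN_INFO */
enum check { CHECK_WEAK, CHECK_FIXED };

/* Append one attribute header (payload stays zeroed); returns next aligned offset. */
static size_t put_attr(uint8_t *buf, size_t off, uint16_t payload)
{
    uint16_t len = (uint16_t)(NLA_HDRLEN + payload), type = VLAN_INFO_TYPE;
    memcpy(buf + off, &len, 2);
    memcpy(buf + off + 2, &type, 2);
    return off + NLA_ALIGN(len);
}

/* Returns -1 if the nested list is rejected, else the number of accepted
 * entries too small to be read as the full structure (potential OOB reads). */
static int walk_vlan_list(const uint8_t *buf, size_t len, enum check mode)
{
    size_t min = (mode == CHECK_WEAK) ? NLA_HDRLEN : VLAN_INFO_SIZE;
    int undersized = 0;
    for (size_t off = 0; off + NLA_HDRLEN <= len; ) {
        uint16_t alen, atype;
        memcpy(&alen, buf + off, 2);
        memcpy(&atype, buf + off + 2, 2);
        if (alen < NLA_HDRLEN || alen > len - off)
            return -1;                          /* broken framing */
        size_t payload = (size_t)alen - NLA_HDRLEN;
        if (atype != VLAN_INFO_TYPE || payload < min)
            return -1;                          /* the size check under discussion */
        undersized += payload < VLAN_INFO_SIZE;
        off += NLA_ALIGN(alen);
    }
    return undersized;
}

/* Constructed input: one full-size entry followed by one with `payload` bytes. */
int undersized_accepted(enum check mode, uint16_t payload)
{
    uint8_t buf[64] = {0};
    if (payload > 40)
        return -1;                              /* keep the sample inside buf */
    size_t end = put_attr(buf, put_attr(buf, 0, VLAN_INFO_SIZE), payload);
    return walk_vlan_list(buf, end, mode);
}
```

With `CHECK_WEAK`, any second entry carrying 4 to 13 payload bytes is accepted and counted as undersized; with `CHECK_FIXED` the whole list is rejected.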
Defensive priority
medium
Recommended defensive actions
- Apply vendor-provided firmware updates to V3.1 or later for affected Siemens SCALANCE and RUGGEDCOM devices
- Review network segmentation to limit exposure of industrial control system devices
- Monitor for anomalous network configuration requests to rtnetlink interfaces
- Implement defense-in-depth strategies per CISA ICS recommended practices
- Verify that no unsupported SINEC OS versions remain deployed in the environment
Evidence notes
The vulnerability description is sourced from the Linux kernel commit message describing the rtnetlink fix. Siemens ProductCERT advisory SSA-613116 and CISA ICSA-25-226-15 provide product-specific impact assessment. The CVSS score and vector are derived from official CISA CSAF data. Timeline information reflects the CVE publication date of August 12, 2025, and subsequent advisory modifications through February 25, 2026.
Official resources
- CVE-2024-36017 CVE record (CVE.org)
- CVE-2024-36017 NVD detail (NVD)
- Source item URL (cisa_csaf)
2025-08-12