PatchSiren

PatchSiren cyber security CVE debrief

CVE-2024-36288 Siemens CVE debrief

A vulnerability in the Linux kernel's SUNRPC subsystem affects Siemens industrial networking products running SINEC OS. The flaw exists in the gss_free_in_token_pages() function, where the in_token->pages[] array lacks proper NULL termination, causing the loop to read beyond array bounds. This results in a KASAN-detected wild-memory-access condition. The vulnerability is rated MEDIUM severity (CVSS 5.5) with local attack vector, low attack complexity, and low privileges required. Successful exploitation leads to denial of service (availability impact) with no confidentiality or integrity impact. Siemens has released updates to address this issue in affected SCALANCE and RUGGEDCOM product families.

Vendor: Siemens
Product: RUGGEDCOM RST2428P (6GK6242-6PA00)
CVSS: MEDIUM 5.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2024-04-09
Original CVE updated: 2026-05-14
Advisory published: 2024-04-09
Advisory updated: 2026-05-14

Who should care

Organizations operating Siemens industrial networking equipment, including SCALANCE XC-300/XR-300/XC-400/XR-500WG/XR-500 family switches, SCALANCE XCM-/XRM-/XCH-/XRH-300 family devices, and RUGGEDCOM RST2428P switches, running SINEC OS versions prior to 3.1. Critical infrastructure operators, manufacturing facilities, and utility providers that rely on these products for industrial network infrastructure should prioritize patching.

Technical summary

The vulnerability resides in gss_free_in_token_pages() within the Linux kernel's SUNRPC GSS-API implementation. The function iterates over in_token->pages[] until it finds a NULL entry, but the array is not NULL-terminated, so the loop walks past the end of the array and performs out-of-bounds memory reads. This triggers KASAN (Kernel Address Sanitizer) wild-memory-access reports for the range 0x04a2013400000008-0x04a201340000000f. Exploitation requires local access with low privileges, and the impact is limited to system availability (a potential denial of service).
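An added illustration of the bug pattern the summary describes, not code from the Linux kernel or from Siemens: a simplified token structure whose page array is not NULL-terminated, with the terminator-driven walk beside a cleanup bounded by the data length. The struct layout, the 4-byte PAGE_SIZE, all function names and the length-derived page count are assumptions made for this demo.

```c
#include <stdlib.h>
/* Added illustration of the bug class behind CVE-2024-36288; a simplified
 * stand-in, not the kernel's SUNRPC code. PAGE_SIZE is shrunk to 4 bytes. */
#define PAGE_SIZE 4
#define MAX_PAGES 8
struct token {
    void *pages[MAX_PAGES]; /* not NULL-terminated, as the advisory states */
    size_t page_base;       /* offset of token data inside pages[0] */
    size_t page_len;        /* total bytes of token data across pages */
};
static char stale;          /* stands in for leftover non-NULL garbage */
/* Fill `valid` entries with real pages and the rest with stale pointers. */
static void make_token(struct token *t, size_t valid, size_t base, size_t len) {
    for (size_t i = 0; i < MAX_PAGES; i++)
        t->pages[i] = (i < valid) ? malloc(PAGE_SIZE) : (void *)&stale;
    t->page_base = base;
    t->page_len = len;
}
/* Vulnerable pattern: walk until a NULL entry. The MAX_PAGES guard only keeps
 * this demo in bounds; the kernel loop had none and ran into adjacent memory. */
static size_t walk_until_null(const struct token *t) {
    size_t i = 0;
    while (i < MAX_PAGES && t->pages[i] != NULL)
        i++;
    return i;
}

/* Hardened pattern: derive the page count from page_base and page_len instead
 * of trusting a terminator (assumed fix approach, not the kernel's code). */
static size_t free_in_token_pages_bounded(struct token *t) {
    size_t n = (t->page_base + t->page_len + PAGE_SIZE - 1) / PAGE_SIZE;
    for (size_t i = 0; i < n; i++) {
        free(t->pages[i]);
        t->pages[i] = NULL;
    }
    return n;
}

/* Same 3-page token (base 1, 10 bytes => 3 pages) through both patterns. */
size_t demo_unbounded_walk(void) {
    struct token t; make_token(&t, 3, 1, 10);
    size_t n = walk_until_null(&t);         /* 8: walked into stale entries */
    free_in_token_pages_bounded(&t);
    return n;
}
size_t demo_bounded_free(void) {
    struct token t; make_token(&t, 3, 1, 10);
    size_t n = free_in_token_pages_bounded(&t);     /* 3 */
    return t.pages[3] == (void *)&stale ? n : 100;  /* 100 would mean overrun */
}
```

The unbounded walk reports 8 entries for a 3-page token because it keeps going through whatever non-NULL values follow the real pages; the bounded cleanup frees exactly 3 and leaves the entry after them untouched.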

Defensive priority

Medium

Recommended defensive actions

  • Apply vendor-provided updates to SINEC OS V3.1 or later on affected SCALANCE XC-300/XR-300/XC-400/XR-500WG/XR-500 family, SCALANCE XCM-/XRM-/XCH-/XRH-300 family, and RUGGEDCOM RST2428P devices
  • Verify the currently installed firmware version through the Siemens Industry Online Support portal
  • Follow CISA ICS recommended practices for defense-in-depth strategies
  • Monitor Siemens ProductCERT advisories for additional security updates
  • Restrict local access to industrial control system networks to authorized personnel only, since the flaw requires local, low-privileged access

Evidence notes

Vulnerability description and remediation details sourced from CISA CSAF advisory ICSA-25-226-15, which references Siemens ProductCERT advisory SSA-613116. CVSS vector confirms local attack vector with availability impact. Vendor fix specifies update to V3.1 or later.

Official resources

2025-08-12