PatchSiren

PatchSiren cyber security CVE debrief

CVE-2024-36899 Siemens CVE debrief

A use-after-free vulnerability in the Linux kernel's GPIO character device subsystem affects Siemens SIMATIC S7-1500 TM MFP industrial controllers. The flaw occurs in the gpiolib cdev implementation when gpio_chrdev_release() frees the watched_lines bitmap while a concurrent line release operation holds the notifier chain's read-write semaphore, creating a race condition that can lead to memory corruption. This HIGH severity vulnerability (CVSS 7.0) requires local access with low privileges and has high attack complexity. The affected product is the GNU/Linux subsystem within Siemens SIMATIC S7-1500 TM MFP programmable logic controllers used in industrial automation environments. No patch is currently available; mitigation relies on restricting interactive shell access to trusted personnel and running only trusted applications.

Vendor: Siemens
Product: SIMATIC S7-1500 TM MFP - GNU/Linux subsystem
CVSS: HIGH (7.0)
CISA KEV: Not listed in stored evidence
Original CVE published: 2024-04-09
Original CVE updated: 2026-05-14
Advisory published: 2024-04-09
Advisory updated: 2026-05-14

Who should care

Industrial automation engineers, OT security teams, critical infrastructure operators using Siemens SIMATIC S7-1500 TM MFP controllers, and organizations with embedded Linux systems utilizing gpiolib character devices

Technical summary

The vulnerability exists in drivers/gpio/gpiolib-cdev.c, where gpio_chrdev_release() calls bitmap_free() on watched_lines, but unregistration of the lineinfo_changed_nb notifier can block waiting for the notifier chain's write rwsem. If a concurrent GPIO line release holds the read rwsem during that window, the notifier callback can still run and access watched_lines after it has been freed. This is CWE-416 (Use After Free) and affects kernel versions prior to the fix. The GNU/Linux subsystem on SIMATIC S7-1500 TM MFP exposes this attack surface through its GPIO character device interface.
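To make the ordering concrete, the following userspace model (an added example, not kernel code and not from Siemens or the advisory) reproduces the hazard described above: the notifier callback can run in the window where unregistration waits for the write rwsem, and whether it touches freed memory depends only on whether the bitmap is freed before or after unregistration. The reordered release that unregisters before freeing is an assumption about the remedy, not something this page states, and the struct and function names are stand-ins for the kernel ones.

```c
#include <stdbool.h>
#include <stdlib.h>

/* Constructed userspace model of the gpio_chrdev_release() ordering hazard; not kernel
 * code. A "freed" flag stands in for kfree() so the model can detect a use after free. */
struct bitmap { unsigned long bits; bool freed; };
struct cdev_priv { struct bitmap *watched_lines; bool nb_registered; };

static struct cdev_priv *cdev_open(unsigned long watched) {
    struct cdev_priv *p = calloc(1, sizeof *p);
    p->watched_lines = calloc(1, sizeof *p->watched_lines);
    p->watched_lines->bits = watched;
    p->nb_registered = true;   /* lineinfo_changed_nb is registered at open */
    return p;
}

/* Stand-in for lineinfo_changed_notify(): runs only while registered; returns
 * true if the bitmap it reads (test_bit on watched_lines) was already freed. */
static bool notify_line_changed(struct cdev_priv *p, unsigned offset) {
    if (!p->nb_registered) return false;
    bool uaf = p->watched_lines->freed;
    (void)(p->watched_lines->bits & (1UL << offset));
    return uaf;
}

/* Free-before-unregister ordering as the advisory describes it. The notify call models
 * the window in which unregistration is blocked on the write rwsem by a line release. */
static bool release_vulnerable(struct cdev_priv *p, unsigned offset) {
    p->watched_lines->freed = true;             /* bitmap_free(watched_lines) */
    bool uaf = notify_line_changed(p, offset);  /* callback fires inside the window */
    p->nb_registered = false;                   /* unregister completes afterwards */
    return uaf;
}

/* Assumed corrected ordering (not stated on this page): unregister first, so a
 * callback that runs while unregistration waits still sees a live bitmap. */
static bool release_fixed(struct cdev_priv *p, unsigned offset) {
    bool uaf = notify_line_changed(p, offset);  /* same window, bitmap still valid */
    p->nb_registered = false;
    p->watched_lines->freed = true;
    return uaf;
}
/* Run one release scenario on a fresh device; returns whether a UAF occurred. */
bool scenario_uaf(bool fixed_ordering, unsigned offset) {
    struct cdev_priv *p = cdev_open(0x5UL);     /* constructed: lines 0 and 2 watched */
    bool uaf = fixed_ordering ? release_fixed(p, offset) : release_vulnerable(p, offset);
    free(p->watched_lines); free(p);
    return uaf;
}
```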

Defensive priority

HIGH

Recommended defensive actions

  • Restrict interactive shell access to the GNU/Linux subsystem to trusted personnel only
  • Execute only applications from trusted sources on affected systems
  • Monitor for anomalous process behavior or unexpected GPIO subsystem activity
  • Apply vendor patches when released by Siemens
  • Review and implement CISA ICS recommended practices for defense-in-depth
  • Segment industrial control networks to limit lateral movement opportunities

Evidence notes

Vulnerability description and affected product confirmed through CISA ICS advisory ICSA-24-102-01 and Siemens security advisory SSA-265688. CVSS vector AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H indicates a local attack vector with high attack complexity but high impact to confidentiality, integrity, and availability. The use-after-free specifically involves the watched_lines bitmap being accessed by lineinfo_changed_notify() in gpiolib cdev after gpio_chrdev_release() has freed it.

Official resources

2024-04-09