PatchSiren cyber security CVE debrief
CVE-2024-36939 Siemens CVE debrief
A vulnerability in the Linux kernel's NFS (Network File System) implementation could allow a local attacker to trigger a denial of service condition. The issue stems from improper error handling in nfs_net_init(), where the return value of rpc_proc_register() was ignored. When rpc_proc_register() fails but nfs_net_init() succeeds, subsequent destruction of the network namespace causes nfs_net_exit() to call remove_proc_entry() on a non-existent proc directory, triggering a kernel warning and potential system instability. This vulnerability was discovered by syzkaller and affects systems with per-netns procfs exposure introduced in commit d47151b79e32. The flaw has existed since at least Linux 2.6.12-rc2 but became more visible with recent changes to NFS procfs handling.
- Vendor: Siemens
- Product: SIMATIC S7-1500 TM MFP - GNU/Linux subsystem
- CVSS: MEDIUM 5.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2024-04-09
- Original CVE updated: 2026-05-14
- Advisory published: 2024-04-09
- Advisory updated: 2026-05-14
Who should care
- System administrators running Linux-based industrial control systems, particularly Siemens SIMATIC S7-1500 TM MFP deployments with the GNU/Linux subsystem enabled
- Container platform operators using network namespaces for isolation
- Security teams monitoring for kernel-level vulnerabilities that could destabilize critical infrastructure systems
Technical summary
The vulnerability exists in the nfs_net_init() function in fs/nfs/inode.c. Before the fix, when rpc_proc_register() failed to create the /proc/net/sunrpc/nfs directory in a network namespace, the error was not propagated, so nfs_net_init() still returned success. During network namespace destruction, nfs_net_exit() unconditionally calls rpc_proc_unregister(), which invokes remove_proc_entry() for a directory that was never created. This triggers a WARNING at fs/proc/generic.c:711. The CVSS 3.1 vector AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H indicates a local attack vector, low attack complexity, low privileges required, no user interaction, and high availability impact. The vulnerability is rated MEDIUM severity with a score of 5.5.
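The init/exit imbalance described above, reduced to a user-space C model (an added example, not the kernel's code or the upstream patch). Every struct and function name is a hypothetical stand-in, and the model assumes a namespace's exit hook runs only when its init hook reported success.

```c
#include <stdbool.h>
#include <stdio.h>

/* User-space model only; all names are hypothetical, none is kernel code. */
struct netns {
    bool proc_nfs_exists; /* stands in for the per-netns NFS proc directory */
    bool fail_register;   /* fault injection: make registration fail */
    int warnings;         /* removals attempted on a missing entry */
};

/* Stand-in for rpc_proc_register(): 0 on success, -1 on failure. */
static int model_proc_register(struct netns *ns) {
    if (ns->fail_register)
        return -1;
    ns->proc_nfs_exists = true;
    return 0;
}

/* Stand-in for rpc_proc_unregister() calling remove_proc_entry(). */
static void model_proc_unregister(struct netns *ns) {
    if (!ns->proc_nfs_exists)
        ns->warnings++;   /* the point where the kernel WARNING fires */
    ns->proc_nfs_exists = false;
}

/* Before the fix: the registration result is dropped, init reports success. */
static int init_buggy(struct netns *ns) {
    (void)model_proc_register(ns);
    return 0;
}

/* After the fix: a registration failure is returned to the caller. */
static int init_fixed(struct netns *ns) {
    return model_proc_register(ns);
}

/* One namespace lifetime (assumption: exit runs only if init succeeded). */
static int lifecycle_warnings(int (*init)(struct netns *), bool fail_register) {
    struct netns ns = { .fail_register = fail_register };
    if (init(&ns) == 0)
        model_proc_unregister(&ns);
    return ns.warnings;
}

int main(void) {
    printf("warnings with ignored error: %d, with propagated error: %d\n",
           lifecycle_warnings(init_buggy, true), lifecycle_warnings(init_fixed, true));
    return 0;
}
```

With registration forced to fail, the variant that ignores the error reaches teardown and counts one warning; the variant that propagates it never reaches teardown.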
Defensive priority
medium
Recommended defensive actions
- Apply kernel updates from your Linux distribution that include the fix for CVE-2024-36939
- For Siemens SIMATIC S7-1500 TM MFP systems, limit access to the interactive shell of the GNU/Linux subsystem to trusted personnel only
- Only build and run applications from trusted sources on affected systems
- Monitor for kernel warnings related to remove_proc_entry in system logs as potential indicators of exploitation attempts
- Review network namespace creation and destruction patterns in containerized or multi-tenant environments where this vulnerability could be triggered
Evidence notes
syzkaller reported the vulnerability while testing destruction of an immature netns. The kernel warning manifests at fs/proc/generic.c:711 in remove_proc_entry(). The root cause is that rpc_proc_register() errors were historically ignored in init_nfs_fs(), and the conversion to per-netns procfs in commit d47151b79e32 exposed this deficiency. The fix propagates rpc_proc_register() errors in nfs_net_init(), which prevents the imbalanced proc entry removal.
Official resources
- CVE-2024-36939 CVE record (CVE.org)
- CVE-2024-36939 NVD detail (NVD)
- Source item URL (cisa_csaf)