PatchSiren

PatchSiren cyber security CVE debrief

CVE-2024-38612 Siemens CVE debrief

CVE-2024-38612 is a vulnerability in the Linux kernel's IPv6 Segment Routing (SR) subsystem. The issue exists in the error path of the `seg6_init()` function when `CONFIG_IPV6_SEG6_LWTUNNEL` is not defined. If `seg6_hmac_init()` fails during initialization, the `genl_unregister_family()` function is not called, leading to improper cleanup. This vulnerability was introduced in kernel commit 46738b1317e1 and was partially addressed in commit 5559cea2d5aa, which replaced `unregister_pernet_subsys()` with `genl_unregister_family()` in the error path but did not fully resolve the missing cleanup issue. The vulnerability affects Siemens industrial networking products running SINEC OS, specifically the RUGGEDCOM RST2428P and SCALANCE XC-300/XR-300/XC-400/XR-500WG/XR-500 family devices. Siemens has released a vendor fix in version 3.1 or later. The vulnerability has a CVSS 3.1 score of 5.5 (MEDIUM severity) with a local attack vector, low attack complexity, and low privileges required, resulting in high availability impact.

Vendor: Siemens
Product: RUGGEDCOM RST2428P (6GK6242-6PA00)
CVSS: MEDIUM 5.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2024-04-09
Original CVE updated: 2026-05-14
Advisory published: 2024-04-09
Advisory updated: 2026-05-14

Who should care

Organizations operating Siemens industrial networking equipment including RUGGEDCOM RST2428P switches and SCALANCE XC-300/XR-300/XC-400/XR-500WG/XR-500 family devices running SINEC OS versions prior to 3.1. System administrators responsible for industrial control system (ICS) security and network infrastructure in critical infrastructure sectors should prioritize patching.

Technical summary

The vulnerability resides in the IPv6 Segment Routing (SR) subsystem of the Linux kernel, specifically in the error handling path of `seg6_init()` when the kernel is compiled without `CONFIG_IPV6_SEG6_LWTUNNEL`. If `seg6_hmac_init()` fails during initialization, the code does not invoke `genl_unregister_family()` to unregister the generic netlink family that was registered earlier. This incomplete cleanup can lead to resource leaks or inconsistent kernel state. The issue was introduced in commit 46738b1317e1 and persists despite partial fixes in commit 5559cea2d5aa. The vulnerability is classified under CWE-459 (Incomplete Cleanup).
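The cleanup gap described above can be reproduced in a small userspace model. This is an added example, not kernel source or code from the advisory: the helper names, the runtime `lwtunnel` flag standing in for the compile-time option, and the way the cleanup is guarded are assumptions of the model.

```c
/* Userspace model (constructed): flags and hypothetical helpers stand in
 * for the kernel's registrations and its register/unregister calls. */
#include <stdbool.h>
#include <stdio.h>
static bool pernet_registered, genl_registered;
static int  reg_pernet(void)     { pernet_registered = true;  return 0; }
static void unreg_pernet(void)   { pernet_registered = false; }
static int  reg_genl(void)       { genl_registered = true;    return 0; }
static void unreg_genl(void)     { genl_registered = false; }
static int  hmac_init(bool fail) { return fail ? -12 : 0; } /* -ENOMEM */

/* Registrations still live; must be 0 after any failed init. */
int live_registrations(void) { return pernet_registered + genl_registered; }

/* Flawed unwind: genl cleanup is tied to an unrelated feature switch. */
int init_flawed(bool lwtunnel, bool hmac_fails)
{
    int err = reg_pernet();
    if (err) return err;
    if ((err = reg_genl())) goto out_pernet;
    if ((err = hmac_init(hmac_fails))) goto out_genl;
    return 0;
out_genl:
    if (lwtunnel) unreg_genl();   /* skipped when the feature is off */
out_pernet:
    unreg_pernet();
    return err;
}

/* Corrected unwind: every completed step is undone in reverse order. */
int init_fixed(bool hmac_fails)
{
    int err = reg_pernet();
    if (err) return err;
    if ((err = reg_genl())) goto out_pernet;
    if ((err = hmac_init(hmac_fails))) goto out_genl;
    return 0;
out_genl:
    unreg_genl();
out_pernet:
    unreg_pernet();
    return err;
}

int main(void)
{
    int e1 = init_flawed(false, true), l1 = live_registrations();
    int e2 = init_fixed(true), l2 = live_registrations();
    printf("flawed: err=%d live=%d\nfixed:  err=%d live=%d\n", e1, l1, e2, l2);
    return 0;
}
```

A non-zero count of live registrations after a failed init is the CWE-459 condition: the caller sees an error, yet one registration from the aborted initialization is still in place.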

Defensive priority

medium

Recommended defensive actions

  • Apply vendor-provided updates to SINEC OS version 3.1 or later for affected Siemens RUGGEDCOM and SCALANCE products
  • Review network segmentation for industrial control systems to limit exposure of affected devices
  • Monitor vendor security advisories for additional affected product families
  • Implement defense-in-depth strategies for industrial control systems per CISA guidance

Evidence notes

The vulnerability description is sourced from CISA ICS advisory ICSA-25-226-15, which references Siemens ProductCERT advisory SSA-613116. The issue affects the Linux kernel IPv6 Segment Routing initialization code path when `CONFIG_IPV6_SEG6_LWTUNNEL` is not defined. Siemens has confirmed affected products and provided remediation guidance.

Official resources

2025-08-12