PatchSiren

CVE-2024-38662 Siemens CVE debrief

CVE-2024-38662 is a MEDIUM-severity Linux kernel BPF vulnerability affecting the SIMATIC S7-1500 TM MFP GNU/Linux subsystem. The issue stems from insufficient access control in the BPF verifier: BPF programs attached to tracepoints could perform map_delete operations on sockmap/sockhash map types, triggering locking rule violations. The kernel maintainers determined this was an unsupported artificial use scenario and extended the existing verifier check to restrict delete operations to only those BPF program types already permitted to update these map types. This is a local denial-of-service condition requiring high privileges to exploit.

Vendor: Siemens
Product: SIMATIC S7-1500 TM MFP - GNU/Linux subsystem
CVSS: MEDIUM 4.4
CISA KEV: Not listed in stored evidence
Original CVE published: 2024-04-09
Original CVE updated: 2026-05-14
Advisory published: 2024-04-09
Advisory updated: 2026-05-14

Who should care

Industrial control system operators using Siemens SIMATIC S7-1500 TM MFP with the GNU/Linux subsystem enabled; Linux kernel security teams; BPF subsystem maintainers; organizations running containerized or sandboxed workloads with BPF capabilities on affected hardware.

Technical summary

The Linux kernel BPF subsystem's verifier did not properly restrict delete operations on sockmap and sockhash map types. While update operations were already restricted to specific BPF program types, delete operations were not similarly constrained. This allowed BPF programs attached to tracepoints—program types not intended to manipulate these maps—to perform map_delete operations, causing locking rule violations. The fix extends the existing BPF_PROG_TYPE check to cover both update and delete operations, ensuring only appropriately privileged BPF program types can modify sockmap/sockhash contents.

Defensive priority

medium

Recommended defensive actions

  • Restrict interactive shell access to the GNU/Linux subsystem to trusted personnel only
  • Build and run applications only from trusted sources
  • Monitor for anomalous BPF program loading on affected systems
  • Apply vendor patches when available per Siemens security advisory SSA-265688
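
One way to act on the monitoring recommendation is to cross-reference a BPF program inventory against the map inventory and flag tracepoint programs that hold a reference to a sockmap or sockhash map. The following is an added example, not code from Siemens or the kernel project; it assumes the inventories come from `bpftool -j prog show` and `bpftool -j map show` (and that bpftool is available on the subsystem), and the sample data is constructed.

```python
import json

# Assumption: type strings as bpftool prints them for the program and map
# kinds the advisory names (tracepoint programs, sockmap/sockhash maps).
TRACEPOINT_PROG_TYPES = {"tracepoint", "raw_tracepoint"}
SOCK_MAP_TYPES = {"sockmap", "sockhash"}

# Constructed sample inventories, not captured from a real device.
SAMPLE_PROGS = json.dumps([
    {"id": 11, "type": "sk_msg", "name": "msg_redirect", "map_ids": [3]},
    {"id": 12, "type": "tracepoint", "name": "trace_close", "map_ids": [3, 4]},
    {"id": 13, "type": "raw_tracepoint", "name": "raw_probe", "map_ids": [5]},
    {"id": 14, "type": "tracepoint", "name": "no_maps"},
    {"id": 15, "type": "kprobe", "name": "count_calls", "map_ids": [4]},
])
SAMPLE_MAPS = json.dumps([
    {"id": 3, "type": "sockmap", "name": "conn_map"},
    {"id": 4, "type": "hash", "name": "counters"},
    {"id": 5, "type": "sockhash", "name": "conn_hash"},
])


def flag_tracepoint_sockmap_users(progs_json, maps_json):
    """Return one finding per (tracepoint program, sockmap/sockhash map) pair.

    A map reference shows the program can reach the map, not that it calls
    map_delete on it, so each finding is a triage lead rather than proof.
    """
    sock_maps = {m["id"]: m for m in json.loads(maps_json)
                 if m.get("type") in SOCK_MAP_TYPES}
    findings = []
    for prog in json.loads(progs_json):
        if prog.get("type") not in TRACEPOINT_PROG_TYPES:
            continue
        for map_id in prog.get("map_ids", []):  # key is absent when no maps are used
            if map_id in sock_maps:
                findings.append({
                    "prog_id": prog["id"],
                    "prog_type": prog["type"],
                    "prog_name": prog.get("name", ""),
                    "map_id": map_id,
                    "map_type": sock_maps[map_id]["type"],
                })
    return findings


if __name__ == "__main__":
    for f in flag_tracepoint_sockmap_users(SAMPLE_PROGS, SAMPLE_MAPS):
        print("review: prog {prog_id} ({prog_type} {prog_name}) references "
              "{map_type} map {map_id}".format(**f))
```

On a patched kernel the verifier rejects such a program at load time if it calls map_delete on these maps, so a finding there points to a program that only reads the map or to an inventory taken from an unpatched system.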

Evidence notes

The vulnerability description indicates this was discovered through syzkaller fuzzing reports showing BPF tracepoint programs could trigger locking violations via map_delete on sockmap/sockhash. The fix extends existing verifier program-type restrictions to cover delete operations. Siemens has confirmed this affects the GNU/Linux subsystem of SIMATIC S7-1500 TM MFP industrial controllers.
