PatchSiren cyber security CVE debrief

CVE-2024-40945 Siemens CVE debrief

CVE-2024-40945 is a Linux kernel IOMMU vulnerability in which iommu_sva_bind_device() could return NULL instead of an ERR_PTR error value, potentially causing a kernel NULL pointer dereference in drivers that only check IS_ERR(). The issue is limited to kernels built without CONFIG_IOMMU_SVA. Siemens has assessed this as 'Misinformed' impact for affected industrial networking products, indicating the vulnerability does not pose actual risk to these systems. The CVE was published 2025-08-12 and last modified 2026-02-25. There is no KEV listing and no known ransomware campaign use.

Vendor: Siemens
Product: RUGGEDCOM RST2428P (6GK6242-6PA00)
CVSS: MEDIUM 6.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2024-04-09
Original CVE updated: 2026-05-14
Advisory published: 2024-04-09
Advisory updated: 2026-05-14

Who should care

Organizations running Linux-based Siemens industrial networking equipment (RUGGEDCOM RST2428P, SCALANCE XC-300/XR-300/XC-400/XR-500WG/XR-500 family, SCALANCE XCM-/XRM-/XCH-/XRH-300 family) should verify this assessment does not affect their risk posture. OT security teams monitoring CISA ICS advisories and kernel maintainers tracking IOMMU SVA subsystem correctness should track this for completeness.

Technical summary

The Linux kernel function iommu_sva_bind_device() in the IOMMU subsystem incorrectly returns NULL in certain error conditions instead of an ERR_PTR error pointer. Drivers such as idxd and uacce check return values using IS_ERR() only, which would not catch NULL returns, potentially leading to NULL pointer dereference. However, the function only returns NULL when CONFIG_IOMMU_SVA is disabled, limiting practical exploitability. Siemens has assessed this vulnerability as 'Misinformed' impact for affected industrial networking products including RUGGEDCOM RST2428P and SCALANCE families, indicating no actual security risk to these systems.
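
The NULL-versus-ERR_PTR mismatch described above, as an added userspace C example (not kernel source and not code from Siemens or this page). The helpers mirror the kernel's linux/err.h; struct sva_handle, the two stub functions, the outcome enum and the -ENODEV value are assumptions made for illustration.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

/* Userspace copies of the kernel's error-pointer helpers (linux/err.h). */
#define MAX_ERRNO 4095
static inline void *ERR_PTR(long err) { return (void *)err; }
static inline long PTR_ERR(const void *p) { return (long)p; }
static inline int IS_ERR(const void *p) { return (uintptr_t)p >= (uintptr_t)-MAX_ERRNO; }
static inline int IS_ERR_OR_NULL(const void *p) { return !p || IS_ERR(p); }

struct sva_handle { int pasid; };  /* hypothetical stand-in for the bound handle */

/* Stub shape the CVE describes: SVA support compiled out, NULL returned. */
static struct sva_handle *bind_stub_null(void) { return NULL; }
/* Stub that reports failure as an error pointer (-ENODEV is illustrative). */
static struct sva_handle *bind_stub_errptr(void) { return ERR_PTR(-ENODEV); }

enum outcome { HANDLED_ERROR, WOULD_DEREF_NULL, USED_VALID_HANDLE };

/* Caller that checks IS_ERR() only, the pattern attributed to idxd and uacce. */
static enum outcome driver_is_err_only(struct sva_handle *h)
{
    if (IS_ERR(h))
        return HANDLED_ERROR;
    /* The driver now trusts h; NULL slipped past because IS_ERR(NULL) == 0. */
    return h ? USED_VALID_HANDLE : WOULD_DEREF_NULL;
}

/* Defensive caller: treats NULL and error pointers alike as failure. */
static enum outcome driver_defensive(struct sva_handle *h)
{
    if (IS_ERR_OR_NULL(h))
        return HANDLED_ERROR;
    return USED_VALID_HANDLE;
}

int main(void)
{
    static const char *name[] = { "handled error", "would dereference NULL", "used handle" };
    printf("IS_ERR-only caller, NULL stub:    %s\n", name[driver_is_err_only(bind_stub_null())]);
    printf("IS_ERR-only caller, ERR_PTR stub: %s\n", name[driver_is_err_only(bind_stub_errptr())]);
    printf("defensive caller,   NULL stub:    %s\n", name[driver_defensive(bind_stub_null())]);
    printf("errno carried by ERR_PTR stub:    %ld\n", PTR_ERR(bind_stub_errptr()));
    return 0;
}
```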

Defensive priority

low

Recommended defensive actions

  • Verify kernel configuration on Linux-based Siemens devices to confirm CONFIG_IOMMU_SVA is enabled
  • Apply vendor-provided firmware updates when available per Siemens SSA-355557
  • Monitor CISA ICS advisories for additional guidance on affected industrial control systems
  • Implement network segmentation for industrial control systems per CISA recommended practices
  • Review defense-in-depth strategies for industrial control environments

Evidence notes

Source: Siemens ProductCERT SSA-355557 via CISA CSAF advisory ICSA-25-226-07. The Siemens threat assessment categorizes the impact as 'Misinformed' for affected products. The CVE description confirms the issue only manifests when the kernel is not configured with CONFIG_IOMMU_SVA.
