CVE-2024-42070 Siemens CVE debrief

Who should care

Organizations operating Siemens industrial networking equipment including RUGGEDCOM RST2428P switches and SCALANCE XC-300/XR-300/XC-400/XR-500WG/XR-500 family devices. System administrators managing nftables configurations in embedded Linux environments. OT security teams responsible for patch management in industrial control system networks. Organizations subject to NERC CIP or IEC 62443 compliance requirements for critical infrastructure.

Technical summary

The vulnerability exists in the Linux kernel's netfilter nf_tables subsystem where register store validation for NFT_DATA_VALUE is performed conditionally rather than consistently. The datatype is always either NFT_DATA_VALUE or NFT_DATA_VERDICT, but the validation logic fails to properly infer register types from set datatypes. This allows a pointer to chain objects to leak through registers when NFT_DATA_VALUE is stored without full validation. The fix implements a helper function to infer register type from set datatype, removing the conditional check and ensuring consistent validation. Affected Siemens products use SINEC OS with vulnerable kernel versions prior to V3.1.

Defensive priority

medium

Recommended defensive actions

• Update affected Siemens devices to SINEC OS V3.1 or later version
• Review and apply vendor security advisory SSA-613116 guidance
• Implement network segmentation for industrial control systems per CISA recommended practices
• Monitor for anomalous nf_tables behavior or unexpected register state changes
• Validate nftables rule configurations for proper data type handling

Evidence notes

Vulnerability confirmed in Siemens SINEC OS affecting RUGGEDCOM RST2428P and SCALANCE XC-300/XR-300/XC-400/XR-500WG/XR-500 family devices. Root cause is incomplete validation of NFT_DATA_VALUE in nf_tables register store operations. Vendor fix available in V3.1 or later.

Official resources