PatchSiren cyber security CVE debrief
CVE-2024-42232 Siemens CVE debrief
CVE-2024-42232 is a race condition vulnerability in libceph, the Ceph client library used within Siemens industrial networking products. The flaw exists in how delayed work is handled during monitor client shutdown (ceph_monc_stop()), creating a window where mon_fault() or finish_hunting() can requeue delayed work after cancel_delayed_work_sync() has already executed. This race can lead to use-after-free conditions on the monitor client structure (monc) and its dependent objects, particularly monc->auth and monc->monmap, which may be rapidly reused. The vulnerability stems from incomplete handling of hunting interval logic during session closure. Siemens has assessed the impact as 'Misinformed' for affected products, indicating the vulnerability's applicability or severity may differ from initial assessment. The issue was originally addressed in an incomplete libceph patch and represents a residual race condition that was missed in prior remediation efforts.
- Vendor: Siemens
- Product: RUGGEDCOM RST2428P (6GK6242-6PA00)
- CVSS: MEDIUM 5.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2025-08-12
- Original CVE updated: 2026-02-25
- Advisory published: 2025-08-12
- Advisory updated: 2026-02-25
Who should care
Organizations operating Siemens SCALANCE or RUGGEDCOM industrial networking infrastructure with Ceph storage integration; OT security teams managing third-party component risk in industrial environments; infrastructure operators relying on libceph-based distributed storage connectivity in control system networks
Technical summary
The vulnerability resides in libceph's monitor client shutdown path. During ceph_monc_stop(), cancel_delayed_work_sync() is called to terminate pending delayed work. However, __close_session() deliberately avoids manipulating delayed work to preserve hunting interval logic. This creates a race window where mon_fault() or finish_hunting() can requeue delayed work after cancellation but before full teardown. The resulting use-after-free affects monc and its auth/monmap members. The flaw represents an incomplete fix from prior libceph patches addressing similar race conditions in mon_fault() behavior.
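The ordering problem described above can be modelled without threads. The following is an added example, not libceph or Siemens code: all names (`mon_model`, `fault_guarded`, and so on) are hypothetical, and the guarded, close-then-cancel variant is shown as a general hardening pattern for this class of race rather than as the upstream patch.

```c
/* Added model of the shutdown ordering; all names are hypothetical, not libceph code. */
#include <stdbool.h>
#include <stdio.h>

struct mon_model {
    bool session_open;  /* cleared when the session is closed */
    bool work_queued;   /* stands in for the delayed work item */
};
typedef void (*fault_fn)(struct mon_model *);

/* Racy pattern: the fault path requeues without asking whether stop has begun. */
static void fault_unguarded(struct mon_model *m) { m->work_queued = true; }

/* Guarded pattern: bail once the session is closed. In real code this check
 * and the requeue must sit under the same lock that the stop path takes. */
static void fault_guarded(struct mon_model *m)
{
    if (m->session_open)
        m->work_queued = true;
}

/* Cancel first, close afterwards; `fault` fires in the window between them.
 * Returns true if work is still queued when the object would be freed. */
static bool stop_cancel_then_close(fault_fn fault)
{
    struct mon_model m = { .session_open = true, .work_queued = true };
    m.work_queued = false;   /* synchronous cancel */
    fault(&m);               /* late fault lands in the window */
    m.session_open = false;  /* close session; does not touch the work item */
    return m.work_queued;    /* true => worker would later run on freed memory */
}

/* Close first, cancel last; the same fault is injected before and after cancel. */
static bool stop_close_then_cancel(fault_fn fault)
{
    struct mon_model m = { .session_open = true, .work_queued = true };
    m.session_open = false;  /* handlers that check the flag now bail */
    fault(&m);               /* fault before cancel */
    m.work_queued = false;   /* synchronous cancel */
    fault(&m);               /* fault after cancel */
    return m.work_queued;
}

int main(void)
{
    printf("%d %d %d %d\n",
           stop_cancel_then_close(fault_unguarded), stop_cancel_then_close(fault_guarded),
           stop_close_then_cancel(fault_unguarded), stop_close_then_cancel(fault_guarded));
    return 0;
}
```

Only the last combination leaves no work queued: the guard alone still loses when the fault lands before the session is closed, and reordering alone still loses to a handler that requeues unconditionally.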
Defensive priority
medium
Recommended defensive actions
- Review Siemens ProductCERT advisory SSA-355557 for definitive affected product configurations and patch availability
- Verify SCALANCE XC-300/XR-300/XC-400/XR-500WG/XR-500 family deployment configuration against Siemens guidance
- Assess RUGGEDCOM RST2428P and SCALANCE XCM-/XRM-/XCH-/XRH-300 family implementations for Ceph/libceph integration
- Apply vendor-provided firmware updates when available per Siemens release schedule
- Implement network segmentation for affected industrial control systems to limit exposure
- Monitor CISA ICS advisories for additional guidance on this and related third-party component vulnerabilities
Evidence notes
Vulnerability description derived from CISA CSAF advisory ICSA-25-226-07 and Siemens ProductCERT SSA-355557. Race condition specifically involves delayed_work() cancellation timing against mon_fault() and finish_hunting() requeue operations. Use-after-free targets include monc->auth and monc->monmap structures. Siemens threat assessment categorizes impact as 'Misinformed' for affected product configurations.
Official resources
- CVE-2024-42232 CVE record (CVE.org)
- CVE-2024-42232 NVD detail (NVD)
- Source item URL (cisa_csaf)
2025-08-12