PatchSiren cyber security CVE debrief

CVE-2024-42302 Siemens CVE debrief

A use-after-free vulnerability exists in the Linux kernel's PCI Downstream Port Containment (DPC) handler. The flaw occurs when a DPC event and a hot-removal of the same portion of the PCI hierarchy execute concurrently. The dpc_handler() function polls the configuration space of the first child device on the secondary bus to await readiness, but pci_bridge_wait_for_secondary_bus() fails to hold a reference on that child device. If the child device is removed concurrently, subsequent accesses to its struct pci_dev cause a kernel oops. This vulnerability was introduced in kernel v6.3, when DPC event handling began calling pci_bridge_wait_for_secondary_bus(), and was backported to v5.10+ stable kernels. The issue affects Siemens SIMATIC S7-1500 TM MFP industrial control systems running the GNU/Linux subsystem.

Vendor
Siemens
Product
SIMATIC S7-1500 TM MFP - GNU/Linux subsystem
CVSS
HIGH 7.8
CISA KEV
Not listed in stored evidence
Original CVE published
2024-04-09
Original CVE updated
2026-05-14
Advisory published
2024-04-09
Advisory updated
2026-05-14

Who should care

Industrial control system operators using Siemens SIMATIC S7-1500 TM MFP with GNU/Linux subsystem, Linux kernel maintainers for v5.10+ stable branches, and organizations running PCI Express hot-plug capable systems with DPC enabled.

Technical summary

The vulnerability stems from a missing reference count in pci_bridge_wait_for_secondary_bus() when it is called from dpc_handler(). The function polls the PCI configuration space of the first child device on a secondary bus without holding a reference, creating a race condition with concurrent hot-removal. When the child device is freed during hot-removal while dpc_handler() still attempts to access its struct pci_dev, a use-after-free occurs, resulting in a kernel page fault. The fix requires acquiring a reference to the child device before polling and releasing it afterward. Affected code path: dpc_handler() → dpc_reset_link() → pci_bridge_wait_for_secondary_bus() → pci_dev_wait() → pci_bus_read_config_dword().

Defensive priority

HIGH

Recommended defensive actions

  • Limit access to the interactive shell of the additional GNU/Linux subsystem to trusted personnel only
  • Only build and run applications from trusted sources
  • Monitor for kernel oops messages related to pci_bus_read_config_dword or dpc_handler indicating potential exploitation attempts
  • Apply vendor patches when available for the SIMATIC S7-1500 TM MFP GNU/Linux subsystem

Evidence notes

The vulnerability was resolved in the Linux kernel with a fix to acquire the missing reference on the child device in pci_bridge_wait_for_secondary_bus(). The issue was reported by Keith and affects kernels from v5.10+ due to backporting of commit 53b54ad074de. Siemens has confirmed this affects the SIMATIC S7-1500 TM MFP GNU/Linux subsystem with no patch currently available.

Official resources

2024-04-09