PatchSiren cyber security CVE debrief
CVE-2024-44935 Siemens CVE debrief
CVE-2024-44935 is a null pointer dereference vulnerability in the Linux kernel's SCTP (Stream Control Transmission Protocol) subsystem, specifically within the `reuseport_add_sock()` function. The flaw occurs when a race condition between socket creation and closure leads to accessing a cleared `sk_reuseport_cb` pointer. An attacker with local access could potentially trigger this condition to cause a denial of service through system instability or crash. The vulnerability stems from improper synchronization when handling SO_REUSEPORT socket options during concurrent listener operations.
- Vendor: Siemens
- Product: RUGGEDCOM RST2428P (6GK6242-6PA00)
- CVSS: MEDIUM 5.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2024-04-09
- Original CVE updated: 2026-05-14
- Advisory published: 2024-04-09
- Advisory updated: 2026-05-14
Who should care
System administrators managing Siemens industrial networking equipment including SCALANCE XC-300/XR-300/XC-400/XR-500WG/XR-500 family, SCALANCE XCM-/XRM-/XCH-/XRH-300 family, and RUGGEDCOM RST2428P switches running SINEC OS. Security teams in OT/ICS environments should prioritize monitoring given the critical infrastructure deployment of these devices. Kernel developers and maintainers of SCTP-enabled systems should review socket reuseport handling for similar race conditions.
Technical summary
The vulnerability exists in the SCTP protocol implementation within the Linux kernel networking stack. The `reuseport_add_sock()` function, which handles socket binding with the SO_REUSEPORT option, contains a race condition where the `sk_reuseport_cb` member of a socket structure (`sk2`) may be accessed after being cleared by a concurrent `reuseport_detach_sock()` call during socket closure. The reproduction scenario involves: (1) creating a listener socket with SO_REUSEPORT enabled, (2) initiating a second listener on the same port, and (3) concurrently closing the first listener. The second `listen()` invocation passes the first listener as `sk2` to `reuseport_add_sock()`, where the unexpected NULL `sk_reuseport_cb` triggers the dereference. This represents a classic TOCTOU (Time-of-Check to Time-of-Use) synchronization issue in kernel socket state management.
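The interleaving above is easier to reason about in a reduced model. The following is an added example, not the kernel's SCTP code and not the actual upstream patch: a constructed userspace model in which `listen()` looks up an existing listener `sk2` in a hash bucket and then calls a `reuseport_add_sock()` that reads `sk2->sk_reuseport_cb`, while a concurrent `close()` detaches that listener. The `hold_lock` parameter, the bucket layout and the port number are assumptions of the model; the kernel's real locking is more involved. The point it shows is the invariant at stake: a listener found in the bucket must still own its reuseport group when it is used, so the lookup and the use have to sit inside the same critical section as the detach. Where the real kernel dereferenced NULL, this model reports -1 instead.

```c
#include <pthread.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed, simplified userspace model of the race in CVE-2024-44935.
 * NOT the kernel's SCTP code or its patch; names mirror the kernel's only
 * so the pattern is recognisable. */

struct sock_reuseport {
    int num_socks;                           /* listeners sharing the port */
};

struct sock {
    int port;
    struct sock_reuseport *sk_reuseport_cb;  /* NULL once detached */
};

/* A hash bucket: its lock and the listener currently hashed into it. */
struct bucket {
    pthread_mutex_t lock;
    struct sock *listener;
};

/* Model of reuseport_add_sock(): join sk to sk2's group. The kernel assumed
 * sk2->sk_reuseport_cb was valid; here NULL is reported as -1 instead of
 * being dereferenced. */
static int reuseport_add_sock(struct sock *sk, struct sock *sk2)
{
    struct sock_reuseport *reuse = sk2->sk_reuseport_cb;

    if (!reuse)
        return -1;                           /* where the kernel would crash */
    reuse->num_socks++;
    sk->sk_reuseport_cb = reuse;
    return 0;
}

/* Model of close(): unhash the listener and detach its group (what
 * reuseport_detach_sock() does) under the bucket lock. */
static void close_listener(struct bucket *b, struct sock *sk)
{
    pthread_mutex_lock(&b->lock);
    if (b->listener == sk)
        b->listener = NULL;
    sk->sk_reuseport_cb = NULL;
    pthread_mutex_unlock(&b->lock);
}

/* Model of listen(): find an existing listener (sk2) on the same port, then
 * add to its group. hold_lock keeps the bucket lock across the add (safe);
 * otherwise the lock is dropped after the lookup, opening the TOCTOU window. */
static int listen_on_port(struct bucket *b, struct sock *sk, int hold_lock)
{
    struct sock *sk2 = NULL;
    int rc = 0;

    pthread_mutex_lock(&b->lock);
    if (b->listener && b->listener->port == sk->port)
        sk2 = b->listener;
    if (!hold_lock)
        pthread_mutex_unlock(&b->lock);      /* close() may now run */
    if (sk2)
        rc = reuseport_add_sock(sk, sk2);
    if (hold_lock)
        pthread_mutex_unlock(&b->lock);
    return rc;
}

struct race_args { struct bucket *b; struct sock *sk; int hold_lock; int rc; };

static void *listen_thread(void *p)
{
    struct race_args *a = p;
    a->rc = listen_on_port(a->b, a->sk, a->hold_lock);
    return NULL;
}

static void *close_thread(void *p)
{
    struct race_args *a = p;
    close_listener(a->b, a->sk);
    return NULL;
}

/* Deterministic view of the bad interleaving: close() has detached sk2
 * after the lookup returned it but before reuseport_add_sock() ran. */
int detach_then_add(void)
{
    struct sock_reuseport group = { 1 };
    struct sock first = { 8080, &group };
    struct sock second = { 8080, NULL };
    struct bucket b = { .listener = &first };
    int rc;

    pthread_mutex_init(&b.lock, NULL);
    close_listener(&b, &first);
    rc = reuseport_add_sock(&second, &first);   /* -1: NULL would be used */
    pthread_mutex_destroy(&b.lock);
    return rc;
}

/* Run `iterations` concurrent listen()/close() pairs; return how many times
 * the second listener saw a NULL sk_reuseport_cb. With hold_lock set the
 * answer is always 0, because the detach cannot interleave. */
int run_race(int hold_lock, int iterations)
{
    int null_seen = 0;

    for (int it = 0; it < iterations; it++) {
        struct sock_reuseport group = { 1 };
        struct sock first = { 8080, &group };
        struct sock second = { 8080, NULL };
        struct bucket b = { .listener = &first };
        struct race_args la = { &b, &second, hold_lock, 0 };
        struct race_args ca = { &b, &first, 0, 0 };
        pthread_t t1, t2;

        pthread_mutex_init(&b.lock, NULL);
        pthread_create(&t1, NULL, listen_thread, &la);
        pthread_create(&t2, NULL, close_thread, &ca);
        pthread_join(t1, NULL);
        pthread_join(t2, NULL);
        pthread_mutex_destroy(&b.lock);
        if (la.rc == -1)
            null_seen++;
    }
    return null_seen;
}

int main(void)
{
    printf("lock dropped before add: %d NULL sightings / 500\n", run_race(0, 500));
    printf("lock held across add:    %d NULL sightings / 500\n", run_race(1, 500));
    return 0;
}
```

The unlocked run may or may not report sightings depending on scheduling, which is exactly why races of this kind survive review: the code is wrong whenever the window exists, not only when it is hit. The locked run is the shape to look for when auditing similar listener or hash-table paths, as the "Who should care" section suggests.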
Defensive priority
medium
Recommended defensive actions
- Apply kernel patches addressing the SCTP reuseport race condition when available from Siemens ProductCERT
- Monitor Siemens SSA-355557 advisory for updated affected product configurations and patch releases
- Implement network segmentation for affected SCALANCE and RUGGEDCOM devices to limit local attack surface
- Review and apply CISA ICS recommended practices for defense-in-depth strategies
- Validate SO_REUSEPORT socket usage in custom applications on affected systems
- Schedule maintenance windows for firmware updates on critical industrial control network infrastructure
Evidence notes
The vulnerability description indicates a race condition in SCTP socket handling where `sk2->sk_reuseport_cb` can be cleared by `reuseport_detach_sock()` during a concurrent close operation while `reuseport_add_sock()` attempts to access it. The CVSS v3.1 score of 5.5 (MEDIUM) reflects a local attack vector with low attack complexity. The source advisory (ICSA-25-226-07) from CISA's CSAF repository, republished based on Siemens ProductCERT SSA-355557, documents this as affecting Siemens industrial networking products running SINEC OS. The advisory's threat assessment categorizes the impact as 'Misinformed' for affected product IDs, suggesting potential documentation or assessment complexities.
Official resources
- CVE-2024-44935 CVE record (CVE.org)
- CVE-2024-44935 NVD detail (NVD)
- Source item URL (cisa_csaf)
- Source reference (Reference)
2025-08-12