PatchSiren cyber security CVE debrief
CVE-2024-47685 Siemens CVE debrief
A critical vulnerability in the Linux kernel's netfilter IPv6 rejection handling allows uninitialized memory to be transmitted in TCP reset packets. The flaw resides in nf_reject_ip6_tcphdr_put(), which failed to zero-initialize the TCP header before transmission, potentially leaking kernel memory contents through the four reserved TCP header bits (th->res1). This was discovered by syzbot and reported via KMSAN (Kernel Memory Sanitizer). Siemens has confirmed this vulnerability affects multiple industrial networking products running SINEC OS, including RUGGEDCOM RST2428P and SCALANCE switch families. The issue has been resolved in the upstream Linux kernel by adopting skb_put_zero() to clear the entire TCP header, matching the implementation in the IPv4 equivalent function nf_reject_ip_tcphdr_put().
- Vendor: Siemens
- Product: RUGGEDCOM RST2428P (6GK6242-6PA00)
- CVSS: CRITICAL 9.1
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2024-04-09
- Original CVE updated: 2026-05-14
- Advisory published: 2024-04-09
- Advisory updated: 2026-05-14
Who should care
Organizations operating Siemens industrial networking infrastructure including RUGGEDCOM RST2428P switches and SCALANCE XC-300/XR-300/XC-400/XR-500WG/XR-500 and XCM-/XRM-/XCH-/XRH-300 families. Security teams responsible for OT/ICS environments using SINEC OS-based devices. Network administrators managing IPv6-enabled industrial networks with nftables or netfilter-based rejection policies. Kernel maintainers and developers working on netfilter IPv6 components.
Technical summary
The vulnerability exists in the Linux kernel's netfilter subsystem, specifically in the IPv6 rejection path. When generating TCP reset packets in response to rejected IPv6 connections, nf_reject_ip6_tcphdr_put() allocated space for the TCP header without zero-initializing it. Every other header field is written explicitly, so the four reserved bits (th->res1) were the only ones left holding uninitialized kernel memory contents, which were then transmitted on the network. The flaw was detected by syzbot using KMSAN, which identified the uninit-value bug at net/ipv6/netfilter/nf_reject_ipv6.c:255. The call chain starts at nft_reject_inet_eval() for nftables reject rules and propagates through nf_send_reset6() to the vulnerable function. The upstream fix replaces skb_put() with skb_put_zero() so the whole header is cleared before the fields are filled in, consistent with the IPv4 implementation in nf_reject_ip_tcphdr_put(). Siemens products incorporating this kernel code are affected, and remediation requires firmware updates to V3.2 or later.
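The skb_put() versus skb_put_zero() difference described above, modelled in plain userland C as an added example (this is not kernel code and not Siemens' or the upstream patch's code). model_skb, model_put, model_put_zero and fill_tcp_rst are hypothetical stand-ins for the kernel routines, and the 0xA5 stale-buffer pattern is constructed; the reserved bits sit in the low nibble of TCP header byte 12, as in struct tcphdr.

```c
#include <stdint.h>
#include <string.h>

/* Userland model of the bug (added example, not kernel code): a "skb" is a byte
 * arena whose tail still holds stale data from earlier use, which is exactly
 * what lets skb_put() hand back uninitialized bytes. */
#define ARENA_LEN 64
#define TCP_HDR_LEN 20
#define TCP_RES_BYTE 12  /* data offset (high nibble) + reserved bits (low nibble) */

struct model_skb { uint8_t data[ARENA_LEN]; size_t tail; };

/* Like skb_put(): reserve len bytes at the tail, contents left as they were. */
static uint8_t *model_put(struct model_skb *skb, size_t len) {
    uint8_t *p = skb->data + skb->tail;
    skb->tail += len;
    return p;
}

/* Like skb_put_zero(): same reservation, but the bytes are cleared first. */
static uint8_t *model_put_zero(struct model_skb *skb, size_t len) {
    return memset(model_put(skb, len), 0, len);
}

/* Sets the fields nf_reject_ip6_tcphdr_put() writes explicitly. The doff write
 * mirrors the kernel's bitfield store: only the high nibble of byte 12 changes,
 * so the reserved low nibble (res1) keeps whatever the buffer already held. */
static void fill_tcp_rst(uint8_t *th, uint16_t sport, uint16_t dport) {
    th[0] = sport >> 8; th[1] = sport & 0xff;  /* source port */
    th[2] = dport >> 8; th[3] = dport & 0xff;  /* destination port */
    memset(th + 4, 0, 8);                      /* seq, ack_seq */
    th[TCP_RES_BYTE] = (th[TCP_RES_BYTE] & 0x0f) | (5u << 4); /* doff = 5 words */
    th[13] = 0x14;                             /* flags: RST|ACK */
    memset(th + 14, 0, 6);                     /* window, check, urg_ptr */
}

/* Builds the RST header over a stale arena with either put (vulnerable) or
 * put_zero (fixed) and returns the reserved nibble that would go on the wire. */
int reserved_bits_after_build(int use_put_zero) {
    struct model_skb skb = { .tail = 0 };
    memset(skb.data, 0xA5, ARENA_LEN);         /* constructed stale contents */
    uint8_t *th = use_put_zero ? model_put_zero(&skb, TCP_HDR_LEN)
                               : model_put(&skb, TCP_HDR_LEN);
    fill_tcp_rst(th, 80, 40000);
    return th[TCP_RES_BYTE] & 0x0f;            /* 0x5 with put, 0 with put_zero */
}
```

The same nibble check, applied to captured IPv6 TCP resets, is a cheap way to spot a sender that still runs the unpatched builder, since a correctly built reset always carries zero reserved bits.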
Defensive priority
critical
Recommended defensive actions
- Apply vendor-provided firmware updates to V3.2 or later for affected Siemens RUGGEDCOM and SCALANCE products
- Monitor for abnormal TCP reset patterns in IPv6 traffic as potential indicators of exploitation attempts
- Review netfilter nftables rules utilizing reject actions for IPv6 traffic as these trigger the vulnerable code path
- Validate that kernel memory sanitizers such as KMSAN are operational in development and test environments so similar uninitialized-memory issues are caught before release
- Coordinate with Siemens support for specific update guidance for SCALANCE XC-300/XR-300/XC-400/XR-500WG/XR-500 family configurations
Evidence notes
The vulnerability was identified through kernel memory sanitizer (KMSAN) detection of uninitialized value usage in nf_reject_ip6_tcphdr_put() at net/ipv6/netfilter/nf_reject_ipv6.c:255. The fix aligns IPv6 handling with existing IPv4 implementation patterns. Siemens ProductCERT advisory SSA-355557 and CISA ICSA-25-226-07 provide vendor confirmation and affected product enumeration.
Official resources
- CVE-2024-47685 CVE record (CVE.org)
- CVE-2024-47685 NVD detail (NVD)
- Source item URL (cisa_csaf)