PatchSiren cyber security CVE debrief

CVE-2024-47692 Siemens CVE debrief

A null pointer dereference vulnerability exists in the Linux kernel's NFS server (nfsd) component. The flaw occurs when a corrupted main.sqlite database in /var/lib/nfs/nfsdcld/ results in a namelen value of 0, causing memdup_user() to return ZERO_SIZE_PTR. Subsequent access to name.data in nfs4_client_to_reclaim() triggers a null pointer dereference. The vulnerability has been resolved by returning -EINVAL when namelen is 0. Siemens has identified this vulnerability as affecting certain industrial networking products that incorporate the vulnerable Linux kernel component.

Vendor: Siemens
Product: RUGGEDCOM RST2428P (6GK6242-6PA00)
CVSS: MEDIUM 6.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2024-04-09
Original CVE updated: 2026-05-14
Advisory published: 2024-04-09
Advisory updated: 2026-05-14

Who should care

System administrators managing Linux-based NFS servers, particularly in industrial environments using affected Siemens networking equipment. Organizations running nfsd with client tracking enabled should prioritize validation of their nfsdcld database integrity.

Technical summary

The vulnerability exists in the nfsd (NFS server) component of the Linux kernel. When the kernel processes a client reclaim record handed up by the nfsdcld daemon from a corrupted main.sqlite database, a namelen value of 0 causes memdup_user() to return ZERO_SIZE_PTR (0x10), a non-NULL sentinel that passes the usual IS_ERR() check but is not a mapped allocation. The subsequent dereference of name.data in nfs4_client_to_reclaim() therefore faults at address 0x10, which KASAN reports as a null pointer dereference. The fix validates namelen before calling memdup_user(), returning -EINVAL for zero-length names. This is a local vulnerability that requires a corrupted database file, but it can lead to denial of service of the NFS server functionality.
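The failure mode and the fix, as an added user-space illustration that is not kernel code and not from the advisory: a stand-in for memdup_user() returns ZERO_SIZE_PTR for a zero-length request exactly as the kernel helper does, while the record layout (struct cld_name) and the two reclaim function names are assumed for the demo.

```c
#include <errno.h>
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* The kernel's allocation helpers return this non-NULL sentinel for a
 * zero-byte request instead of NULL; on Linux it is (void *)16, i.e. 0x10. */
#define ZERO_SIZE_PTR ((void *)16)
/* Kernel-style error-pointer test: only the top 4095 addresses are errors,
 * so ZERO_SIZE_PTR is NOT caught by it. */
#define IS_ERR(p) ((unsigned long)(p) >= (unsigned long)-4095)

/* Constructed stand-in for one client-tracking record as nfsdcld would
 * hand it to the kernel: a length plus the name bytes (layout assumed). */
struct cld_name { unsigned int len; const char *data; };

/* User-space stand-in for memdup_user(): mirrors its zero-length behaviour. */
static void *fake_memdup_user(const char *src, size_t len)
{
    if (len == 0)
        return ZERO_SIZE_PTR;
    void *p = malloc(len);
    if (!p)
        return (void *)(unsigned long)-ENOMEM;
    memcpy(p, src, len);
    return p;
}

/* Vulnerable pattern: the only check is IS_ERR(), which ZERO_SIZE_PTR passes,
 * so name.data becomes 0x10 and the first byte read faults. To stay runnable
 * this returns the pointer that would be dereferenced instead of touching it. */
const void *reclaim_unchecked(const struct cld_name *msg)
{
    void *data = fake_memdup_user(msg->data, msg->len);
    if (IS_ERR(data))
        return NULL;          /* genuine error pointer: caller reports it */
    return data;              /* ZERO_SIZE_PTR slips through here */
}

/* Patched pattern: reject a zero-length name before duplicating it. */
int reclaim_checked(const struct cld_name *msg, void **out)
{
    if (msg->len == 0)
        return -EINVAL;       /* the fix described in the summary */
    void *data = fake_memdup_user(msg->data, msg->len);
    if (IS_ERR(data))
        return (int)(long)data;
    *out = data;
    return 0;
}
```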

Defensive priority

Medium

Recommended defensive actions

  • Apply vendor-provided firmware updates for affected Siemens industrial networking products when available
  • Monitor for patches from Linux distribution vendors for systems running nfsd
  • Validate integrity of /var/lib/nfs/nfsdcld/main.sqlite on NFS server systems
  • Implement network segmentation to limit exposure of NFS services
  • Review CISA ICS recommended practices for industrial control system security

Evidence notes

The vulnerability was disclosed in CISA advisory ICSA-25-226-07, which references Siemens ProductCERT advisory SSA-355557. The kernel fix adds validation to return -EINVAL when namelen is 0, preventing the null pointer dereference. The KASAN report shows the crash occurs in nfs4_client_to_reclaim+0xe9/0x260 with a read of size 1 at address 0x0000000000000010.

Official resources

2025-08-12