PatchSiren

CVE-2024-47709 Siemens CVE debrief

A vulnerability in the Linux kernel's Controller Area Network (CAN) Broadcast Manager (BCM) protocol implementation can trigger a warning condition and unnecessary proc entry removal when socket operations occur on unregistered devices. The issue manifests when a socket's connected device is unregistered, and the socket is subsequently closed without issuing a second connect() call. This leads to the bcm_release() function attempting to remove a proc entry that may not exist, potentially causing system instability or denial of service conditions on affected industrial control systems.

Vendor: Siemens
Product: RUGGEDCOM RST2428P (6GK6242-6PA00)
CVSS: MEDIUM 5.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2024-04-09
Original CVE updated: 2026-05-14
Advisory published: 2024-04-09
Advisory updated: 2026-05-14

Who should care

Organizations operating Siemens industrial networking equipment in manufacturing, energy, transportation, and critical infrastructure sectors. Security teams responsible for industrial control system (ICS) maintenance, network administrators managing CAN-enabled devices, and compliance officers tracking CISA-advised vulnerabilities in OT environments.

Technical summary

The vulnerability exists in the Linux kernel's CAN (Controller Area Network) BCM (Broadcast Manager) protocol implementation. When a socket has connected to a CAN device that becomes unregistered, and the socket is closed without a subsequent connect() call, the bcm_release() function incorrectly attempts to remove a proc entry via remove_proc_entry(). This occurs because the bo->bcm_proc_read pointer remains set, triggering the cleanup operation unnecessarily. The condition results in kernel warnings and potential system instability. The issue is classified under CWE-825 (Expired Pointer Dereference) and carries a CVSS 3.1 score of 5.5 (MEDIUM) with high availability impact. Affected Siemens products include RUGGEDCOM RST2428P and multiple SCALANCE industrial Ethernet switch families running vulnerable Linux kernel versions.
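
The socket lifecycle described above, reduced to a small user-space C model; this is an added example, not kernel or Siemens code. The struct and `model_*` names are hypothetical, and the model assumes the proc entry is already removed when the device is unregistered; `clear_ptr` selects a variant that also clears the pointer at that point.

```c
/* Simplified user-space model of the BCM socket lifecycle (added example, not kernel code). */
#include <stdbool.h>
#include <stddef.h>
/* Hypothetical stand-ins for the proc directory and the socket's BCM state. */
struct proc_dir  { bool entry_exists; int warnings; };
struct bcm_model { bool bound; void *bcm_proc_read; };
static int entry_token;   /* any non-NULL address: "socket thinks it owns a proc entry" */

/* Models remove_proc_entry(): removing a name that is already gone raises a warning. */
static void model_remove_proc_entry(struct proc_dir *dir)
{
    if (!dir->entry_exists) { dir->warnings++; return; }
    dir->entry_exists = false;
}
static void model_connect(struct bcm_model *bo, struct proc_dir *dir)
{
    dir->entry_exists = true;
    bo->bcm_proc_read = &entry_token;
    bo->bound = true;
}
/* Assumption: the entry is removed when the bound device is unregistered. */
static void model_dev_unregister(struct bcm_model *bo, struct proc_dir *dir, bool clear_ptr)
{
    if (bo->bound && bo->bcm_proc_read) {
        model_remove_proc_entry(dir);
        if (clear_ptr) bo->bcm_proc_read = NULL;   /* corrected variant */
    }
    bo->bound = false;
}

/* Models bcm_release(): cleanup is keyed on the pointer, not on whether the entry exists. */
static void model_release(struct bcm_model *bo, struct proc_dir *dir)
{
    if (bo->bcm_proc_read) model_remove_proc_entry(dir);
    bo->bcm_proc_read = NULL;
}

/* connect(), device unregistered, close() with no second connect(); returns warning count. */
int run_lifecycle(bool clear_ptr)
{
    struct proc_dir dir = { false, 0 };
    struct bcm_model bo = { false, NULL };
    model_connect(&bo, &dir);
    model_dev_unregister(&bo, &dir, clear_ptr);
    model_release(&bo, &dir);
    return dir.warnings;
}

int main(void) { return !(run_lifecycle(false) == 1 && run_lifecycle(true) == 0); }
```

With the stale pointer the model records one warning at close; with the pointer cleared at unregistration it records none.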

Defensive priority

medium

Recommended defensive actions

  • Apply vendor-provided firmware updates to V3.2 or later for affected RUGGEDCOM and SCALANCE product families per Siemens ProductCERT guidance
  • Review and implement CISA ICS recommended practices for defense-in-depth strategies in industrial control environments
  • Monitor for anomalous socket behavior or system warnings on affected CAN-enabled devices
  • Validate network segmentation to limit local access to critical industrial control system components
  • Consult Siemens ProductCERT advisory SSA-355557 for specific configuration guidance regarding SCALANCE XC-300/XR-300/XC-400/XR-500WG/XR-500 family deployments

Evidence notes

The vulnerability description indicates this is a Linux kernel CAN BCM subsystem issue affecting socket lifecycle management. The CISA CSAF advisory ICSA-25-226-07, republished on 2026-02-25 based on Siemens ProductCERT SSA-355557, identifies affected Siemens industrial networking products. The CVSS 3.1 vector (AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H) indicates a local attack vector with low attack complexity, low required privileges, no user interaction, and high availability impact. Remediation guidance specifies updating RUGGEDCOM RST2428P and SCALANCE XCM-/XRM-/XCH-/XRH-300 family devices to V3.2 or later.

Official resources

2025-08-12