PatchSiren cyber security CVE debrief
CVE-2024-49949 Siemens CVE debrief
CVE-2024-49949 is a medium-severity vulnerability in the Linux kernel's networking subsystem, specifically within the `qdisc_pkt_len_init()` function when handling UFO (UDP Fragmentation Offload) packets. The issue involves a potential integer underflow that could lead to denial of service conditions. The vulnerability was resolved in the upstream Linux kernel. Siemens has identified affected products in their industrial networking portfolio, including RUGGEDCOM RST2428P switches and SCALANCE XC/XR/XCM/XRM/XCH/XRH family devices running SINEC OS. The CVSS 3.1 vector (AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H) indicates a local attack vector with low attack complexity, requiring low privileges but no user interaction, resulting in high availability impact.
- Vendor: Siemens
- Product: RUGGEDCOM RST2428P (6GK6242-6PA00)
- CVSS: MEDIUM 5.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2024-04-09
- Original CVE updated: 2026-05-14
- Advisory published: 2024-04-09
- Advisory updated: 2026-05-14
Who should care
Organizations operating Siemens industrial networking equipment including RUGGEDCOM RST2428P switches and SCALANCE XC/XR/XCM/XRM/XCH/XRH family devices. System administrators managing Linux-based industrial control systems, OT security teams responsible for network infrastructure in manufacturing, energy, and critical infrastructure sectors, and vulnerability management programs tracking third-party component vulnerabilities in embedded industrial products.
Technical summary
The vulnerability exists in the Linux kernel's network queueing discipline (qdisc) subsystem. The `qdisc_pkt_len_init()` function, which initializes packet length information for traffic shaping and scheduling, contains a potential integer underflow when processing packets with UDP Fragmentation Offload (UFO) enabled. An underflow in packet length calculations could cause the kernel to process invalid length values, potentially leading to memory corruption or system crashes. The attack requires local access with low privileges, making it primarily a concern for multi-user systems or containerized environments where untrusted users may have local access. For the affected Siemens industrial products, exploitation would require an attacker to have established some level of access to the device or network segment.
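To make the bug class concrete, the following is a constructed model of an unsigned length underflow of the kind described above (packet length minus header length, then divided into GSO segments), with the unguarded arithmetic beside a guarded version. It is an added example, not the kernel's `qdisc_pkt_len_init()` code or the upstream fix; the function names, the 28-byte IPv4+UDP header figure and the packet sizes are assumptions chosen for the illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed model of the bug class the debrief describes: an unsigned
 * packet length minus a header length, then a division into GSO segments.
 * It is NOT the kernel's qdisc_pkt_len_init(); names and values are
 * simplified stand-ins chosen for this illustration. */

/* Ceiling division without the n + d - 1 overflow a naive macro has. */
static uint32_t div_round_up(uint32_t n, uint32_t d)
{
    return n / d + (n % d != 0);
}

/* Unguarded: when hdr_len exceeds len, the unsigned subtraction wraps to
 * nearly 4 GiB and the segment count becomes absurd. */
uint32_t gso_segs_unguarded(uint32_t len, uint32_t hdr_len, uint32_t gso_size)
{
    uint32_t payload = len - hdr_len;   /* wraps if hdr_len > len */
    return div_round_up(payload, gso_size);
}

/* Guarded: validate the lengths before doing any arithmetic. Returns the
 * segment count, or -1 when the packet is malformed and should be dropped. */
long long gso_segs_guarded(uint32_t len, uint32_t hdr_len, uint32_t gso_size)
{
    if (gso_size == 0 || len < hdr_len)
        return -1;
    return div_round_up(len - hdr_len, gso_size);
}

int main(void)
{
    /* constructed inputs: a 3000-byte packet claiming 28 bytes of IPv4+UDP
     * headers (sane) and a 20-byte packet making the same claim (malformed) */
    printf("sane packet, unguarded:      %u segments\n",
           gso_segs_unguarded(3000, 28, 1000));
    printf("malformed packet, unguarded: %u segments\n",
           gso_segs_unguarded(20, 28, 1000));
    printf("malformed packet, guarded:   %lld (dropped)\n",
           gso_segs_guarded(20, 28, 1000));
    return 0;
}
```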
Defensive priority
medium
Recommended defensive actions
- Apply vendor-provided firmware updates to V3.2 or later for affected Siemens RUGGEDCOM RST2428P and SCALANCE XCM-/XRM-/XCH-/XRH-300 family devices per Siemens ProductCERT guidance
- For SCALANCE XC-300/XR-300/XC-400/XR-500WG/XR-500 family devices, consult Siemens ProductCERT advisory SSA-355557 for specific configuration and patch guidance
- Implement network segmentation for industrial control systems to limit exposure of affected devices
- Monitor for anomalous network traffic patterns that could indicate attempted exploitation of kernel networking vulnerabilities
- Review and apply CISA ICS recommended practices for defense-in-depth strategies
- Validate that UDP fragmentation offload (UFO) features are disabled or properly configured if not required for operational functionality
Evidence notes
Vulnerability description sourced from CISA CSAF advisory ICSA-25-226-07, which references Siemens ProductCERT advisory SSA-355557. The issue was resolved in the Linux kernel upstream. Siemens remediation guidance specifies firmware updates to V3.2 or later for affected RUGGEDCOM and SCALANCE products.
Official resources
- CVE-2024-49949 CVE record (CVE.org)
- CVE-2024-49949 NVD detail (NVD)
- Source item: cisa_csaf
2025-08-12