CVE-2024-49955 Siemens CVE debrief

Who should care

System administrators managing Siemens industrial networking equipment (RUGGEDCOM RST2428P, SCALANCE XC/XR/XCM/XRM/XCH/XRH families), Linux kernel maintainers for embedded/industrial systems, OT security teams responsible for patch management in critical infrastructure environments

Technical summary

The vulnerability exists in drivers/acpi/battery.c where battery_hook_unregister() does not check if a hook has already been unregistered. When acpi_battery_add() fails after registering a hook, battery_hook_unregister() is called automatically. The hook provider, unaware of this automatic unregistration, later calls battery_hook_unregister() again, causing a list corruption or null pointer dereference. The fix adds a list_empty() check to battery_hook_unregister() to skip already-unregistered hooks. This is a classic use-after-free pattern where state synchronization between automatic and manual unregistration paths is missing.

Defensive priority

medium

Recommended defensive actions

• Update affected Siemens products to version 3.2 or later as specified in vendor advisory
• For SCALANCE XC-300/XR-300/XC-400/XR-500WG/XR-500 family, consult vendor documentation for specific configuration guidance
• Apply defense-in-depth practices for industrial control systems per CISA recommendations
• Monitor for kernel updates from Linux distribution vendors for non-Siemens systems
• Review battery hook implementations in custom kernel modules for similar patterns

Evidence notes

Vulnerability description and affected products confirmed through CISA CSAF advisory ICSA-25-226-07, which references Siemens ProductCERT advisory SSA-355557. CVSS vector AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H indicates local attack vector with low attack complexity, requiring low privileges, resulting in high availability impact.

Official resources