PatchSiren

PatchSiren cyber security CVE debrief

CVE-2024-49982 Siemens CVE debrief

CVE-2024-49982 is a HIGH severity (CVSS 7.8) use-after-free vulnerability in the Linux kernel's ATA over Ethernet (AoE) block driver (drivers/block/aoe). It stems from unbalanced reference counting on the network device (skb->dev) of packets queued for transmission through aoenet_xmit(). The fix for CVE-2023-6270 (commit f98364e92662) moved the dev_put() into the driver's tx() function, so that tx() now drops one reference for every packet it sends, but only aoecmd_cfg_pkts() was given the matching dev_hold(); revalidate(), aoecmd_ata_rw(), resend(), probe(), and aoecmd_cfg_rsp() queue packets through the same path without taking a reference first. Each packet from those functions therefore releases a reference that nobody took, the net_device reference count can fall to zero and below while the device is still in use, and the structure is freed prematurely; later accesses to it are a use-after-free. The vulnerability requires local access with low privileges and no user interaction, and successful exploitation has high impact on confidentiality, integrity, and availability. Siemens has identified affected products in its RUGGEDCOM and SCALANCE networking product lines that ship the vulnerable kernel code.

Vendor
Siemens
Product
RUGGEDCOM RST2428P (6GK6242-6PA00)
CVSS
HIGH 7.8
CISA KEV
Not listed in stored evidence
Original CVE published
2025-08-12
Original CVE updated
2026-02-25
Advisory published
2025-08-12
Advisory updated
2026-02-25

Who should care

Organizations operating Siemens industrial networking equipment, including RUGGEDCOM RST2428P switches and SCALANCE X-family managed switches (XC-300/XR-300/XC-400/XR-500WG/XR-500 and XCM-/XRM-/XCH-/XRH-300 families) running SINEC OS. Administrators responsible for Linux kernel security on hosts where the aoe driver is built in or loaded, for example for AoE storage networking. OT security teams managing industrial control system networks in which these devices provide critical connectivity.

Technical summary

The vulnerability is in the Linux kernel's ATA over Ethernet (AoE) block driver, in how references to the outgoing network device are managed for packets queued for transmission. AoE code does not transmit directly: it hands skbs to aoenet_xmit(), which queues them for the driver's tx() routine to send later. Because a packet may be sent after its caller has returned, the caller must hold a reference on skb->dev for as long as the packet sits in the queue. The fix for CVE-2023-6270 (commit f98364e92662) moved the dev_put() that releases that reference into tx(), so that aoecmd_cfg_pkts() no longer dropped it before the packet was actually sent. tx() therefore now drops one reference per packet, but five other callers of aoenet_xmit(), namely revalidate(), aoecmd_ata_rw(), resend(), probe(), and aoecmd_cfg_rsp(), were not given a matching dev_hold(). Every packet they queue releases a reference that was never taken, so the net_device reference count can reach zero and go negative while the device is still in use, the structure is freed prematurely, and tx() and other users then touch freed memory. The upstream fix adds a dev_hold() in each of the five functions before they call aoenet_xmit(), pairing every put in tx() with a hold in the caller. The attack surface is local: an attacker with low-privilege access must be able to trigger AoE activity (device discovery, I/O, or retransmission) on a host where the aoe driver is present, and the affected paths are unreachable on kernels that do not build or load that driver. The practical outcome ranges from a kernel crash (denial of service) to kernel memory corruption that could enable information disclosure or privilege escalation, which is what the CVSS rating reflects.

Defensive priority

HIGH

Recommended defensive actions

  • Apply vendor-provided firmware updates to V3.2 or later for affected RUGGEDCOM RST2428P and SCALANCE XCM-/XRM-/XCH-/XRH-300 family devices per Siemens ProductCERT guidance
  • For SCALANCE XC-300/XR-300/XC-400/XR-500WG/XR-500 family devices, consult Siemens ProductCERT advisory SSA-355557 for specific configuration guidance and patch availability
  • Implement network segmentation to limit exposure of affected industrial control system devices
  • Monitor for anomalous local access attempts on systems running affected SINEC OS versions
  • Review and apply CISA ICS recommended practices for defense-in-depth strategies
  • Audit custom kernel modules for the same pattern: every function that hands an skb to a deferred transmit routine which calls dev_put() on skb->dev must take the matching dev_hold() before queueing, and holds and puts must pair one-to-one, to prevent similar use-after-free conditions
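The reference-count imbalance described in the technical summary, and the hold/put pairing that the last recommendation asks module authors to check, as an added user-space model. This is not the aoe driver's code and not Siemens's; the names net_device, sk_buff, dev_hold(), dev_put(), aoenet_xmit() and tx() are borrowed from the kernel and re-implemented as deliberately simple stand-ins that count references in a plain integer and mark the device freed when the count reaches zero. The six callers, the unregistration step and the packet counts are constructed for illustration; the "pre-fix" scenario reproduces the negative count the page describes, the "fixed" scenario reproduces the balanced accounting the upstream fix restores.

```c
/*
 * Added example: a user-space model of the skb->dev reference accounting
 * behind CVE-2024-49982. NOT the Linux aoe driver's code; kernel names are
 * borrowed and re-implemented as simplified stand-ins (assumptions).
 */
#include <stdio.h>
#include <stdlib.h>

struct net_device {
    int refcnt;   /* stands in for the kernel's per-netdev reference count */
    int freed;    /* set once the last reference is dropped (model only) */
};

struct sk_buff {
    struct net_device *dev;  /* skb->dev: the interface this packet goes out on */
    struct sk_buff *next;    /* singly linked transmit queue */
};

static void dev_hold(struct net_device *dev) { dev->refcnt++; }

/* Model: the device counts as freed the moment the count hits zero. The real
 * kernel frees later (netdev_run_todo), but the error is the same: a drop
 * that no hold balanced. */
static void dev_put(struct net_device *dev)
{
    if (--dev->refcnt == 0)
        dev->freed = 1;
}

static struct sk_buff *txq;  /* queue that aoenet_xmit() feeds and tx() drains */

static void aoenet_xmit(struct sk_buff *skb)
{
    skb->next = txq;
    txq = skb;
}

/* tx(): since the CVE-2023-6270 fix (f98364e92662) this side drops one
 * reference per packet sent. Returns how many packets went out on a device
 * the model had already freed, i.e. use-after-free events. */
static int tx(void)
{
    int uaf = 0;

    while (txq) {
        struct sk_buff *skb = txq;
        txq = skb->next;
        if (skb->dev->freed)
            uaf++;            /* dev_queue_xmit() would now read freed memory */
        dev_put(skb->dev);
        free(skb);
    }
    return uaf;
}

/* One caller queueing a packet. takes_hold selects fixed (1) or pre-fix (0)
 * behaviour: the CVE fix adds exactly this dev_hold() before aoenet_xmit(). */
static void aoe_queue_packet(struct net_device *dev, int takes_hold)
{
    struct sk_buff *skb = calloc(1, sizeof(*skb));

    if (!skb)
        abort();
    skb->dev = dev;
    if (takes_hold)
        dev_hold(dev);
    aoenet_xmit(skb);
}

struct result {
    int refcnt_after;  /* device refcount after tx() drained the queue */
    int uaf_packets;   /* packets transmitted after the device was freed */
};

/* Constructed scenario: aoecmd_cfg_pkts() (always holds, per the earlier fix)
 * plus the five other callers named in the CVE, which hold only when
 * others_hold is set. The device's own reference then goes away
 * (unregistration) and the tx side runs. */
static struct result simulate(int others_hold)
{
    struct net_device *dev = calloc(1, sizeof(*dev));
    struct result r;

    if (!dev)
        abort();
    dev->refcnt = 1;                        /* the device's own reference */
    aoe_queue_packet(dev, 1);               /* aoecmd_cfg_pkts() */
    for (int i = 0; i < 5; i++)             /* revalidate(), aoecmd_ata_rw(), */
        aoe_queue_packet(dev, others_hold); /* resend(), probe(), aoecmd_cfg_rsp() */
    dev_put(dev);                           /* interface unregistered */
    r.uaf_packets = tx();
    r.refcnt_after = dev->refcnt;
    free(dev);
    return r;
}

/* Balanced accounting: no use-after-free and the count ends exactly at zero. */
static int accounting_balanced(struct result r)
{
    return r.uaf_packets == 0 && r.refcnt_after == 0;
}

int main(void)
{
    struct result before = simulate(0), after = simulate(1);

    printf("pre-fix: refcnt=%d uaf_packets=%d balanced=%d\n",
           before.refcnt_after, before.uaf_packets, accounting_balanced(before));
    printf("fixed  : refcnt=%d uaf_packets=%d balanced=%d\n",
           after.refcnt_after, after.uaf_packets, accounting_balanced(after));
    return 0;
}
```

In the pre-fix run the single hold from aoecmd_cfg_pkts() is consumed by the first packet tx() sends, the next five puts drive the count to -5, and each of those five packets is transmitted on a device the model has already freed; in the fixed run the six holds and six puts cancel, the count ends at zero, and the device is released only after the last queued packet is gone. The same one-hold-per-queued-skb rule is what to look for when auditing a module that defers transmission.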

Evidence notes

The kernel CVE record describes this as a follow-on fix to CVE-2023-6270, addressing additional use-after-free paths in the AoE driver found by Nicolai Stange. The root cause is the combination of dev_put() having been moved into tx() and the absence of matching dev_hold() calls in the other functions that use aoenet_xmit() to queue packets for transmission. Siemens ProductCERT advisory SSA-355557 (republished by CISA as ICSA-25-226-07) confirms that affected products include RUGGEDCOM RST2428P and SCALANCE X-family switches running SINEC OS. The CVSS vector AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H indicates a local attack vector, low attack complexity and low privileges required, with no user interaction, an unchanged scope, and high confidentiality, integrity and availability impact.
