PatchSiren

PatchSiren cyber security CVE debrief

CVE-2024-50033 Siemens CVE debrief

CVE-2024-50033 is a HIGH-severity vulnerability (CVSS 7.1) in the Linux kernel's SLIP/PPP header compression code. The flaw exists in `slhc_remember()` within `drivers/net/slip/slhc.c`, which performed insufficient validation on incoming packets. The function only verified that a packet was at least 20 bytes long (the minimum IPv4 header size) and never checked that the IPv4 header length (IHL) and the TCP header that is supposed to follow it actually fit inside the received data. A crafted packet that passed the length check therefore caused the subsequent header copies to read past the end of the received bytes into uninitialized memory, as detected by syzbot with KMSAN. The vulnerability was resolved by validating that both the IPv4 and TCP headers are present within the packet, and by introducing `iph` and `th` pointers to improve code readability and robustness. Siemens has identified affected products in its industrial networking portfolio, including RUGGEDCOM RST2428P and SCALANCE switch families, and has issued patches.

Vendor
Siemens
Product
RUGGEDCOM RST2428P (6GK6242-6PA00)
CVSS
HIGH 7.1
CISA KEV
Not listed in stored evidence
Original CVE published
2024-04-09
Original CVE updated
2026-05-14
Advisory published
2024-04-09
Advisory updated
2026-05-14

Who should care

Organizations operating Siemens industrial networking equipment including RUGGEDCOM RST2428P and SCALANCE switch families; system administrators managing Linux-based systems with PPP/SLIP interfaces; OT/ICS security teams responsible for network infrastructure in critical manufacturing, energy, and transportation sectors; and security researchers tracking kernel-level networking vulnerabilities.

Technical summary

The vulnerability resides in the Serial Line Internet Protocol (SLIP) header compression implementation in the Linux kernel. The `slhc_remember()` function, used for Van Jacobson TCP/IP header compression in PPP/SLIP connections, performed inadequate packet validation. It checked only that the packet length was at least 20 bytes (the minimum size of an IPv4 header alone; a minimal IPv4 plus TCP header pair is 40 bytes) and that the IHL field was at least 5. It did not verify that the IPv4 header length declared by IHL, the 20-byte TCP header at `icp + ihl * 4`, or the TCP options sized by the TCP data offset actually lay within the received data. A maliciously crafted packet could therefore pass the length check while lacking the headers the function went on to copy, causing `memcpy()` to read uninitialized memory beyond the end of the received packet when parsing non-existent header fields. The fix adds explicit validation to ensure the packet includes the IPv4 and TCP headers that are expected to be present, and refactors the code with dedicated `iph` and `th` pointers for improved clarity and safety.
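To make the length arithmetic concrete, the following is an added user-space model of the check before and after the fix. It is illustrative code written for this debrief, not the kernel's `slhc.c` and not Siemens code: it parses the IHL and TCP data-offset fields by hand instead of through `struct iphdr`/`struct tcphdr`, renders the hardened sequence as "IPv4 header fits, fixed TCP header fits, TCP options fit" rather than copying the upstream hunk, and the packets are constructed inputs whose bytes past `isize` are poisoned to stand in for uninitialised socket-buffer memory.

```c
/*
 * Added illustration, not the kernel's code: a user-space model of the
 * slhc_remember() length checks before and after the fix. Header fields
 * are parsed by hand (icp[0] & 0xf for IHL, byte 12 of the TCP header
 * >> 4 for the data offset) rather than via struct iphdr/struct tcphdr,
 * and the hardened sequence is this page's rendering of "both headers
 * must fit in isize", not a copy of the upstream patch. Packets are
 * constructed here; bytes past `isize` are poisoned to stand in for
 * uninitialised skb memory.
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IPV4_HDR_MIN  20
#define TCP_HDR_MIN   20
#define PKT_BUF_SIZE 128      /* allocation size, like an skb with tailroom */
#define POISON       0xAA     /* stands in for uninitialised memory */

enum verdict { RUNT = 0, ACCEPT = 1 };

struct pkt {
    uint8_t buf[PKT_BUF_SIZE];
    int     isize;            /* bytes that actually arrived on the link */
};

/* Build a packet that claims `ihl`/`doff` header words but delivers only
 * `isize` bytes. The doff byte is attacker-controlled only if it lies
 * inside isize; otherwise it stays POISON, as it would in a real skb. */
static void make_pkt(struct pkt *p, unsigned ihl, unsigned doff, int isize)
{
    memset(p->buf, POISON, sizeof p->buf);
    p->isize  = isize;
    p->buf[0] = (uint8_t)(0x40 | (ihl & 0xf));   /* version 4, IHL */
    p->buf[9] = 6;                               /* protocol = TCP */
    if ((int)(ihl * 4 + 12) < isize)
        p->buf[ihl * 4 + 12] = (uint8_t)((doff & 0xf) << 4);
}

/* Pre-fix logic: only `isize >= 20` and `ihl >= 5` were checked, then 20
 * bytes of IP header, 20 bytes of TCP header at icp + ihl*4 and the
 * option tails were memcpy()'d, trusting ihl and doff against nothing.
 * Returns the exclusive end offset those copies touch, or -1 for a runt. */
static int old_read_extent(const struct pkt *p)
{
    if (p->isize < IPV4_HDR_MIN)
        return -1;
    unsigned ihl = p->buf[0] & 0xf;
    if (ihl < IPV4_HDR_MIN / 4)
        return -1;
    unsigned tcp_off = ihl * 4;
    unsigned doff = p->buf[tcp_off + 12] >> 4;   /* may sit past isize */
    unsigned tcp_len = doff > 5 ? doff * 4 : TCP_HDR_MIN;
    return (int)(tcp_off + tcp_len);
}

/* Hardened logic: the IPv4 header, then the fixed TCP header, then the
 * TCP options must each fit inside isize before their bytes are trusted. */
static enum verdict new_check(const struct pkt *p)
{
    if (p->isize < IPV4_HDR_MIN)
        return RUNT;
    unsigned ihl = p->buf[0] & 0xf;
    if (ihl < IPV4_HDR_MIN / 4 || (int)(ihl * 4) > p->isize)
        return RUNT;                              /* IP options overrun */
    unsigned tcp_off = ihl * 4;
    if ((int)(tcp_off + TCP_HDR_MIN) > p->isize)
        return RUNT;                              /* no room for TCP header */
    unsigned doff = p->buf[tcp_off + 12] >> 4;   /* now known to be inside isize */
    if (doff < TCP_HDR_MIN / 4 || (int)(tcp_off + doff * 4) > p->isize)
        return RUNT;                              /* TCP options overrun */
    return ACCEPT;
}

/* 1 if the pre-fix code would read past the received bytes, else 0. */
int old_overreads(unsigned ihl, unsigned doff, int isize)
{
    struct pkt p;
    make_pkt(&p, ihl, doff, isize);
    return old_read_extent(&p) > p.isize;
}

/* Verdict of the hardened check for the same constructed packet. */
int new_verdict(unsigned ihl, unsigned doff, int isize)
{
    struct pkt p;
    make_pkt(&p, ihl, doff, isize);
    return new_check(&p);
}

int main(void)
{
    struct { unsigned ihl, doff; int isize; const char *what; } cases[] = {
        {  5, 5, 20, "20-byte packet: IP header only, TCP header never arrived" },
        { 15, 5, 40, "IHL=15 (60-byte IP header) but only 40 bytes on the wire" },
        {  5, 8, 40, "TCP doff=8 claims 32 bytes, only 20 delivered" },
        {  5, 5, 40, "minimal valid packet (20 + 20)" },
        {  6, 6, 48, "valid packet with one option word in each header" },
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++)
        printf("%-60s old: %s  new: %s\n", cases[i].what,
               old_overreads(cases[i].ihl, cases[i].doff, cases[i].isize)
                   ? "READS PAST END" : "in bounds",
               new_verdict(cases[i].ihl, cases[i].doff, cases[i].isize) == ACCEPT
                   ? "accept" : "runt");
    return 0;
}
```

The first three constructed packets all satisfy the original `isize >= 20` and `ihl >= 5` tests yet make the pre-fix copies run past the received bytes; the hardened sequence rejects each of them as a runt and still accepts both well-formed packets, including one carrying IP and TCP options.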

Defensive priority

HIGH

Recommended defensive actions

  • Apply vendor-provided firmware updates to V3.2 or later for affected Siemens RUGGEDCOM and SCALANCE products
  • For SCALANCE XC-300/XR-300/XC-400/XR-500WG/XR-500 family, consult Siemens ProductCERT advisory SSA-355557 for specific configuration guidance
  • Implement network segmentation to limit exposure of PPP/SLIP interfaces to untrusted networks; the reported call chain enters through PPPoE, so an attacker needs to deliver PPP frames to the interface, which for PPPoE means presence on the same Ethernet segment
  • Monitor for anomalous PPP/PPPoE traffic patterns, such as bursts of runt or malformed frames on PPP links, that may indicate exploitation attempts
  • Apply the principle of least privilege to limit who can attach to or configure PPP/SLIP network interfaces
  • Review and apply CISA ICS recommended practices for defense-in-depth strategies
  • Disable Van Jacobson TCP/IP header compression on PPP/SLIP links where it is not operationally required; `slhc_remember()` is only reached for VJ-compressed links, so a link without VJ compression does not hit the affected code path

Evidence notes

The vulnerability was discovered through syzbot fuzzing with KMSAN (Kernel Memory Sanitizer), which detected uninitialized memory usage in `slhc_remember()` at line 666 of `drivers/net/slip/slhc.c`. The call chain involved PPP/PPPoE processing: `pppoe_rcv_core` → `ppp_input` → `ppp_do_recv` → `ppp_receive_frame` → `ppp_receive_nonmp_frame` → `slhc_remember`. The root cause was that `slhc_remember()` only checked `isize >= 20` (its packet-length argument) without verifying that the IPv4 header declared by IHL and the following TCP header actually fit within those bytes.

Official resources

2025-08-12