PatchSiren

PatchSiren cyber security CVE debrief

CVE-2024-50035 Siemens CVE debrief

A use-of-uninitialized-value vulnerability exists in the Linux kernel's PPP (Point-to-Point Protocol) asynchronous framing implementation. The flaw occurs in ppp_async_encode() when an empty socket buffer (skb), produced by a zero-length send on a PPPoE socket, is routed across a PPP channel bridge to an asynchronous (serial) PPP channel. An attacker with local access can trigger this condition to make the kernel read uninitialized slab memory, potentially exposing sensitive information or causing system instability. The vulnerability was found by syzbot fuzzing and affects the GNU/Linux subsystem of the Siemens SIMATIC S7-1500 TM MFP industrial control system.

Vendor
Siemens
Product
SIMATIC S7-1500 TM MFP - GNU/Linux subsystem
CVSS
HIGH 7.1
CISA KEV
Not listed in stored evidence
Original CVE published
2024-04-09
Original CVE updated
2026-05-14
Advisory published
2024-04-09
Advisory updated
2026-05-14

Who should care

Industrial control system operators, OT security teams, Siemens SIMATIC S7-1500 TM MFP administrators, Linux kernel maintainers for embedded/ICS environments, and organizations that run PPPoE on Linux-based devices in critical infrastructure.

Technical summary

The vulnerability exists in ppp_async_encode() within drivers/net/ppp/ppp_async.c. When pppoe_sendmsg() is invoked with a zero-size payload, it allocates an skb, puts zero bytes into it and hands it to the PPP stack; because the socket is bridged to an asynchronous PPP channel, the empty skb is passed through ppp_channel_bridge_input() to the async transmit path and on to ppp_async_encode(). The encoder reads the 16-bit PPP protocol field from skb->data without checking skb->len, so on a zero-length skb it consumes bytes that the sender never wrote, i.e. whatever the slab allocator left in the object. The call chain in the KMSAN report is: pppoe_sendmsg() → release_sock() → __release_sock() → sk_backlog_rcv() → pppoe_rcv_core() → ppp_input() → ppp_channel_bridge_input() → ppp_async_send() → ppp_async_push() → ppp_async_encode(). The uninitialized memory is allocated via kmalloc_reserve() → kmem_cache_alloc_node_noprof() in the slab allocator.
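
The defect is easier to see in a user-space model. The following C program is an added illustration, not code from the Linux kernel or from Siemens: struct fake_skb, stale_fill(), empty_skb(), encode_unchecked() and encode_checked() are hypothetical names, the slab object is simulated by pre-filling a malloc'd chunk with a known byte (a real kernel leaves the previous owner's bytes there, which is exactly what KMSAN flagged), and the length guard in encode_checked() is the kind of check one would add, not necessarily the exact upstream fix.

```c
/*
 * Added illustration, not kernel code: a user-space model of the
 * ppp_async_encode() defect. The skb, the allocator and the "stale"
 * slab contents are simulated; all names below are hypothetical.
 */
#include <stdint.h>
#include <stddef.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

#define PPP_LCP 0xc021   /* PPP protocol number for LCP, as in <linux/ppp_defs.h> */
#define CHUNK   64       /* size of the simulated slab object backing the skb */

/* Minimal stand-in for the two sk_buff fields the encoder uses. */
struct fake_skb {
    unsigned char *data;
    size_t len;
};

/*
 * Simulate kmalloc() returning a slab object that still holds whatever its
 * previous owner wrote. The kernel does not pre-fill it; we fill it with a
 * known pattern so the leak below is deterministic and testable.
 */
static unsigned char *stale_fill(unsigned char pattern)
{
    unsigned char *chunk = malloc(CHUNK);
    if (!chunk)
        abort();
    memset(chunk, pattern, CHUNK);
    return chunk;
}

/*
 * Model of pppoe_sendmsg() with total_len == 0: reserve header room, then
 * skb_put(skb, 0). skb->len stays 0 and skb->data points at bytes that this
 * send never wrote.
 */
static struct fake_skb empty_skb(unsigned char *chunk)
{
    struct fake_skb skb = { chunk + 16, 0 };   /* 16: simulated header reserve */
    return skb;
}

/*
 * Vulnerable shape: read the 16-bit protocol field and the LCP code byte
 * from skb->data without consulting skb->len (the read KMSAN reported).
 */
static int encode_unchecked(const struct fake_skb *skb, uint16_t *proto, int *islcp)
{
    const unsigned char *data = skb->data;
    *proto = (uint16_t)((data[0] << 8) | data[1]);   /* get_unaligned_be16(data) */
    *islcp = (*proto == PPP_LCP && 1 <= data[2] && data[2] <= 7);
    return 0;
}

/*
 * Hardened shape: a frame shorter than the 2-byte protocol field is rejected
 * before any byte is read, and the LCP code byte is only examined when the
 * frame actually contains it.
 */
static int encode_checked(const struct fake_skb *skb, uint16_t *proto, int *islcp)
{
    const unsigned char *data = skb->data;
    if (skb->len < 2)
        return -1;                                   /* treat as -EINVAL */
    *proto = (uint16_t)((data[0] << 8) | data[1]);
    *islcp = (*proto == PPP_LCP && skb->len >= 3 && 1 <= data[2] && data[2] <= 7);
    return 0;
}

/* Run the unchecked encoder over an empty skb; the result is stale memory. */
static uint16_t leaked_proto_from_empty_skb(unsigned char pattern)
{
    unsigned char *chunk = stale_fill(pattern);
    struct fake_skb skb = empty_skb(chunk);
    uint16_t proto = 0;
    int islcp = 0;
    encode_unchecked(&skb, &proto, &islcp);          /* "succeeds" on zero bytes */
    free(chunk);
    return proto;
}

/* Run the checked encoder over an empty skb; it must refuse the frame. */
static int checked_result_for_empty_skb(void)
{
    unsigned char *chunk = stale_fill(0xAB);
    struct fake_skb skb = empty_skb(chunk);
    uint16_t proto = 0;
    int islcp = 0;
    int rc = encode_checked(&skb, &proto, &islcp);
    free(chunk);
    return rc;
}

int main(void)
{
    printf("unchecked encoder on empty skb yields proto=0x%04x (stale bytes)\n",
           (unsigned)leaked_proto_from_empty_skb(0xAB));
    printf("checked encoder on empty skb returns %d\n", checked_result_for_empty_skb());
    return 0;
}
```

Build with `cc -Wall model.c && ./a.out`. The unchecked path returns whatever byte pattern the chunk held, which in the kernel is the content leak KMSAN reported; the checked path fails closed. Note that nothing on the wire is required to reach this state: the trigger is a local zero-length sendmsg() on a PPPoE socket whose channel is bridged to an async PPP channel.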

Defensive priority

HIGH

Recommended defensive actions

  • Restrict interactive shell access to the GNU/Linux subsystem to trusted personnel only
  • Build and run only applications from trusted sources
  • Monitor for anomalous PPPoE activity, bearing in mind that the trigger is a local zero-length send on a PPPoE socket rather than inbound network traffic, so network-level monitoring alone will not reveal exploitation attempts
  • Apply kernel updates when Siemens releases patched firmware for the affected product
  • Implement network segmentation to limit exposure of industrial control system interfaces

Evidence notes

The vulnerability was reported by syzbot and resolved in the Linux kernel. The KMSAN (Kernel Memory Sanitizer) report confirms uninitialized memory access at ppp_async_encode() in drivers/net/ppp/ppp_async.c:545 when pppoe_sendmsg() is called with zero size, resulting in an empty skb being processed. The uninitialized memory originates from slab allocation in sock_wmalloc() during skb allocation.

Official resources

2024-04-09