PatchSiren cyber security CVE debrief
CVE-2024-50142 Siemens CVE debrief
A validation bypass vulnerability in the Linux kernel's XFRM (IPsec) subsystem allows local attackers to create malformed Security Associations (SAs) that bypass prefix length checks. The flaw occurs when `usersa.sel.family` is set to `AF_UNSPEC`, causing `verify_newsa_info` to skip validation of `prefixlen_s` and `prefixlen_d`. However, `copy_from_user_state` later sets `x->sel.family` to `usersa.family` (e.g., `AF_INET`), meaning the unchecked prefix lengths are subsequently used with a concrete address family. This inconsistency could lead to out-of-bounds memory access or kernel crashes when processing IPsec traffic. The vulnerability was discovered by syzbot and affects systems where untrusted users can configure XFRM SAs, including the GNU/Linux subsystem of Siemens SIMATIC S7-1500 TM MFP industrial controllers.
- Vendor: Siemens
- Product: SIMATIC S7-1500 TM MFP - GNU/Linux subsystem
- CVSS: MEDIUM 5.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2024-04-09
- Original CVE updated: 2026-05-14
- Advisory published: 2024-04-09
- Advisory updated: 2026-05-14
Who should care
System administrators managing Linux-based industrial control systems, security teams responsible for IPsec/VPN infrastructure, operators of Siemens SIMATIC S7-1500 TM MFP controllers, and organizations with embedded Linux systems where untrusted users may have access to XFRM configuration interfaces.
Technical summary
The XFRM framework in the Linux kernel fails to validate Security Association prefix lengths when the selector family is `AF_UNSPEC`. An attacker can set `usersa.sel.family = AF_UNSPEC` with an invalid `prefixlen_s` value (e.g., 128 for IPv4), while setting `usersa.family = AF_INET`. The validation routine `verify_newsa_info` skips prefix length checks due to the unspecified selector family, but the subsequent `copy_from_user_state` assigns the concrete family, resulting in use of an invalid prefix length. The fix ensures `verify_newsa_info` performs the same family conversion before validation, maintaining consistency with downstream processing.
Defensive priority
medium
Recommended defensive actions
- Apply kernel updates containing the fix for CVE-2024-50142 when available from your Linux distribution or device vendor
- For Siemens SIMATIC S7-1500 TM MFP systems, limit access to the interactive shell of the GNU/Linux subsystem to trusted personnel only
- Only build and run applications from trusted sources on affected systems
- Monitor for anomalous IPsec/XFRM configuration attempts in system logs
- Review and restrict capabilities and permissions for users who can configure IPsec policies
- Consider network segmentation to limit exposure of industrial control systems that cannot be immediately patched
Evidence notes
The vulnerability description indicates this is a logic error in kernel input validation. The fix expands upon commit 07bf7908950a by performing the same family conversion in `verify_newsa_info` before validating prefix lengths, ensuring consistency with how `copy_from_user_state` handles the selector family. The CVSS 3.1 vector (AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H) confirms local attack vector with low complexity, requiring low privileges, with high availability impact but no confidentiality or integrity impact.
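The ordering problem described in the technical summary and evidence notes above, shown as an added, simplified model written for this debrief (it is not the kernel's code, and the struct and function names below are stand-ins for the real `verify_newsa_info` and `copy_from_user_state`): the pre-fix check treats an `AF_UNSPEC` selector as having nothing to validate, while the fixed check first applies the same family conversion the later copy step performs and only then compares the prefix lengths against that family's bound.

```c
/* Added example, not kernel code: a simplified model of the XFRM selector
 * prefix-length check behind CVE-2024-50142 and of the fix. The struct and
 * function names are assumptions made for this illustration. */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <sys/socket.h>

/* Constructed, trimmed-down stand-in for the userspace SA message fields
 * that matter here: the SA's address family and its traffic selector. */
struct usersa_model {
    uint16_t family;       /* usersa.family, e.g. AF_INET */
    uint16_t sel_family;   /* usersa.sel.family, may be AF_UNSPEC */
    uint8_t  prefixlen_s;  /* usersa.sel.prefixlen_s */
    uint8_t  prefixlen_d;  /* usersa.sel.prefixlen_d */
};

/* Largest valid prefix length for a concrete family; -1 if unknown. */
static int max_prefixlen(uint16_t family)
{
    switch (family) {
    case AF_INET:  return 32;
    case AF_INET6: return 128;
    default:       return -1;
    }
}

/* Bound check for both selector prefix lengths; 0 on success, -EINVAL otherwise. */
static int check_prefixlens(uint16_t family, uint8_t ps, uint8_t pd)
{
    int max = max_prefixlen(family);
    if (max < 0)
        return -EINVAL;
    if (ps > max || pd > max)
        return -EINVAL;
    return 0;
}

/* Pre-fix ordering: an AF_UNSPEC selector is treated as "nothing to
 * validate", so the prefix lengths are never compared against any bound.
 * Returns 0 when the SA would be accepted. */
int verify_newsa_info_vulnerable(const struct usersa_model *sa)
{
    if (sa->sel_family == AF_UNSPEC)
        return 0;                     /* prefix lengths skipped */
    return check_prefixlens(sa->sel_family, sa->prefixlen_s, sa->prefixlen_d);
}

/* What the copy step does afterwards in both versions: an unspecified
 * selector family is replaced by the SA's concrete family. */
static uint16_t effective_sel_family(const struct usersa_model *sa)
{
    return sa->sel_family == AF_UNSPEC ? sa->family : sa->sel_family;
}

/* Fixed ordering: perform the same conversion before validating, so the
 * bound checked is the one the kernel will later use. */
int verify_newsa_info_fixed(const struct usersa_model *sa)
{
    uint16_t fam = effective_sel_family(sa);
    return check_prefixlens(fam, sa->prefixlen_s, sa->prefixlen_d);
}

/* Constructed input matching the advisory's description: an IPv4 SA whose
 * selector family is left unspecified and whose prefix length is 128.
 * Returns 1 when the model reproduces the described behaviour. */
int run_demo(void)
{
    struct usersa_model sa = {
        .family = AF_INET, .sel_family = AF_UNSPEC,
        .prefixlen_s = 128, .prefixlen_d = 32,
    };
    int before = verify_newsa_info_vulnerable(&sa);
    int after  = verify_newsa_info_fixed(&sa);
    printf("vulnerable check: %d (accepted)\n", before);
    printf("fixed check:      %d (%s)\n", after,
           after == -EINVAL ? "rejected" : "accepted");
    return before == 0 && after == -EINVAL;
}

int main(void)
{
    return run_demo() ? 0 : 1;
}
```

Compiling and running this prints that the pre-fix check accepts the malformed SA while the fixed check rejects it with `-EINVAL`; the same two-step structure (resolve the family the rest of the code will use, then validate against it) is the pattern to look for when auditing other input-validation paths that accept an "unspecified" value.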
Official resources
- CVE-2024-50142 CVE record (CVE.org)
- CVE-2024-50142 NVD detail (NVD)
- Source item URL (cisa_csaf)
- Source reference (Reference)
2024-04-09