PatchSiren

PatchSiren cyber security CVE debrief

CVE-2024-53042 Siemens CVE debrief

A Linux kernel bug in the IPv4 IP tunnel subsystem: `ip_tunnel_init_flow()` calls an RCU lookup helper without holding the RCU read lock, which triggers a suspicious RCU usage warning on kernels built with RCU/lock debugging. The warning fires because the helper walks RCU-protected lists from a code path that is not an RCU reader section. The fix replaces `l3mdev_master_upper_ifindex_by_index_rcu()` with `l3mdev_master_upper_ifindex_by_index()`, which takes the RCU read lock itself. The affected product here is the Siemens SIMATIC S7-1500 TM MFP, whose GNU/Linux subsystem runs the vulnerable kernel code.

Vendor
Siemens
Product
SIMATIC S7-1500 TM MFP - GNU/Linux subsystem
CVSS
MEDIUM 5.5
CISA KEV
Not listed in stored evidence
Original CVE published
2024-04-09
Original CVE updated
2026-05-14
Advisory published
2024-04-09
Advisory updated
2026-05-14

Who should care

Organizations operating Siemens SIMATIC S7-1500 TM MFP industrial control systems with the GNU/Linux subsystem enabled; OT security teams managing Linux-based industrial devices; kernel maintainers and network stack developers

Technical summary

The vulnerability exists in `ip_tunnel_init_flow()` within the Linux kernel's IPv4 IP tunnel implementation. The function calls `l3mdev_master_upper_ifindex_by_index_rcu()`, whose `_rcu` suffix is a contract that the caller already holds the RCU read lock, from a path that holds only `rtnl_mutex`. The helper resolves the output interface to its L3 master device by walking RCU-protected net_device lists, so with CONFIG_PROVE_RCU (lockdep) enabled the walk trips the "RCU-list traversed in non-reader section" check. The resolution substitutes `l3mdev_master_upper_ifindex_by_index()`, which wraps the same lookup in `rcu_read_lock()`/`rcu_read_unlock()` itself and is therefore correct from any calling context. Because the calling path holds `rtnl_mutex`, and the structures the helper walks are modified only with RTNL held, the lists cannot change underneath the traversal in practice; the fix restores the RCU locking convention and silences the lockdep splat rather than closing a demonstrated use-after-free, which is consistent with the medium severity.
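To make the locking convention concrete, here is an added user-space model of the before/after shape of `ip_tunnel_init_flow()`. It is not kernel code and not taken from the Siemens advisory or the upstream fix: everything prefixed `model_`, the three-entry device table, and the lockdep-style check inside the `_rcu` helper are assumptions for illustration. What it shows is why holding `rtnl_mutex` does not satisfy the `_rcu` contract, and why the unsuffixed wrapper is safe from any caller.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Models lockdep's view of the RCU read-side critical section (rcu_read_lock_held()). */
static int model_rcu_read_depth;
/* Models the caller holding rtnl_mutex, as the reported splat shows. */
static bool model_rtnl_held;
/* Count of "suspicious RCU usage" warnings the model has emitted. */
static int model_rcu_warnings;

static void model_rcu_read_lock(void)      { model_rcu_read_depth++; }
static void model_rcu_read_unlock(void)    { model_rcu_read_depth--; }
static bool model_rcu_read_lock_held(void) { return model_rcu_read_depth > 0; }

/* Constructed stand-in for the per-netns device list: ifindex -> L3 master ifindex (0 = none). */
struct model_netdev { int ifindex; int master_ifindex; };
static const struct model_netdev model_devs[] = {
    {  1,  0 },   /* plain device, no L3 master */
    {  2, 10 },   /* tunnel device enslaved to the VRF below */
    { 10,  0 },   /* the VRF (L3 master) itself */
};

/* Models l3mdev_master_upper_ifindex_by_index_rcu(): the _rcu suffix is a
 * contract that the caller already holds rcu_read_lock(). The check mirrors
 * what CONFIG_PROVE_RCU does before an RCU list walk; holding rtnl_mutex
 * does not satisfy it, which is exactly the splat in the report. */
static int model_master_upper_ifindex_by_index_rcu(int ifindex)
{
    if (!model_rcu_read_lock_held()) {
        model_rcu_warnings++;
        fprintf(stderr, "WARNING: suspicious RCU usage: RCU-list traversed "
                        "in non-reader section! (rtnl_mutex held: %s)\n",
                model_rtnl_held ? "yes" : "no");
    }
    for (size_t i = 0; i < sizeof(model_devs) / sizeof(model_devs[0]); i++)
        if (model_devs[i].ifindex == ifindex)
            return model_devs[i].master_ifindex;
    return 0;
}

/* Models l3mdev_master_upper_ifindex_by_index(): the unsuffixed wrapper
 * opens its own read-side critical section, so it is correct from any context. */
static int model_master_upper_ifindex_by_index(int ifindex)
{
    int master;

    model_rcu_read_lock();
    master = model_master_upper_ifindex_by_index_rcu(ifindex);
    model_rcu_read_unlock();
    return master;
}

/* Pre-fix shape of ip_tunnel_init_flow(): resolves the L3 master of the
 * output interface (the only part of the real function modelled here)
 * while holding rtnl_mutex but not the RCU read lock. */
static int model_init_flow_before_fix(int oif)
{
    int master;

    model_rtnl_held = true;
    master = model_master_upper_ifindex_by_index_rcu(oif);
    model_rtnl_held = false;
    return master;
}

/* Post-fix shape: identical result, obtained through the self-locking wrapper. */
static int model_init_flow_after_fix(int oif)
{
    int master;

    model_rtnl_held = true;
    master = model_master_upper_ifindex_by_index(oif);
    model_rtnl_held = false;
    return master;
}

/* Runs one init_flow variant and returns how many RCU warnings it produced. */
static int model_warnings_from(int (*init_flow)(int), int oif)
{
    int before = model_rcu_warnings;

    init_flow(oif);
    return model_rcu_warnings - before;
}

int main(void)
{
    int warned;

    warned = model_warnings_from(model_init_flow_before_fix, 2);
    printf("before fix: master of ifindex 2 = %d, warnings = %d\n",
           model_init_flow_before_fix(2), warned);
    warned = model_warnings_from(model_init_flow_after_fix, 2);
    printf("after  fix: master of ifindex 2 = %d, warnings = %d\n",
           model_init_flow_after_fix(2), warned);
    return 0;
}
```

Both paths return the same master index; the only observable difference is the warning, which is the point of the advisory: the data was not corrupted in the reported case, the lock contract was. In a real kernel the warning text goes to the ring buffer and is visible only when CONFIG_PROVE_RCU or equivalent lock debugging is compiled in.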

Defensive priority

medium

Recommended defensive actions

  • Apply kernel updates from Siemens when available per advisory guidance
  • Restrict interactive shell access to the GNU/Linux subsystem to trusted personnel only
  • Build and run applications only from trusted sources
  • Monitor for anomalous network tunnel behavior or kernel warnings; note that the suspicious RCU usage splat only appears on kernels built with CONFIG_PROVE_RCU or similar lock debugging, so its absence on a production device is not evidence that the fix is present
  • Review CISA ICS recommended practices for defense-in-depth strategies

Evidence notes

The vulnerability was resolved in the Linux kernel by modifying `ip_tunnel_init_flow()` to use the unsuffixed variant of the lookup helper, which acquires and releases the RCU read lock internally. The reported warning came from kernel version 6.12.0-rc3 with lock debugging enabled: an RCU-list traversal in a non-reader section at net/core/dev.c:876, with rtnl_mutex held by the calling path.

Official resources

2024-04-09