PatchSiren

CVE-2024-53171 Siemens CVE debrief

This CVE addresses a use-after-free vulnerability in the UBIFS (Unsorted Block Image File System) authentication subsystem within the Linux kernel. The flaw occurs during TNC (Tree Node Cache) operations where tree structure changes after node insertion can lead to stale parent pointer references. Specifically, when the tree splits during insertion, a node's `znode->parent` may change, but its `znode->cparent` (commit parent) pointer may not be properly updated. Subsequent node deletions can free the memory that `znode->cparent` still references. During the commit phase in `ubifs_tnc_start_commit()` and `ubifs_tnc_end_commit()`, accessing this stale `znode->cparent` in `write_index()` triggers the use-after-free condition.

The vulnerability has a CVSS 3.1 score of 5.5 (MEDIUM severity) with local attack vector, low attack complexity, and low privileges required, resulting in high availability impact. Siemens has identified affected products in their industrial networking equipment lines including RUGGEDCOM RST2428P and SCALANCE families running SINEC OS.

CISA published this advisory on August 12, 2025, with subsequent updates through February 25, 2026, including corrections to affected product lists and advisory republication based on Siemens ProductCERT updates.

Vendor: Siemens
Product: RUGGEDCOM RST2428P (6GK6242-6PA00)
CVSS: MEDIUM 5.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2025-08-12
Original CVE updated: 2026-02-25
Advisory published: 2025-08-12
Advisory updated: 2026-02-25

Who should care

Organizations operating Siemens industrial networking infrastructure including RUGGEDCOM RST2428P switches and SCALANCE XC/XR/XCM/XRM/XCH/XRH family devices in manufacturing, energy, transportation, and critical infrastructure sectors where SINEC OS-based systems are deployed.

Technical summary

The vulnerability exists in UBIFS (Unsorted Block Image File System) TNC (Tree Node Cache) handling during authentication-enabled operations. When the B+ tree structure splits after node insertion, `znode->parent` pointers are updated but `znode->cparent` (commit parent) pointers may retain stale references. If subsequent deletions free the referenced memory, the commit phase functions `ubifs_tnc_start_commit()` and `ubifs_tnc_end_commit()` will access freed memory through `write_index()`, causing kernel memory corruption and potential denial of service. The local attack vector requires authenticated access to trigger the specific UBIFS operations sequence.
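
The pointer sequence described above, as a simplified userspace model added here for illustration (not kernel code and not the upstream fix). The struct layout, function names and the `refresh` switch are assumptions, and freeing is modelled with a flag so no released memory is ever touched.

```c
#include <stdbool.h>
#include <stddef.h>

/* Simplified userspace stand-in for a TNC znode (hypothetical layout). */
struct znode {
    struct znode *parent;   /* live parent, rewritten when the tree splits */
    struct znode *cparent;  /* parent recorded for the commit writer */
    bool freed;             /* models kfree(); nothing is really released */
};

/* Insertion that splits the tree: only ->parent is updated, ->cparent goes stale. */
static void split_move(struct znode *child, struct znode *new_parent)
{
    child->parent = new_parent;
}

/* Deletion that empties and frees an index node. */
static void delete_node(struct znode *z)
{
    z->freed = true;
}

/* Models the commit writer: counts queued znodes whose cparent is freed.
 * With refresh set, cparent is first re-read from the live parent. */
static int commit_stale_refs(struct znode **queue, size_t n, bool refresh)
{
    int stale = 0;
    for (size_t i = 0; i < n; i++) {
        struct znode *z = queue[i];
        if (refresh)
            z->cparent = z->parent;
        if (z->cparent && z->cparent->freed)
            stale++;        /* the kernel would read freed memory here */
    }
    return stale;
}

/* Constructed scenario: insert with split, then delete, then commit. */
static int run_scenario(bool refresh)
{
    struct znode old_parent = {0}, new_parent = {0};
    struct znode child = { .parent = &old_parent, .cparent = &old_parent };
    struct znode *queue[] = { &child, &new_parent };
    split_move(&child, &new_parent);
    delete_node(&old_parent);
    return commit_stale_refs(queue, 2, refresh);
}

int main(void) { return run_scenario(true); } /* exits 0: no stale reference */
```

Without the refresh the model reports one stale reference for the moved child. With it, the commit writer only ever follows pointers into live nodes.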

Defensive priority

medium

Recommended defensive actions

  • Apply vendor-provided firmware updates to V3.2 or later for affected RUGGEDCOM RST2428P and SCALANCE XCM-/XRM-/XCH-/XRH-300 family devices per Siemens ProductCERT guidance
  • For SCALANCE XC-300/XR-300/XC-400/XR-500WG/XR-500 family devices, consult Siemens ProductCERT SSA-355557 for specific configuration and patch guidance
  • Implement network segmentation for industrial control systems to limit local attack vector exposure
  • Monitor for anomalous system behavior or unexpected reboots on affected UBIFS-enabled devices that could indicate exploitation attempts
  • Review and apply CISA ICS recommended practices for defense-in-depth strategies
  • Validate file system integrity on UBIFS volumes after system maintenance or unexpected shutdowns

Evidence notes

Vulnerability description sourced from CISA CSAF advisory ICSA-25-226-07. Affected products confirmed through Siemens ProductCERT SSA-355557. CVSS vector AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H indicates local attack with availability impact. Remediation guidance specifies update to V3.2 or later for RUGGEDCOM and SCALANCE XCM-/XRM-/XCH-/XRH-300 families.
