PatchSiren cyber security CVE debrief
CVE-2024-5535 Siemens CVE debrief
CVE-2024-5535 is a medium-severity issue in Siemens SIDIS Prime tied to direct use of OpenSSL’s SSL_select_next_proto with an empty supported client protocols buffer. According to the advisory, that can lead to a buffer overread, a crash, or disclosure of up to 255 bytes of memory to the peer. The advisory says the vulnerable scenario usually comes from a configuration or programming error rather than normal attacker control.
- Vendor: Siemens
- Product: SIDIS Prime
- CVSS: MEDIUM 5.9
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2025-02-11
- Original CVE updated: 2025-05-06
- Advisory published: 2025-02-11
- Advisory updated: 2025-05-06
Who should care
Siemens SIDIS Prime operators, OT security teams, and application developers who directly use OpenSSL TLS negotiation callbacks or APIs, especially where ALPN or the older NPN path is configured.
Technical summary
The advisory says SSL_select_next_proto expects protocol lists from the server and client and is intended to select the first overlapping protocol. If it is called with a zero-length client protocol list, it fails to recognize that condition and can return memory immediately following the client list pointer. In the described impact, that can produce a crash or expose private memory to the peer. The advisory notes that ALPN is generally protected by libssl’s handling of the client list, while NPN is older, deprecated, and more likely to be involved if applications call the API incorrectly. The source also states that the issue is low severity overall because it typically requires a configuration or programming error and is not usually attacker-controlled. The advisory further states that the OpenSSL FIPS modules in 3.3, 3.2, 3.1, and 3.0 are not affected.
Defensive priority
Medium for affected deployments: prioritize if your codebase directly calls SSL_select_next_proto or if Siemens SIDIS Prime is deployed with custom TLS negotiation logic that could pass an empty protocol list.
Recommended defensive actions
- Update Siemens SIDIS Prime to V4.0.700 or later, as specified in the advisory.
- Review any direct use of SSL_select_next_proto and confirm zero-length protocol lists cannot be passed.
- Audit ALPN/NPN callback code for incorrect client/server parameter ordering and empty-list handling.
- Validate TLS negotiation configurations so a 'no overlap' result is handled safely and does not continue with invalid output.
- Monitor for unexpected crashes or abnormal TLS handshake behavior in affected systems.
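The technical summary above describes the failure mode (a zero-length client list that the selector does not recognise, so the returned pointer lands past the end of the buffer) and the defensive actions ask for the two checks that prevent it: reject empty or malformed protocol lists before selection, and treat "no overlap" as an explicit result rather than continuing with invalid output. The following added example, which is not code from the advisory, from Siemens or from OpenSSL, implements a stand-alone protocol selector over the TLS wire format (a sequence of one-byte length prefixes followed by the protocol name) that does exactly that. It does not link against OpenSSL; the result codes, function names and sample lists are constructed for this example. In a real ALPN or NPN callback the same validation would run on both lists before any call to SSL_select_next_proto, and a non-selected result would map to the callback's no-acknowledge return.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Result codes for this example's selector (constructed; not OpenSSL's own values). */
enum proto_select_result {
    PROTO_SELECTED = 0,     /* *out / *outlen point at the chosen name inside the server list */
    PROTO_NO_OVERLAP = 1,   /* both lists valid, but they share no protocol */
    PROTO_INVALID_LIST = 2  /* a list is empty, NULL, or its length prefixes do not fit the buffer */
};

#define LIST_LEN(a) ((unsigned int)sizeof(a))

/* Constructed sample lists in wire format: <len><name><len><name>... */
static const unsigned char SERVER_LIST[] = { 2, 'h', '2', 8, 'h', 't', 't', 'p', '/', '1', '.', '1' };
static const unsigned char CLIENT_OK[]   = { 8, 'h', 't', 't', 'p', '/', '1', '.', '1' };
static const unsigned char CLIENT_BAD[]  = { 5, 'h', '2' };  /* prefix claims 5 bytes, only 2 follow */

/* A list is valid only if it is non-empty and its entries exactly fill the buffer.
 * Rejecting len == 0 here is the check the advisory says the vulnerable path lacks. */
static int proto_list_is_valid(const unsigned char *list, unsigned int len)
{
    unsigned int i = 0;
    if (list == NULL || len == 0)
        return 0;
    while (i < len) {
        unsigned int n = list[i];
        if (n == 0 || i + 1 + n > len)   /* empty name or prefix overrunning the buffer */
            return 0;
        i += 1 + n;
    }
    return 1;
}

/* Pick the first server-preferred protocol that also appears in the client list.
 * Every pointer written to *out stays inside the validated server buffer, and
 * "nothing in common" is reported explicitly instead of yielding a bogus pointer. */
int select_protocol_safe(const unsigned char **out, unsigned char *outlen,
                         const unsigned char *server, unsigned int server_len,
                         const unsigned char *client, unsigned int client_len)
{
    *out = NULL;
    *outlen = 0;
    if (!proto_list_is_valid(server, server_len) || !proto_list_is_valid(client, client_len))
        return PROTO_INVALID_LIST;

    for (unsigned int i = 0; i < server_len; ) {
        unsigned int sn = server[i];
        const unsigned char *sname = server + i + 1;
        for (unsigned int j = 0; j < client_len; ) {
            unsigned int cn = client[j];
            if (cn == sn && memcmp(sname, client + j + 1, sn) == 0) {
                *out = sname;
                *outlen = (unsigned char)sn;
                return PROTO_SELECTED;
            }
            j += 1 + cn;
        }
        i += 1 + sn;
    }
    return PROTO_NO_OVERLAP;
}

int main(void)
{
    const unsigned char *out;
    unsigned char outlen;
    int rc;

    rc = select_protocol_safe(&out, &outlen, SERVER_LIST, LIST_LEN(SERVER_LIST),
                              CLIENT_OK, LIST_LEN(CLIENT_OK));
    if (rc == PROTO_SELECTED)
        printf("selected: %.*s\n", (int)outlen, out);

    /* The advisory's scenario: a zero-length client list is refused up front. */
    rc = select_protocol_safe(&out, &outlen, SERVER_LIST, LIST_LEN(SERVER_LIST), CLIENT_OK, 0);
    printf("empty client list -> rc=%d, out=%p\n", rc, (const void *)out);

    /* A malformed prefix is refused before any comparison reads past the buffer. */
    rc = select_protocol_safe(&out, &outlen, SERVER_LIST, LIST_LEN(SERVER_LIST),
                              CLIENT_BAD, LIST_LEN(CLIENT_BAD));
    printf("malformed client list -> rc=%d\n", rc);
    return 0;
}
```

The audit step from the actions list maps onto the argument order here: the server's preference list comes first and the client's offered list second, and swapping them silently changes which side's preference wins while still compiling. A wrapper with this signature, called from the ALPN or NPN callback, makes the empty-list and no-overlap cases impossible to ignore because both come back as distinct return values with `*out` left NULL.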
Evidence notes
Based on the CISA CSAF advisory for ICSA-25-100-02 and Siemens product security references. The advisory identifies Siemens SIDIS Prime as the affected product, gives the impact as buffer overread/confidentiality loss/crash, and recommends updating to V4.0.700 or later. The published advisory date is 2025-04-08; the 2025-05-06 modification is recorded as a typo fix.
Official resources
- CVE-2024-5535 CVE record (CVE.org)
- CVE-2024-5535 NVD detail (NVD)
- Source item: CISA CSAF advisory (cisa_csaf)
Publicly disclosed in the Siemens/CISA advisory published on 2025-04-08 and revised on 2025-05-06 for typo corrections. Not listed as a CISA KEV item in the supplied corpus.