PatchSiren cyber security CVE debrief
CVE-2024-56570 Siemens CVE debrief
A vulnerability in the Linux kernel's overlayfs (ovl) subsystem allows directory inodes lacking a lookup function to be processed, causing errors when passed to the lowerstack. The issue was resolved by adding a check to the ovl_dentry_weird() function to filter such invalid inodes. Siemens has identified affected products in its industrial networking portfolio and provided vendor fixes.
- Vendor: Siemens
- Product: RUGGEDCOM RST2428P (6GK6242-6PA00)
- CVSS: MEDIUM 5.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2025-08-12
- Original CVE updated: 2026-02-25
- Advisory published: 2025-08-12
- Advisory updated: 2026-02-25
Who should care
Organizations operating Siemens industrial networking equipment including RUGGEDCOM RST2428P switches and SCALANCE XC/XR/XCM/XRM/XCH/XRH families, particularly in critical infrastructure and OT environments where Linux-based embedded systems are deployed.
Technical summary
The vulnerability exists in the Linux kernel's overlay filesystem (overlayfs) implementation. The ovl_dentry_weird() function failed to validate that directory inodes possess a lookup function before processing. Directory inodes without this function, when passed to the lowerstack, cause operational errors. The fix adds an explicit check to filter such invalid inodes, preventing their propagation through the overlayfs stack. This is a defensive validation improvement with availability impact (CVSS 3.1: 5.5 MEDIUM).
Defensive priority
medium
Recommended defensive actions
- Apply vendor-provided updates to affected Siemens industrial networking products: update RUGGEDCOM RST2428P and SCALANCE XCM-/XRM-/XCH-/XRH-300 family to V3.2 or later
- For SCALANCE XC-300/XR-300/XC-400/XR-500WG/XR-500 family, consult Siemens ProductCERT advisory SSA-355557 for specific configuration guidance and update instructions
- Review kernel overlayfs configurations in affected systems to ensure proper inode validation
- Monitor Siemens ProductCERT and CISA ICS advisories for additional updates or clarifications to affected product configurations
Evidence notes
The vulnerability description indicates a kernel-level fix in overlayfs to prevent processing of directory inodes without lookup functions. Siemens ProductCERT advisory SSA-355557 (referenced via CISA ICSA-25-226-07) confirms affected products and remediation guidance. CVSS 3.1 vector AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H indicates local attack vector with low attack complexity, requiring low privileges, resulting in high availability impact.
Official resources
- CVE-2024-56570 CVE record (CVE.org)
- CVE-2024-56570 NVD detail (NVD)
- Source item URL: cisa_csaf