CVE-2024-56645 Siemens CVE debrief

A reference count underflow vulnerability exists in the Linux kernel's J1939 Controller Area Network (CAN) protocol implementation. The flaw occurs in j1939_session_new() where improper socket buffer (skb) reference counting can lead to a use-after-free condition. Siemens has confirmed this vulnerability affects multiple industrial networking products running SINEC OS, including RUGGEDCOM RST2428P and SCALANCE switch families. The vulnerability requires local access with low privileges and can result in high availability impact through denial of service.

Vendor: Siemens
Product: RUGGEDCOM RST2428P (6GK6242-6PA00)
CVSS: MEDIUM 5.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2025-08-12
Original CVE updated: 2026-02-25
Advisory published: 2025-08-12
Advisory updated: 2026-02-25

Who should care

Organizations operating Siemens industrial networking equipment including RUGGEDCOM RST2428P serial servers and SCALANCE managed switches in critical infrastructure environments, particularly those utilizing CAN bus and J1939 protocol stacks for industrial automation and vehicle network communications.

Technical summary

The vulnerability exists in the Linux kernel's J1939 protocol implementation for Controller Area Network (CAN) communication. The j1939_session_new() function fails to properly increment the socket buffer reference count, creating a mismatch with j1939_session_skb_queue() behavior. This reference count underflow can lead to premature freeing of socket buffers and subsequent use-after-free conditions. The flaw is remediated by adding an explicit skb_get() call to ensure proper reference counting symmetry. The vulnerability is exploitable only with local access and low privileges, limiting attack surface to authenticated users or compromised local processes.
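
The imbalance described above, as an added user-space C model (not kernel or Siemens code). All names (buf, session_new, session_queue, run_model) are hypothetical, and the model assumes the caller drops its own reference while teardown drops one reference per queued buffer.

```c
#include <stdio.h>

/* Constructed model of a refcounted buffer; not the kernel's sk_buff. */
struct buf { int refs; int freed; int underflow; };

static struct buf *buf_get(struct buf *b) { b->refs++; return b; }

static void buf_put(struct buf *b)
{
    if (b->refs <= 0) { b->underflow = 1; return; } /* put on a released buffer */
    if (--b->refs == 0) b->freed = 1;
}

struct session { struct buf *q[4]; int n; };

/* Later buffers: the queue helper takes its own reference. */
static void session_queue(struct session *s, struct buf *b)
{
    if (s->n < 4) s->q[s->n++] = buf_get(b);
}

/* Initial buffer: 'fixed' selects whether the constructor also takes one. */
static void session_new(struct session *s, struct buf *b, int fixed)
{
    s->n = 0;
    s->q[s->n++] = fixed ? buf_get(b) : b;
}

/* Teardown (assumed): one put per queued buffer. */
static void session_destroy(struct session *s)
{
    for (int i = 0; i < s->n; i++) buf_put(s->q[i]);
}

/* Returns 1 if any buffer saw an unbalanced put. */
static int run_model(int fixed)
{
    struct buf first = {1, 0, 0}, next = {1, 0, 0};
    struct session s;
    session_new(&s, &first, fixed);
    session_queue(&s, &next);
    buf_put(&first);            /* caller releases its own reference */
    buf_put(&next);
    session_destroy(&s);        /* unfixed: 'first' is already at zero here */
    return first.underflow || next.underflow;
}

int main(void)
{
    printf("unfixed=%d fixed=%d\n", run_model(0), run_model(1));
    return 0;
}
```

Only the initial buffer underflows in the unfixed run; the buffer added through the queue helper stays balanced, which is the asymmetry the fix removes.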

Defensive priority

medium

Recommended defensive actions

  • Apply vendor-provided firmware updates to V3.2 or later for affected RUGGEDCOM and SCALANCE products per Siemens ProductCERT guidance
  • For SCALANCE XC-300/XR-300/XC-400/XR-500WG/XR-500 family, consult Siemens ProductCERT SSA-355557 for specific configuration guidance
  • Implement network segmentation to limit local access to affected industrial control devices
  • Monitor for anomalous CAN bus traffic patterns that may indicate exploitation attempts
  • Follow CISA ICS recommended practices for defense-in-depth strategies
  • Review and apply Siemens security advisories for SINEC OS-based products on a recurring basis

Evidence notes

CVE published 2025-08-12 per CISA CSAF advisory ICSA-25-226-07. Siemens ProductCERT SSA-355557 provides vendor confirmation and remediation guidance. CVSS 3.1 vector confirms local attack vector with low attack complexity.
