PatchSiren cyber security CVE debrief
CVE-2024-56672 Siemens CVE debrief
A use-after-free (UAF) vulnerability exists in the Linux kernel's block cgroup (blk-cgroup) subsystem. The flaw occurs in blkcg_unpin_online(), which walks up the blkcg hierarchy to release online pins. The function calls blkcg_parent(blkcg) after blkcg_destroy_blkgs(blkcg), which may have already freed the blkcg structure, resulting in a use-after-free condition. This vulnerability affects Siemens SIMATIC S7-1500 TM MFP devices that utilize the GNU/Linux subsystem. The CVSS 3.1 vector indicates a local attack vector with high attack complexity, requiring low privileges but no user interaction, with high impact to confidentiality, integrity, and availability.
- Vendor: Siemens
- Product: SIMATIC S7-1500 TM MFP - GNU/Linux subsystem
- CVSS: HIGH 7
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2024-04-09
- Original CVE updated: 2026-05-14
- Advisory published: 2024-04-09
- Advisory updated: 2026-05-14
Who should care
Organizations operating Siemens SIMATIC S7-1500 TM MFP industrial control systems with the GNU/Linux subsystem enabled should prioritize this vulnerability. System administrators responsible for OT/ICS environments, security teams managing industrial control infrastructure, and personnel with access to the device's interactive shell are directly affected. Given the high severity rating and potential for privilege escalation or system compromise, this vulnerability warrants immediate attention in critical manufacturing, energy, and process control environments where these devices are deployed. The local attack vector and high complexity reduce but do not eliminate risk, particularly in multi-user or compromised scenarios.
Technical summary
The vulnerability exists in the Linux kernel's block cgroup (blk-cgroup) code, specifically in the blkcg_unpin_online() function. This function is responsible for walking up the blkcg hierarchy and releasing online pins. The defect arises because blkcg_parent(blkcg) is called after blkcg_destroy_blkgs(blkcg), which may free the blkcg structure. This creates a race condition where the parent pointer is accessed after potential deallocation, leading to use-after-free memory corruption. The vulnerability is classified under CWE-416 (Use After Free). The affected code path is triggered during block cgroup teardown operations.
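The ordering problem described above, as an added user-space model (not the kernel's code and not part of the advisory). The `node` type and every function name are hypothetical stand-ins, and the model assumes the destroy step always drops the last reference so the stale read is deterministic.

```c
#include <stdio.h>
/* Constructed model: nodes are only flagged as freed, never released, so the
 * stale access can be counted instead of corrupting memory. */
struct node { struct node *parent; int online_pin; int freed; };
static int uaf_reads;                      /* reads of a node after free */
static struct node *node_parent(struct node *n)   /* models blkcg_parent() */
{
    if (n->freed) uaf_reads++;             /* the access KASAN would report */
    return n->parent;
}

static void node_destroy(struct node *n)   /* models blkcg_destroy_blkgs() */
{
    n->freed = 1;                          /* assume the last reference drops */
}

/* Ordering described in the advisory: parent is read after destroy. */
static void unpin_buggy(struct node *n)
{
    while (n && --n->online_pin == 0) {
        node_destroy(n);
        n = node_parent(n);                /* n may already be freed */
    }
}

/* Corrected ordering: capture the parent while n is still valid. */
static void unpin_fixed(struct node *n)
{
    while (n && --n->online_pin == 0) {
        struct node *parent = node_parent(n);
        node_destroy(n);
        n = parent;
    }
}

/* Build root <- mid <- leaf, unpin from the leaf, return stale reads. */
static int run_walk(int use_fixed)
{
    struct node root = { NULL, 1, 0 }, mid = { &root, 1, 0 }, leaf = { &mid, 1, 0 };
    uaf_reads = 0;
    (use_fixed ? unpin_fixed : unpin_buggy)(&leaf);
    return uaf_reads;
}

int main(void)
{
    printf("buggy: %d stale reads, fixed: %d\n", run_walk(0), run_walk(1));
    return 0;
}
```

Both walks release the same three nodes; only the point at which the parent pointer is read differs.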
Defensive priority
HIGH
Recommended defensive actions
- Restrict access to the interactive shell of the GNU/Linux subsystem to trusted personnel only
- Only build and run applications from trusted sources
- Monitor for security updates from Siemens for patch availability
- Apply defense-in-depth strategies for industrial control systems per CISA guidance
- Review and implement ICS-CERT recommended practices for securing industrial control systems
Evidence notes
The vulnerability description is sourced from CISA CSAF advisory ICSA-24-102-01, which references Siemens security advisory SSA-265688. The flaw was resolved in the Linux kernel with a fix for the UAF condition in blkcg_unpin_online(). The affected product is the GNU/Linux subsystem within Siemens SIMATIC S7-1500 TM MFP industrial control devices.
Official resources
- CVE-2024-56672 CVE record (CVE.org)
- CVE-2024-56672 NVD detail (NVD)
- Source item URL (cisa_csaf)