PatchSiren cyber security CVE debrief
CVE-2024-56770 Siemens CVE debrief
A vulnerability in the Linux kernel's netem (network emulator) scheduler can cause network interfaces to stop transferring packets entirely, resulting in a denial-of-service condition. The flaw occurs when the child queueing discipline (qdisc) and tfifo (time-ordered FIFO) are empty, but the 'qlen' counter incorrectly indicates the tfifo has reached its limit, preventing further packet acceptance. This effectively locks the interface and halts all network traffic. The vulnerability affects Siemens industrial networking products running SINEC OS, including RUGGEDCOM RST2428P switches and SCALANCE XC/XR/XCM/XRM/XCH/XRH families. Local attackers with low privileges can trigger this condition, causing high availability impact with no confidentiality or integrity effects.
- Vendor
- Siemens
- Product
- RUGGEDCOM RST2428P (6GK6242-6PA00)
- CVSS
- MEDIUM 5.5
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2025-08-12
- Original CVE updated
- 2026-02-25
- Advisory published
- 2025-08-12
- Advisory updated
- 2026-02-25
Who should care
Organizations operating Siemens RUGGEDCOM RST2428P switches or SCALANCE industrial Ethernet switches in critical infrastructure, manufacturing, or utility environments. Network administrators responsible for traffic shaping or network emulation configurations using netem qdiscs. Industrial control system security teams monitoring for availability risks in OT networks.
Technical summary
The vulnerability exists in the net/sched netem implementation where queue length tracking becomes desynchronized from actual queue state. When the child qdisc and tfifo are empty but qlen reports the tfifo at capacity, the scheduler rejects all new packets. This creates a persistent denial-of-service condition on the affected network interface until the interface is reset or the system is rebooted. The flaw is triggered through local access with low privileges, making it exploitable by authenticated users or compromised service accounts on affected Siemens industrial networking equipment.
Defensive priority
medium
Recommended defensive actions
- Apply vendor-provided firmware updates to SINEC OS V3.2 or later for affected RUGGEDCOM and SCALANCE devices
- Monitor network interface statistics for unexpected qlen discrepancies or traffic cessation on netem-enabled interfaces
- Implement network segmentation to limit exposure of industrial control system devices
- Follow CISA ICS recommended practices for defense-in-depth strategies
- Review Siemens ProductCERT advisory SSA-355557 for configuration-specific guidance on SCALANCE XC-300/XR-300/XC-400/XR-500WG/XR-500 family deployments
Evidence notes
The vulnerability description indicates a state inconsistency in the netem scheduler where qlen desynchronization causes packet flow cessation. CVSS 3.1 vector AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H confirms local attack vector with high availability impact. Siemens ProductCERT SSA-355557 and CISA ICSA-25-226-07 provide coordinated disclosure. Remediation requires updating affected Siemens devices to SINEC OS V3.2 or later.
Official resources
-
CVE-2024-56770 CVE record
CVE.org
-
CVE-2024-56770 NVD detail
NVD
-
Source item URL
cisa_csaf
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
2025-08-12