PatchSiren cyber security CVE debrief

CVE-2024-56779 Siemens CVE debrief

## Summary CVE-2024-56779 is a vulnerability in the Linux kernel's NFS server (nfsd) that can cause a memory leak of nfs4_openowner structures when concurrent nfsd4_open operations occur. The issue manifests during forced unmount operations (umount -f), where the system attempts to kill all RPC tasks even if the unmount ultimately fails due to open files. This can result in duplicate RPC tasks being sent to the NFS server. ## Affected Products Siemens has identified this vulnerability as affecting the following industrial networking products: - **RUGGEDCOM RST2428P (6GK6242-6PA00)** - **SCALANCE XC-300/XR-300/XC-400/XR-500WG/XR-500 family** - **SCALANCE XCM-/XRM-/XCH-/XRH-300 family** These products incorporate third-party Linux kernel components that include the vulnerable nfsd implementation. ## Technical Details The vulnerability stems from improper handling of nfs4_openowner structures during concurrent NFSv4 open operations. When a forced unmount is initiated: 1. The system attempts to terminate all RPC tasks associated with the mount 2. If files remain open, the unmount may fail but RPC task cleanup may be incomplete 3. Subsequent file open attempts can create duplicate RPC tasks 4. This leads to memory leaks of nfs4_openowner structures The root cause is classified under CWE-401: Missing Release of Memory after Effective Lifetime. ## Timeline - **2025-08-12**: Initial CVE publication and CISA advisory ICSA-25-226-07 released - **2026-02-12**: Advisory updated to correct affected products list - **2026-02-24**: Additional clarification on SCALANCE family configurations; rejected CVEs removed - **2026-02-25**: CISA republication based on updated Siemens ProductCERT advisory SSA-355557 ## Risk Assessment This vulnerability is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog. No CVSS score has been assigned in the available sources. The memory leak condition could potentially lead to resource exhaustion on affected systems, particularly in environments with frequent forced unmount operations and concurrent NFS access patterns. ## Recommended Actions Organizations operating affected Siemens industrial networking equipment are:

Vendor: Siemens
Product: RUGGEDCOM RST2428P (6GK6242-6PA00)
CVSS: Unknown
CISA KEV: Not listed in stored evidence
Original CVE published: 2025-08-12
Original CVE updated: 2026-02-25
Advisory published: 2025-08-12
Advisory updated: 2026-02-25

Who should care

Organizations operating Siemens RUGGEDCOM RST2428P, SCALANCE XC/XR/XCM/XRM/XCH/XRH series switches in industrial environments with NFS dependencies; OT security teams managing firmware lifecycle for industrial networking infrastructure.

Technical summary

Kernel-level memory leak in nfsd NFSv4 server implementation affecting Siemens industrial networking equipment. Triggered by concurrent nfsd4_open operations during forced unmount scenarios.

Defensive priority

medium

Recommended defensive actions

Review Siemens ProductCERT advisory SSA-355557 for specific patch availability and version information
Apply vendor-provided firmware updates when available per organizational change management procedures
Monitor NFS server memory utilization for signs of resource exhaustion
Limit use of forced unmount operations (umount -f) on production NFS mounts where possible
Implement network segmentation for industrial control systems per CISA ICS recommended practices
Follow CISA guidance for defense-in-depth strategies for industrial control systems

Evidence notes

Source: CISA CSAF advisory ICSA-25-226-07, derived from Siemens ProductCERT SSA-355557. CWE-401 classification from source references.

Official resources

2025-08-12