PatchSiren cyber security CVE debrief
CVE-2024-57901 Siemens CVE debrief
A vulnerability in the Linux kernel's af_packet subsystem allows local attackers to trigger a kernel crash (denial of service) when using the MSG_PEEK flag with packet socket operations. The flaw exists in vlan_get_protocol_dgram(), which incorrectly modifies socket buffer (skb) state during peek operations, leading to skb_under_panic and a kernel BUG assertion. This vulnerability was discovered by syzbot and affects Siemens SIMATIC S7-1500 TM MFP industrial control systems that include a GNU/Linux subsystem. The CVSS 3.1 score of 5.5 (MEDIUM) reflects a local attack vector with low attack complexity and high availability impact. No patch is currently available from the vendor; mitigations focus on restricting access to trusted personnel and running only trusted applications.
- Vendor: Siemens
- Product: SIMATIC S7-1500 TM MFP - GNU/Linux subsystem
- CVSS: MEDIUM 5.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2024-04-09
- Original CVE updated: 2026-05-14
- Advisory published: 2024-04-09
- Advisory updated: 2026-05-14
Who should care
Industrial control system operators using Siemens SIMATIC S7-1500 TM MFP with the GNU/Linux subsystem; Linux kernel maintainers; OT security teams managing packet socket applications; organizations running custom networking applications on embedded Linux systems in critical infrastructure.
Technical summary
The vulnerability resides in net/packet/af_packet.c in the vlan_get_protocol_dgram() function. When handling packet socket receive operations with the MSG_PEEK flag, the function incorrectly pushes data onto the socket buffer (skb), causing skb->data to underflow below skb->head. This triggers skb_under_panic() and a kernel BUG assertion, resulting in system crash. The root cause is that the blamed commit added VLAN protocol handling without accounting for MSG_PEEK semantics, which should not modify skb state. The fix restructures vlan_get_protocol_dgram() to operate without touching the skb, enabling safe concurrent use across multiple CPUs, and adds const qualification to prevent modification. The crash was reproduced by syzbot using syz-executor883 on kernel 6.13.0-rc4 with KASAN and PTI enabled.
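A simplified userspace model of the two approaches described above, added here as an illustration; it is not the kernel's code or the code from the fix. The `toy_skb` struct, the helper names, the sample frame and the two-reader interleaving are constructed assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Toy stand-in for struct sk_buff (constructed; not the kernel layout). */
struct toy_skb { uint8_t *head, *data; size_t len, mac_off; };

/* Constructed sample: 2 bytes headroom, Ethernet header carrying an 802.1Q
 * tag (0x8100) with inner EtherType 0x0800; data starts after the 14-byte header. */
static void toy_init(struct toy_skb *s, uint8_t buf[32]) {
    memset(buf, 0, 32);
    buf[2 + 12] = 0x81; buf[2 + 13] = 0x00;   /* outer type: VLAN */
    buf[2 + 16] = 0x08; buf[2 + 17] = 0x00;   /* inner type: IPv4 */
    s->head = buf; s->mac_off = 2; s->data = buf + 16; s->len = 16;
}

/* Like skb_push(): -1 marks the point where the kernel calls skb_under_panic(). */
static int toy_push(struct toy_skb *s, size_t n) {
    if ((size_t)(s->data - s->head) < n) return -1;
    s->data -= n; s->len += n;
    return 0;
}

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Non-mutating reader: const pointer, walks the header by offset only. */
static uint16_t proto_const(const struct toy_skb *s) {
    const uint8_t *mac = s->head + s->mac_off;
    uint16_t t = rd16(mac + 12);
    return (t == 0x8100 || t == 0x88a8) ? rd16(mac + 16) : t;
}

/* Mutating reader: push back to the MAC header, read, then restore. */
static int proto_mutating(struct toy_skb *s, uint16_t *out) {
    size_t n = (size_t)(s->data - (s->head + s->mac_off));
    if (toy_push(s, n)) return -1;
    *out = proto_const(s);
    s->data += n; s->len -= n;
    return 0;
}

/* Two readers of one peeked buffer: both size their push before either restores. */
static int interleaved_pushes(struct toy_skb *s) {
    size_t n_a = (size_t)(s->data - (s->head + s->mac_off));
    size_t n_b = n_a;                  /* reader B sampled the same state */
    if (toy_push(s, n_a)) return -1;   /* reader A: data now at MAC header */
    return toy_push(s, n_b);           /* reader B: only 2 bytes of headroom left */
}
```

The mutating reader is correct only when it has the buffer to itself; the const reader returns the same protocol value with no window in which the buffer state is inconsistent.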
Defensive priority
medium
Recommended defensive actions
- Restrict interactive shell access to the GNU/Linux subsystem on affected Siemens SIMATIC S7-1500 TM MFP devices to trusted personnel only
- Implement application whitelisting to ensure only trusted applications are built and executed on the GNU/Linux subsystem
- Monitor for anomalous local process activity involving packet socket operations
- Apply vendor patches when released by Siemens
- Review network segmentation to limit exposure of affected industrial control systems
Evidence notes
The vulnerability description and stack trace are sourced from CISA ICS advisory ICSA-24-102-01, which references Siemens security advisory SSA-265688. The kernel crash dump shows skb_under_panic at net/core/skbuff.c:206 triggered through vlan_get_protocol_dgram() → skb_push() call chain during packet_recvmsg() with MSG_PEEK. The fix involves reworking vlan_get_protocol_dgram() to not modify the skb and adding const qualifier for safe concurrent access.
Official resources
- CVE-2024-57901 CVE record (CVE.org)
- CVE-2024-57901 NVD detail (NVD)
- Source item URL (cisa_csaf)
- Source reference (Reference)
2024-04-09