CVE-2024-57902 Siemens CVE debrief

Who should care

System administrators of industrial control systems using Siemens SIMATIC S7-1500 TM MFP with GNU/Linux subsystem extensions; Linux kernel maintainers for embedded/ICS deployments; security teams monitoring OT/ICS environments for denial-of-service conditions

Technical summary

The vulnerability resides in the AF_PACKET socket implementation's vlan_get_tci() function, which failed to handle the MSG_PEEK case correctly. When MSG_PEEK is used to inspect VLAN-tagged packets without consuming them, the function attempts skb_push operations that can corrupt socket buffer state when accessed concurrently. This leads to skb_under_panic and kernel crash. The fix restructures vlan_get_tci() to be read-only with respect to skb data, enabling safe concurrent access. The issue affects Siemens SIMATIC S7-1500 TM MFP industrial controllers using the GNU/Linux subsystem for extended functionality.

Defensive priority

medium

Recommended defensive actions

• Restrict interactive shell access to the GNU/Linux subsystem to trusted personnel only
• Only build and run applications from trusted sources
• Monitor for kernel panic events related to skb_under_panic in system logs
• Apply vendor security updates when available for the SIMATIC S7-1500 TM MFP GNU/Linux subsystem
• Consider network segmentation to limit exposure of affected industrial control systems

Evidence notes

The vulnerability was identified through automated fuzzing by syzbot, with a reproducible kernel panic trace showing skb_under_panic at net/core/skbuff.c:206. The crash occurs in vlan_get_tci() at net/packet/af_packet.c:565 when skb_push operations fail due to buffer underflow during MSG_PEEK processing. The fix involves reworking vlan_get_tci() to not modify skb state and adding const qualifier for thread safety.

Official resources