PatchSiren cyber security CVE debrief
CVE-2024-27000 Siemens CVE debrief
A missing spinlock in the Freescale i.MX28 AUART driver (mxs-auart) can trigger a kernel warning when Bluetooth drivers invoke uart_handle_cts_change() without holding the required uport->lock. The upstream Linux kernel fix adds proper locking around CTS state changes. Siemens has confirmed this affects select SCALANCE and RUGGEDCOM industrial switches running SINEC OS, with updates available in V3.1 or later.
- Vendor
- Siemens
- Product
- RUGGEDCOM RST2428P (6GK6242-6PA00)
- CVSS
- NONE
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2025-08-12
- Original CVE updated
- 2026-02-25
- Advisory published
- 2025-08-12
- Advisory updated
- 2026-02-25
Who should care
Operators of Siemens SCALANCE XC-300/XR-300/XC-400/XR-500WG/XR-500 family, SCALANCE XCM-/XRM-/XCH-/XRH-300 family, and RUGGEDCOM RST2428P industrial Ethernet switches; embedded Linux developers using i.MX28 AUART with Bluetooth HCI UART drivers; industrial control system administrators maintaining SINEC OS deployments
Technical summary
The mxs-auart driver for Freescale i.MX28 processors fails to hold uport->lock when calling uart_handle_cts_change(), violating the serial_core API requirement. This can trigger a kernel WARNING splat when the Bluetooth stack (hci_uart) initializes and generates CTS change interrupts. The fix adds proper spinlock acquisition around CTS state changes in the IRQ handler. While the kernel warning indicates a locking violation, the CVSS scoring suggests limited security impact under standard configurations. Siemens industrial switches using affected kernel versions are vulnerable and require SINEC OS V3.1+ for remediation.
Defensive priority
medium
Recommended defensive actions
- Apply vendor fix: Update affected Siemens SCALANCE and RUGGEDCOM devices to SINEC OS V3.1 or later
- Verify serial driver patch status on embedded Linux systems using mxs-auart driver, particularly i.MX28-based devices with Bluetooth connectivity
- Review kernel logs for uart_handle_cts_change warnings as indicator of vulnerable code path activation
- Implement network segmentation for industrial control systems per CISA ICS recommended practices
- Monitor Siemens ProductCERT advisories for additional affected product announcements
Evidence notes
The vulnerability is a race condition in the mxs-auart driver where uart_handle_cts_change() is called without holding uport->lock, violating the serial_core API contract. The kernel splat shows this occurs during Bluetooth initialization (hci_power_on workqueue) on i.MX28 hardware. Siemens ProductCERT SSA-613116 and CISA ICSA-25-226-15 document affected industrial networking products. The CVSS vector AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:N indicates network attack vector with high complexity, requiring user interaction, with no impact to confidentiality, integrity, or availability in the scored configuration.
Official resources
-
CVE-2024-27000 CVE record
CVE.org
-
CVE-2024-27000 NVD detail
NVD
-
Source item URL
cisa_csaf
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
2025-08-12