PatchSiren cyber security CVE debrief
CVE-2024-27004 Siemens CVE debrief
A vulnerability in the Linux kernel clock framework could allow a local attacker to cause a denial-of-service condition. The issue occurs when the kernel's clock subsystem walks the clock tree during the disable_unused operation without first obtaining a runtime PM (Power Management) reference. This race condition can lead to use-after-free or null pointer dereference scenarios when clock providers are powered down unexpectedly during tree traversal. The vulnerability affects Siemens industrial networking products running SINEC OS, specifically the RUGGEDCOM RST2428P and SCALANCE X-family switches. Siemens has released firmware updates to address this issue.
- Vendor: Siemens
- Product: RUGGEDCOM RST2428P (6GK6242-6PA00)
- CVSS: MEDIUM 5.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2024-04-09
- Original CVE updated: 2026-05-14
- Advisory published: 2024-04-09
- Advisory updated: 2026-05-14
Who should care
Organizations operating Siemens SCALANCE XC-300/XR-300/XC-400/XR-500WG/XR-500 family switches, SCALANCE XCM-/XRM-/XCH-/XRH-300 family devices, or RUGGEDCOM RST2428P industrial Ethernet switches in critical infrastructure environments. System administrators maintaining Linux-based industrial control systems with custom clock implementations. Security teams responsible for OT/ICS vulnerability management and patch coordination. Asset owners subject to NERC CIP, IEC 62443, or similar industrial cybersecurity frameworks requiring timely vulnerability remediation.
Technical summary
The vulnerability exists in the Linux kernel's common clock framework (drivers/clk/clk.c). During system suspend or clock disabling operations, the disable_unused function traverses the clock provider tree to identify and disable unused clocks. The original implementation performed this tree walk without first acquiring a runtime power management (runtime PM) reference on the clock provider devices. This creates a race condition where a clock provider could be powered down by the runtime PM subsystem while the tree walk is in progress, leading to use-after-free access to device memory or null pointer dereferences when accessing powered-down hardware registers. The resolution ensures runtime PM is acquired before tree traversal and properly released afterward, maintaining device power state consistency throughout the operation. The vulnerability is exploitable only locally with low privileges, making it primarily a concern for multi-user systems or compromised application contexts on affected industrial devices.
Defensive priority
medium
Recommended defensive actions
- Apply vendor firmware updates to V3.1 or later for affected SCALANCE and RUGGEDCOM devices per Siemens ProductCERT guidance
- Review and implement CISA ICS recommended practices for defense-in-depth strategies
- Monitor Siemens ProductCERT security advisories for additional affected product notifications
- Validate runtime PM handling in custom Linux kernel builds if maintaining forked clock subsystem code
- Implement network segmentation and access controls to limit local attack vector exposure on affected industrial devices
Evidence notes
The vulnerability description indicates a resolved Linux kernel issue in the clock (clk) subsystem. The fix involves obtaining runtime PM before walking the clock tree during disable_unused operations. This is a local attack vector requiring low privileges with no user interaction, resulting in high availability impact. The CVSS 3.1 vector confirms AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H scoring. Siemens ProductCERT advisory SSA-613116 provides vendor-specific context and remediation guidance. CISA advisory ICSA-25-226-15 republishes this information for industrial control systems stakeholders.
Official resources
- CVE-2024-27004 CVE record (CVE.org)
- CVE-2024-27004 NVD detail (NVD)
- Source item URL (cisa_csaf)
2025-08-12