PatchSiren cyber security CVE debrief
CVE-2024-27013 Siemens CVE debrief
A vulnerability in the Linux kernel's TUN/TAP driver could allow an attacker to cause a denial of service (DoS) condition through soft lockup. The issue occurs when the `vhost_worker` calls TUN callbacks to receive packets. If a high volume of illegal packets arrives, the `tun_do_read` function continuously dumps packet contents to the console. When console output is enabled, this excessive logging consumes significant CPU resources, potentially triggering a soft lockup detection. The vulnerability has been resolved by implementing the `net_ratelimit` mechanism to restrict the rate of packet content dumping. This is a local attack vector requiring low attack complexity and low privileges, with no impact to confidentiality or integrity, but high availability impact.
- Vendor
- Siemens
- Product
- RUGGEDCOM RST2428P (6GK6242-6PA00)
- CVSS
- MEDIUM 5.5
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2024-04-09
- Original CVE updated
- 2026-05-14
- Advisory published
- 2024-04-09
- Advisory updated
- 2026-05-14
Who should care
Organizations running virtualized environments with TUN/TAP interfaces, particularly those using affected Siemens industrial networking equipment (SCALANCE XC-300/XR-300/XC-400/XR-500WG/XR-500 family, SCALANCE XCM-/XRM-/XCH-/XRH-300 family, and RUGGEDCOM RST2428P). System administrators managing KVM/QEMU virtualization hosts and industrial control system operators should prioritize patching.
Technical summary
The vulnerability exists in the Linux kernel's TUN (network tunnel) driver, specifically in how `tun_do_read` handles illegal packets. When `vhost_worker` invokes TUN callbacks for packet reception, malformed or illegal packets trigger verbose packet content dumping. Without rate limiting, sustained attack traffic causes excessive CPU consumption through console I/O operations, leading to soft lockup conditions. The fix implements `net_ratelimit` to throttle these diagnostic messages. CVSS 3.1 vector: AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H (5.5 Medium).
Defensive priority
medium
Recommended defensive actions
- Apply vendor-provided updates to V3.1 or later version for affected Siemens SCALANCE and RUGGEDCOM products
- Monitor system logs for excessive TUN-related console output that may indicate exploitation attempts
- Implement network segmentation to limit exposure of TUN/TAP interfaces to untrusted networks
- Review and restrict access to virtual machine interfaces using TUN/TAP devices
- Consider disabling console output in production environments where not required for operations
- Apply defense-in-depth strategies per ICS-CERT recommended practices for industrial control systems
Evidence notes
CVE published 2025-08-12; modified 2026-02-25. Source advisory ICSA-25-226-15 from CISA CSAF, based on Siemens ProductCERT SSA-613116. Advisory revision history shows multiple updates through February 2026, with the latest republication on 2026-02-25 incorporating corrections to affected products list and removal of rejected CVEs.
Official resources
-
CVE-2024-27013 CVE record
CVE.org
-
CVE-2024-27013 NVD detail
NVD
-
Source item URL
cisa_csaf
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
2025-08-12