PatchSiren cyber security CVE debrief
CVE-2024-27038 Siemens CVE debrief
CVE-2024-27038 is a NULL pointer dereference vulnerability in the Linux kernel's clock framework, specifically within the `clk_core_get()` function. The flaw exists because `__clk_get_hw()` can return NULL, which is then dereferenced by `clk_core_get()` at `hw->core` without proper validation. This regression was introduced when commit dde4eff47c82 (clk: Look for parents with clkdev based clk_lookups) removed the prior `IS_ERR_OR_NULL()` check that would have caught the NULL condition. The vulnerability affects Siemens SIMATIC S7-1500 TM MFP industrial control systems through their GNU/Linux subsystem. With a CVSS 3.1 score of 7.5 (HIGH), the vulnerability is network-accessible with low attack complexity, requiring no privileges or user interaction, and results in high availability impact through denial of service. No patch is currently available from Siemens as of the source advisory's last update.
- Vendor: Siemens
- Product: SIMATIC S7-1500 TM MFP - GNU/Linux subsystem
- CVSS: HIGH 7.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2024-04-09
- Original CVE updated: 2026-05-14
- Advisory published: 2024-04-09
- Advisory updated: 2026-05-14
Who should care
Industrial control system operators, OT security teams, Siemens SIMATIC S7-1500 TM MFP administrators, critical infrastructure security personnel, and organizations with deployed GNU/Linux-based industrial automation systems should prioritize awareness of this vulnerability due to its network accessibility and high availability impact in operational technology environments.
Technical summary
The vulnerability resides in the Linux kernel clock (clk) subsystem. The function `clk_core_get()` calls `of_clk_get_hw_from_clkspec()`, which in turn calls `__of_clk_get_hw_from_provider()` and `__clk_get_hw()`. The `__clk_get_hw()` function can legitimately return NULL, but `clk_core_get()` dereferences this return value at `hw->core` without NULL checking. Prior to kernel commit dde4eff47c82, an `IS_ERR_OR_NULL()` check prevented this dereference; its removal created the vulnerability. The fix requires adding a NULL check before dereferencing `hw` and returning NULL if `hw` is NULL, consistent with the function's documented behavior.
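The summary above turns on the fact that an error-pointer check alone does not catch NULL. The following userspace model is an added example, not kernel source or Siemens code: the `model_*` functions, `enum lookup`, and the demo objects are hypothetical, and the `IS_ERR()`-only check in the regressed variant is an assumption of the model.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>

/* Userspace stand-ins for the kernel's error-pointer helpers. */
#define MAX_ERRNO 4095
static inline void *ERR_PTR(long err) { return (void *)(intptr_t)err; }
static inline int IS_ERR(const void *p) { return (uintptr_t)p >= (uintptr_t)-MAX_ERRNO; }
static inline int IS_ERR_OR_NULL(const void *p) { return !p || IS_ERR(p); }

struct clk_core { const char *name; };
struct clk_hw { struct clk_core *core; };

/* Hypothetical lookup modelling the three outcomes of the __clk_get_hw() path. */
enum lookup { LOOKUP_OK, LOOKUP_NULL, LOOKUP_ERR };
static struct clk_core demo_core = { "demo_clk" };   /* constructed sample */
static struct clk_hw demo_hw = { &demo_core };

static struct clk_hw *model_lookup(enum lookup what) {
    if (what == LOOKUP_OK) return &demo_hw;
    if (what == LOOKUP_NULL) return NULL;
    return ERR_PTR(-ENOENT);
}

/* NULL is not an error pointer: IS_ERR() misses it, IS_ERR_OR_NULL() catches it. */
int null_slips_past_is_err(void) { return !IS_ERR(NULL) && IS_ERR_OR_NULL(NULL); }

/* Regressed shape: NULL passes the error check and reaches hw->core. */
struct clk_core *model_clk_core_get_regressed(enum lookup what) {
    struct clk_hw *hw = model_lookup(what);
    if (IS_ERR(hw)) return (struct clk_core *)hw;
    return hw->core;                 /* faults when hw == NULL */
}

/* Fixed shape: explicit NULL check before the dereference, returning NULL. */
struct clk_core *model_clk_core_get_fixed(enum lookup what) {
    struct clk_hw *hw = model_lookup(what);
    if (IS_ERR(hw)) return (struct clk_core *)hw;
    if (!hw) return NULL;
    return hw->core;
}

int main(void) {
    /* The fixed variant survives the NULL lookup; the regressed one would fault. */
    return model_clk_core_get_fixed(LOOKUP_NULL) == NULL ? 0 : 1;
}
```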
Defensive priority
HIGH
Recommended defensive actions
- Apply vendor-provided security updates when available from Siemens
- Restrict access to the GNU/Linux subsystem interactive shell to trusted personnel only
- Implement application whitelisting to ensure only trusted applications are built and executed
- Monitor for anomalous system crashes or availability issues in affected industrial control systems
- Segment OT networks to limit exposure of affected devices to untrusted networks
- Follow CISA ICS recommended practices for defense-in-depth strategies
Evidence notes
Vulnerability confirmed through CISA ICS advisory ICSA-24-102-01 and Siemens security advisory SSA-265688. The technical root cause is documented in the CVE description: removal of the `IS_ERR_OR_NULL()` check in commit dde4eff47c82 enabled a NULL dereference in `clk_core_get()` when `__clk_get_hw()` returns NULL. Siemens product impact confirmed through CSAF product tree with high confidence.
Official resources
- CVE-2024-27038 CVE record (CVE.org)
- CVE-2024-27038 NVD detail (NVD)
- Source item URL (cisa_csaf)
2024-04-09