PatchSiren cyber security CVE debrief
CVE-2024-27047 Siemens CVE debrief
A NULL pointer dereference vulnerability exists in the Linux kernel's network PHY subsystem. The `phy_get_internal_delay` function may attempt to access an empty array when a driver calls it without defining `delay_values` while `rx-internal-delay-ps` or `tx-internal-delay-ps` is set to 0 in the device tree. This condition triggers a kernel panic with the message 'unable to handle kernel NULL pointer dereference at virtual address 0'. The vulnerability affects Siemens SIMATIC S7-1500 TM MFP industrial control systems through their GNU/Linux subsystem. The issue was published on April 9, 2024, and the advisory has been updated multiple times through September 2025 to include additional related CVEs. No patch is currently available from the vendor.
- Vendor: Siemens
- Product: SIMATIC S7-1500 TM MFP - GNU/Linux subsystem
- CVSS: MEDIUM 6.2
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2024-04-09
- Original CVE updated: 2026-05-14
- Advisory published: 2024-04-09
- Advisory updated: 2026-05-14
Who should care
Industrial control system operators, OT security teams, and asset owners deploying Siemens SIMATIC S7-1500 TM MFP systems should prioritize this vulnerability. The kernel-level crash could disrupt critical manufacturing processes, safety systems, or infrastructure operations dependent on these controllers. System integrators and maintenance personnel with shell access to the GNU/Linux subsystem represent a key insider threat vector. Organizations subject to NERC CIP, IEC 62443, or similar OT security frameworks should incorporate this into their vulnerability management programs given the lack of available patches.
Technical summary
The vulnerability resides in the Linux kernel's network PHY (physical layer) driver subsystem, specifically in the `phy_get_internal_delay` function. When this function is invoked without a defined `delay_values` array, and the device tree specifies `rx-internal-delay-ps` or `tx-internal-delay-ps` as 0, the code attempts to index into an empty or uninitialized array. This results in a NULL pointer dereference that crashes the kernel. The issue is classified under CWE-20 (Improper Input Validation). The affected product is the GNU/Linux subsystem within Siemens SIMATIC S7-1500 TM MFP programmable logic controllers, which are used in industrial automation environments. The local attack vector suggests that an attacker with the ability to influence device tree configuration or load malicious kernel modules could trigger the denial-of-service condition.
Defensive priority
medium
Recommended defensive actions
- Restrict access to the interactive shell of the GNU/Linux subsystem to trusted personnel only
- Only build and run applications from trusted sources
- Monitor for kernel panic events indicating NULL pointer dereference at virtual address 0
- Apply defense-in-depth strategies for industrial control systems per CISA guidance
- Subscribe to Siemens security advisories for patch availability updates
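One way to implement the kernel-panic monitoring action in the list above, as an added example that is not taken from the advisory or from Siemens: it scans kernel log lines for the quoted oops message at address 0 and flags reports whose trace mentions `phy_get_internal_delay`. The sample log lines are constructed, and the 40-line trace window and the expectation that the function name appears in the trace are assumptions.

```python
import re

# Oops header quoted in the advisory text; only an all-zero address matches
# (printed as "0", "0x0" or zero-padded), so offsets such as ...0010 are skipped.
ZERO_DEREF_RE = re.compile(
    r"unable to handle kernel NULL pointer dereference "
    r"at virtual address (?:0x)?0+(?![0-9a-f])",
    re.IGNORECASE,
)
# Any "unable to handle kernel ..." line starts a new oops report.
OOPS_HEADER_RE = re.compile(r"unable to handle kernel", re.IGNORECASE)
PHY_FUNC = "phy_get_internal_delay"  # function named in the CVE description
TRACE_WINDOW = 40  # assumption: the trace is logged within 40 lines of the header


def find_zero_derefs(lines):
    """Return [(line_index, phy_related)] for each NULL dereference at address 0."""
    hits = []
    for i, line in enumerate(lines):
        if not ZERO_DEREF_RE.search(line):
            continue
        phy_related = False
        for follow in lines[i + 1 : i + 1 + TRACE_WINDOW]:
            if OOPS_HEADER_RE.search(follow):
                break  # next report begins; do not attribute its trace to this one
            if PHY_FUNC in follow:
                phy_related = True
                break
        hits.append((i, phy_related))
    return hits


# Constructed sample log (not captured from a real device).
SAMPLE_LOG = """\
[   12.301] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000
[   12.302] Internal error: Oops: 96000004 [#1] SMP
[   12.303] pc : phy_get_internal_delay+0x90/0x140
[   12.304] Call trace:
[   12.305]  phy_get_internal_delay+0x90/0x140
[   98.770] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000010
[   98.771] pc : example_driver_probe+0x24/0x80
[  140.002] Unable to handle kernel NULL pointer dereference at virtual address 0
[  140.003] pc : example_other_func+0x10/0x40
""".splitlines()

if __name__ == "__main__":
    for index, phy_related in find_zero_derefs(SAMPLE_LOG):
        tag = "matches CVE-2024-27047 pattern" if phy_related else "other NULL deref"
        print(f"line {index}: {tag}: {SAMPLE_LOG[index].strip()}")
```

A hit without the PHY function in its trace is still a kernel crash to triage; it just does not match this CVE's description.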
Evidence notes
The vulnerability description is derived from the CISA CSAF advisory ICSA-24-102-01, which references Siemens security advisory SSA-265688. The CVSS 3.1 vector AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H indicates a local attack vector with low attack complexity, no privileges required, and high availability impact. The advisory explicitly states 'Currently no fix is available' as of the last modification date.
Official resources
- CVE-2024-27047 CVE record (CVE.org)
- CVE-2024-27047 NVD detail (NVD)
- Source item URL (cisa_csaf)
- Source reference (Reference)
2024-04-09