PatchSiren cyber security CVE debrief
CVE-2024-27059 Siemens CVE debrief
A divide-by-zero vulnerability exists in the Linux kernel's USB storage subsystem, specifically within the isd200 sub-driver. The flaw occurs when the driver uses ATA ID information (HEADS and SECTORS values) to calculate cylinder and head values for READ/WRITE command block descriptors. If either value is zero, the division and modulus operations trigger a kernel crash. While genuine hardware would not present zero values, malicious or flawed device emulation could exploit this condition. The vulnerability was discovered through syzbot fuzzing. The fix involves validating ATA_ID_HEADS and ATA_ID_SECTORS during device initialization, refusing to bind if either is zero, and correcting isd200_Initialization() to return proper error codes rather than always returning 0.
- Vendor: Siemens
- Product: SIMATIC S7-1500 TM MFP - GNU/Linux subsystem
- CVSS: MEDIUM 5.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2024-04-09
- Original CVE updated: 2026-05-14
- Advisory published: 2024-04-09
- Advisory updated: 2026-05-14
Who should care
Organizations operating Siemens SIMATIC S7-1500 TM MFP industrial control systems with GNU/Linux subsystems, as well as any Linux systems utilizing USB mass storage with isd200-compatible devices. System administrators responsible for kernel security and industrial control system operators should prioritize monitoring and access controls until patches are available.
Technical summary
The isd200_ata_command function in drivers/usb/storage/isd200.c performs division and modulus operations using ATA_ID_HEADS and ATA_ID_SECTORS values from device identification data without validation. When creating CDBs for READ/WRITE operations, zero values in these fields cause a divide-by-zero exception. The vulnerability is exploitable locally through connection of a malicious USB mass storage device or emulator presenting crafted ATA ID information. The fix adds validation in isd200_Initialization() to reject devices with zero HEADS or SECTORS values and ensures proper error code propagation.
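The arithmetic and the init-time check described above, as an added user-space sketch (not the kernel's source and not taken from the advisory). The names `check_geometry`, `lba_to_chs` and `struct chs`, the `-ENODEV` return value and the sample ID data are assumptions made for this illustration; the word offsets 3 and 6 are the IDENTIFY DEVICE positions of logical heads and sectors per track.

```c
/* Added illustration: user-space model of the CHS arithmetic, not kernel source. */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

/* IDENTIFY DEVICE word offsets: word 3 = logical heads, word 6 = sectors per track. */
#define ATA_ID_HEADS   3
#define ATA_ID_SECTORS 6

struct chs { uint16_t cylinder; uint8_t head; uint8_t sector; };

/* Init-time gate described by the fix: refuse a device whose geometry is unusable. */
int check_geometry(const uint16_t *id)
{
    if (id[ATA_ID_HEADS] == 0 || id[ATA_ID_SECTORS] == 0)
        return -ENODEV;   /* error code chosen for this sketch */
    return 0;
}

/* LBA -> CHS translation; both divisors come straight from device-supplied data.
 * Without check_geometry() a zero in either word faults on / or %. */
int lba_to_chs(const uint16_t *id, uint32_t lba, struct chs *out)
{
    int rc = check_geometry(id);
    if (rc)
        return rc;
    uint32_t heads = id[ATA_ID_HEADS], sectors = id[ATA_ID_SECTORS];
    out->sector   = (uint8_t)(lba % sectors + 1);
    out->head     = (uint8_t)((lba / sectors) % heads);
    out->cylinder = (uint16_t)(lba / (sectors * heads));
    return 0;
}

int main(void)
{
    uint16_t good[8] = {0}, bad[8] = {0};   /* constructed sample ID data */
    struct chs c;
    good[ATA_ID_HEADS] = 16; good[ATA_ID_SECTORS] = 63;
    bad[ATA_ID_HEADS] = 16;  /* sectors left at zero */

    if (lba_to_chs(good, 2048, &c) == 0)
        printf("C/H/S = %u/%u/%u\n", c.cylinder, c.head, c.sector);
    printf("zero-sector device: rc=%d\n", lba_to_chs(bad, 2048, &c));
    return 0;
}
```

Validating once at bind time, as the fix does, keeps the per-command path free of checks; the sketch repeats the check inside `lba_to_chs` only so the function is safe to call on its own.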
Defensive priority
medium
Recommended defensive actions
- Apply vendor-provided kernel updates when available for affected Siemens SIMATIC S7-1500 TM MFP GNU/Linux subsystems
- Restrict interactive shell access to the GNU/Linux subsystem to trusted personnel only
- Build and execute only applications from trusted sources on affected systems
- Monitor for anomalous USB storage device connections that may indicate attempted exploitation
- Review kernel logs for isd200 driver initialization failures as potential indicators of probing activity
Evidence notes
The vulnerability description is sourced from CISA CSAF advisory ICSA-24-102-01, which references the Linux kernel fix. The CVSS 3.1 vector (AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H) indicates local attack vector with low attack complexity, requiring low privileges and resulting in high availability impact. Siemens has identified this as affecting the GNU/Linux subsystem of SIMATIC S7-1500 TM MFP industrial control products.
Official resources
- CVE-2024-27059 CVE record (CVE.org)
- CVE-2024-27059 NVD detail (NVD)
- Source item URL (cisa_csaf)
2024-04-09