PatchSiren cyber security CVE debrief

CVE-2024-36489 Siemens CVE debrief

A missing write memory barrier in the Linux kernel's TLS (Transport Layer Security) subsystem initialization function `tls_init()` can lead to NULL pointer dereference vulnerabilities. Under specific store-store reordering conditions on affected processors, this memory ordering bug may cause `tls_setsockopt()` or `tls_getsockopt()` to dereference a NULL pointer, resulting in local denial of service. The vulnerability requires local access with low privileges and no user interaction. Siemens has identified this issue as affecting certain industrial networking products running SINEC OS, including RUGGEDCOM RST2428P and SCALANCE X-family switches. The CVSS 3.1 score of 5.5 (MEDIUM) reflects the local attack vector and high availability impact with no confidentiality or integrity impact.

Vendor: Siemens
Product: RUGGEDCOM RST2428P (6GK6242-6PA00)
CVSS: MEDIUM 5.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2024-04-09
Original CVE updated: 2026-05-14
Advisory published: 2024-04-09
Advisory updated: 2026-05-14

Who should care

Operators of industrial control systems and OT networks using affected Siemens RUGGEDCOM and SCALANCE devices; security teams responsible for firmware lifecycle management in critical infrastructure environments; kernel maintainers and embedded Linux developers working with TLS offload or in-kernel TLS implementations

Technical summary

The vulnerability exists in the kernel's TLS socket option handling code. The `tls_init()` function initializes TLS context structures but lacks a write memory barrier (`smp_wmb()` or equivalent) to ensure proper ordering of memory stores. On architectures with weak memory ordering (such as ARM64 or certain x86 implementations under specific conditions), the CPU or compiler may reorder stores such that `tls_setsockopt()` or `tls_getsockopt()` observes a partially initialized structure. Specifically, a pointer field may be observed as non-NULL before the pointed-to object is fully initialized, or, conversely, a NULL pointer may be dereferenced because the intended initialization order was not preserved. The resulting NULL pointer dereference triggers an oops or panic, causing denial of service. The attack requires local access to create or manipulate TLS sockets; low privileges are sufficient to invoke the affected sockopt interfaces.
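To make the ordering hazard concrete, the following is an added user-space model written for this debrief; it is not kernel code and does not reproduce the Linux TLS implementation. The struct and function names (`proto_ops`, `tls_context`, `sock`, `tls_init_unordered`, `tls_init_ordered`, `run_model`) are hypothetical. It shows the publication pattern at the heart of the bug: a context field is saved, then the socket's dispatch table is swapped so callers start routing through the TLS handlers that read that field. With plain (relaxed) stores nothing forces the two writes to become visible in program order, so a concurrent caller on a weakly ordered CPU can dispatch through the new table while the saved field still reads NULL. The ordered variant publishes the table with a release store, which is the write-barrier role the debrief describes; paired with the caller's acquire load it guarantees the field is visible before the table is.

```c
#include <stdatomic.h>
#include <stddef.h>
#include <stdio.h>

/* Added illustration, not kernel code: a user-space model of the
 * store-store reordering hazard described in the debrief.
 * All names below are hypothetical. */

struct proto_ops {
    int (*setsockopt)(int level, int optname);
};

/* The socket's original protocol ops, which the TLS layer forwards to. */
static int base_setsockopt(int level, int optname) { return level * 100 + optname; }
static const struct proto_ops base_proto = { .setsockopt = base_setsockopt };

struct tls_context {
    const struct proto_ops *sk_proto;   /* saved original ops; NULL until init stores it */
};

struct sock {
    _Atomic(const struct proto_ops *) sk_prot;  /* dispatch table callers read */
    struct tls_context *ulp_data;               /* per-socket TLS context */
};

static struct sock *current_sk;  /* models "the socket this op runs on" */

/* TLS-level handler: forwards through the ops saved in the context. */
static int tls_setsockopt_model(struct sock *sk, int level, int optname) {
    struct tls_context *ctx = sk->ulp_data;
    if (!ctx->sk_proto)
        return -1;   /* stands in for the NULL dereference (kernel oops) */
    return ctx->sk_proto->setsockopt(level, optname);
}

static int tls_proto_setsockopt(int level, int optname) {
    return tls_setsockopt_model(current_sk, level, optname);
}
static const struct proto_ops tls_proto = { .setsockopt = tls_proto_setsockopt };

/* Caller side: read the dispatch table with acquire semantics, then call
 * through it. The acquire pairs with the release store in tls_init_ordered. */
static int sock_setsockopt_model(struct sock *sk, int level, int optname) {
    current_sk = sk;
    const struct proto_ops *ops =
        atomic_load_explicit(&sk->sk_prot, memory_order_acquire);
    return ops->setsockopt(level, optname);
}

/* Unordered initialization: both stores are relaxed, so a weakly ordered CPU
 * may make the table swap visible before the saved-ops store. A concurrent
 * caller can then reach tls_setsockopt_model while ctx->sk_proto is NULL. */
static void tls_init_unordered(struct sock *sk, struct tls_context *ctx) {
    sk->ulp_data = ctx;
    ctx->sk_proto = atomic_load_explicit(&sk->sk_prot, memory_order_relaxed);
    atomic_store_explicit(&sk->sk_prot, &tls_proto, memory_order_relaxed);
}

/* Ordered initialization: the release store on sk_prot plays the role of
 * the write barrier. Any thread whose acquire load observes tls_proto is
 * guaranteed to also observe the earlier store to ctx->sk_proto. */
static void tls_init_ordered(struct sock *sk, struct tls_context *ctx) {
    sk->ulp_data = ctx;
    ctx->sk_proto = atomic_load_explicit(&sk->sk_prot, memory_order_relaxed);
    atomic_store_explicit(&sk->sk_prot, &tls_proto, memory_order_release);
}

/* Build a socket with the base ops, run one of the two initializers, then
 * issue a setsockopt through the swapped table. Single-threaded, both paths
 * return base_setsockopt(1, 2) == 102; only the ordered path guarantees that
 * result for a concurrent caller on a weakly ordered machine. */
static int run_model(int ordered) {
    struct sock sk;
    struct tls_context ctx = { .sk_proto = NULL };   /* zeroed, as kzalloc would */
    atomic_init(&sk.sk_prot, &base_proto);
    sk.ulp_data = NULL;
    if (ordered)
        tls_init_ordered(&sk, &ctx);
    else
        tls_init_unordered(&sk, &ctx);
    return sock_setsockopt_model(&sk, 1, 2);
}

int main(void) {
    printf("ordered:   %d\n", run_model(1));
    printf("unordered: %d\n", run_model(0));
    return 0;
}
```

The model cannot reproduce the race itself: a single thread always sees its own stores in program order, which is exactly why this class of bug survives ordinary testing and only surfaces under concurrent load on hardware that reorders stores. The point to take from it is the pairing: a release (or `smp_wmb()`) on the publisher side is only meaningful together with an acquire (or the matching read-side ordering) on the consumer side.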

Defensive priority

medium

Recommended defensive actions

  • Apply vendor-provided firmware updates to SINEC OS V3.1 or later for affected Siemens industrial networking products
  • Verify current firmware version on RUGGEDCOM RST2428P, SCALANCE XC-300/XR-300/XC-400/XR-500WG/XR-500 family, and SCALANCE XCM-/XRM-/XCH-/XRH-300 family devices
  • Review network segmentation to limit local access to industrial control system devices
  • Monitor for anomalous process crashes or kernel panics on affected systems that could indicate exploitation attempts
  • Consult Siemens ProductCERT advisory SSA-613116 for detailed patch availability and installation guidance

Evidence notes

The vulnerability description is sourced from CISA CSAF advisory ICSA-25-226-15, which republishes Siemens ProductCERT advisory SSA-613116. The advisory was initially published on 2025-08-12 and most recently updated on 2026-02-25 to reflect corrections to the affected products list and removal of rejected CVEs. The root cause is a missing memory barrier in kernel TLS initialization code, a class of bug well-documented in concurrent programming literature where compiler or CPU reordering of memory operations can lead to observable inconsistent state.

Official resources

2025-08-12