PatchSiren cyber security CVE debrief
CVE-2024-38567 Siemens CVE debrief
CVE-2024-38567 is a medium-severity vulnerability (CVSS 5.5) affecting the carl9170 Wi-Fi driver in the Linux kernel, specifically impacting Siemens SIMATIC S7-1500 TM MFP industrial control systems through their GNU/Linux subsystem. The vulnerability stems from insufficient input validation when handling USB Request Block (URB) submissions, where improper endpoint type checking could trigger kernel warnings and potentially lead to denial-of-service conditions. The flaw was discovered through Syzkaller fuzzing, which identified that while the driver checked a specific fourth endpoint (which can switch between bulk and interrupt types), other endpoints were implicitly trusted without proper validation. This weakness in the USB endpoint sanity checking mechanism could allow an attacker with local access and low privileges to cause system instability or crashes. The vulnerability was published on April 9, 2024, and remains unpatched as of the last advisory update on May 14, 2026. CISA and Siemens have issued multiple advisory updates tracking this and related vulnerabilities, with the most recent expansion in September 2025 adding 51 additional CVEs to the advisory. Given the industrial control system context, organizations should implement strict access controls and defense-in-depth strategies while awaiting a permanent fix.
- Vendor: Siemens
- Product: SIMATIC S7-1500 TM MFP - GNU/Linux subsystem
- CVSS: MEDIUM 5.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2024-04-09
- Original CVE updated: 2026-05-14
- Advisory published: 2024-04-09
- Advisory updated: 2026-05-14
Who should care
Organizations operating Siemens SIMATIC S7-1500 TM MFP industrial control systems with the GNU/Linux subsystem enabled, OT security teams managing industrial Wi-Fi deployments, and infrastructure operators relying on carl9170-based wireless connectivity in critical environments.
Technical summary
The carl9170 driver in the Linux kernel fails to properly validate USB endpoint types during URB submission. While the driver includes a check for a specific fourth endpoint that can switch between bulk and interrupt types, other endpoints are implicitly trusted without adequate sanity checking. This validation gap, discovered through Syzkaller fuzzing, can trigger kernel warnings and potentially cause denial-of-service conditions when malformed or unexpected endpoint configurations are processed.
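A userspace model of the validation gap described above, added here as an illustration; it is not the carl9170 driver's code or the upstream fix. The endpoint addresses, the rule table and the two sample descriptor sets are assumptions constructed for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

#define XFER_MASK 0x03   /* transfer-type bits of bmAttributes */
#define XFER_BULK 0x02
#define XFER_INT  0x03

struct ep_desc { uint8_t bEndpointAddress, bmAttributes; };

/* Assumed layout: the type(s) the driver expects at each endpoint address. */
struct ep_rule { uint8_t addr, type, alt_type; };
static const struct ep_rule rules[] = {
    { 0x01, XFER_BULK, XFER_BULK },  /* data out */
    { 0x82, XFER_BULK, XFER_BULK },  /* data in (bit 7 = IN) */
    { 0x83, XFER_INT,  XFER_INT  },  /* events in */
    { 0x04, XFER_INT,  XFER_BULK },  /* fourth endpoint: either type */
};

/* Constructed samples: a well-formed device, and one whose data-in endpoint
 * is declared interrupt instead of bulk. */
const struct ep_desc good_dev[] = {
    { 0x01, XFER_BULK }, { 0x82, XFER_BULK }, { 0x83, XFER_INT }, { 0x04, XFER_INT } };
const struct ep_desc odd_dev[] = {
    { 0x01, XFER_BULK }, { 0x82, XFER_INT }, { 0x83, XFER_INT }, { 0x04, XFER_BULK } };

/* True if the endpoint named by the rule exists and has an allowed type. */
static bool rule_ok(const struct ep_rule *r, const struct ep_desc *eps, size_t n) {
    for (size_t i = 0; i < n; i++) {
        uint8_t t = eps[i].bmAttributes & XFER_MASK;
        if (eps[i].bEndpointAddress == r->addr)
            return t == r->type || t == r->alt_type;
    }
    return false;  /* a missing endpoint is also a failure */
}

/* The gap: only the fourth endpoint is checked, the rest are trusted. */
bool probe_fourth_only(const struct ep_desc *eps, size_t n) {
    return rule_ok(&rules[3], eps, n);
}

/* Full check: every endpoint must pass before any URB is submitted to it. */
bool probe_all(const struct ep_desc *eps, size_t n) {
    for (size_t r = 0; r < sizeof(rules) / sizeof(rules[0]); r++)
        if (!rule_ok(&rules[r], eps, n))
            return false;
    return true;
}
```

With the constructed `odd_dev` set, `probe_fourth_only` accepts the device while `probe_all` rejects it at probe time, before the type mismatch can reach URB submission.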
Defensive priority
medium
Recommended defensive actions
- Restrict interactive shell access to the GNU/Linux subsystem on affected Siemens SIMATIC S7-1500 TM MFP devices to trusted personnel only
- Implement application whitelisting to ensure only trusted, verified applications are built and executed on the GNU/Linux subsystem
- Apply defense-in-depth strategies including network segmentation for industrial control systems per CISA ICS recommended practices
- Monitor for kernel warnings or system instability that may indicate exploitation attempts against the carl9170 driver
- Await security updates from Siemens for a permanent patch; subscribe to Siemens ProductCERT and CISA ICS advisories for notification when fixes become available
Evidence notes
Vulnerability description derived from CISA CSAF advisory ICSA-24-102-01 and Siemens security advisory SSA-265688. The carl9170 driver issue was identified through Syzkaller automated fuzzing. CVSS vector confirms local attack vector with low attack complexity and low privileges required, resulting in high availability impact. Multiple advisory revisions tracked through 2025 indicate ongoing monitoring of related kernel vulnerabilities in the Siemens product line.
Official resources
- CVE-2024-38567 CVE record (CVE.org)
- CVE-2024-38567 NVD detail (NVD)
- Source item URL (cisa_csaf)
2024-04-09