PatchSiren

PatchSiren cyber security CVE debrief

CVE-2024-38579 Siemens CVE debrief

CVE-2024-38579 is a medium-severity vulnerability (CVSS 3.1 base score 5.5) in the Linux kernel's Broadcom SPU crypto driver (crypto: bcm). In `spu2_dump_omd()`, the pointer that walks the operand metadata block is advanced by `ciph_key_len` instead of `hash_iv_len` after the hash IV, so the following read can fall outside the buffer (an out-of-bounds read; the upstream fix is a one-token change). Siemens ProductCERT published its advisory for this CVE on August 12, 2025, and the entry was last modified on February 25, 2026. Siemens lists multiple industrial networking products as affected, including the RUGGEDCOM RST2428P and SCALANCE X-family switches running SINEC OS. Siemens classifies the issue as CWE-20 (Improper Input Validation), although the defect itself is an out-of-bounds read (CWE-125) caused by pointer arithmetic. A vendor fix is available: update to SINEC OS V3.1 or later.

Vendor
Siemens
Product
RUGGEDCOM RST2428P (6GK6242-6PA00)
CVSS
MEDIUM 5.5
CISA KEV
Not listed in stored evidence
Original CVE published
2024-04-09
Original CVE updated
2026-05-14
Advisory published
2024-04-09
Advisory updated
2026-05-14

Who should care

Organizations operating Siemens industrial networking equipment from the SCALANCE XC-300/XR-300/XC-400/XR-500WG/XR-500 family, the SCALANCE XCM-/XRM-/XCH-/XRH-300 family, and the RUGGEDCOM RST2428P. OT security teams, ICS asset owners, and critical infrastructure operators running SINEC OS-based devices should prioritise updating to V3.1 or later.

Technical summary

The defect is in `spu2_dump_omd()` in the Broadcom SPU2 crypto driver (drivers/crypto/bcm/spu2.c), a diagnostic routine that walks the operand metadata (OMD) block of an SPU2 message and hex-dumps its four fields in order: hash key, cipher key, hash IV, cipher IV. After dumping the hash IV the walking pointer must advance by `hash_iv_len`, but the code advanced it by `ciph_key_len`. Whenever the cipher key is longer than the hash IV, the cipher-IV dump therefore starts at the wrong offset and reads `ciph_key_len - hash_iv_len` bytes past the end of the OMD block; when the two lengths happen to be equal the wrong increment equals the right one and nothing goes out of bounds. The upstream fix replaces that single `ciph_key_len` with `hash_iv_len`. The out-of-bounds read is a kernel memory-safety violation that can crash the system (local denial of service); it requires local access with low privileges, which limits exploitability in properly segmented industrial networks.
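A worked model of the pointer walk, added here as an example and not code from the kernel or from Siemens: the struct, the field names, the `omd_walk_block()` helper and the two sets of sample lengths are this example's own. It walks the same four-field layout once with the defective increment and once with the fixed one, reporting where the cipher-IV dump would start and how many bytes it would read past the end of the block, and includes the case where equal lengths mask the bug.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of the SPU2 operand metadata (OMD) block that
 * spu2_dump_omd() walks: hash key, cipher key, hash IV and cipher IV packed
 * back to back.  The struct and field names are this example's own. */
struct omd_lens {
    uint16_t hash_key_len;
    uint16_t ciph_key_len;
    uint16_t hash_iv_len;
    uint16_t ciph_iv_len;
};

/* Where each field's dump would start, and how many bytes the whole walk
 * reads past the end of the block (0 means every dump stayed in bounds). */
struct omd_walk {
    size_t hash_key_off, ciph_key_off, hash_iv_off, ciph_iv_off;
    size_t overrun;
};

/* Size of a correctly packed OMD block for these lengths. */
size_t omd_size_for(const struct omd_lens *l)
{
    return (size_t)l->hash_key_len + l->ciph_key_len +
           l->hash_iv_len + l->ciph_iv_len;
}

/* Bytes that a read of len at off would extend beyond a buffer of size. */
static size_t bytes_past_end(size_t off, size_t len, size_t size)
{
    return off + len > size ? off + len - size : 0;
}

/* Walk an OMD block of omd_size bytes the way the dump routine does.
 * buggy != 0 advances past the hash IV by ciph_key_len (the CVE-2024-38579
 * defect); buggy == 0 advances by hash_iv_len (the upstream one-token fix). */
struct omd_walk omd_walk_block(const struct omd_lens *l, size_t omd_size,
                               int buggy)
{
    struct omd_walk w;
    size_t off = 0;

    memset(&w, 0, sizeof(w));
    if (l->hash_key_len) {
        w.hash_key_off = off;
        w.overrun += bytes_past_end(off, l->hash_key_len, omd_size);
        off += l->hash_key_len;
    }
    if (l->ciph_key_len) {
        w.ciph_key_off = off;
        w.overrun += bytes_past_end(off, l->ciph_key_len, omd_size);
        off += l->ciph_key_len;
    }
    if (l->hash_iv_len) {
        w.hash_iv_off = off;
        w.overrun += bytes_past_end(off, l->hash_iv_len, omd_size);
        off += buggy ? l->ciph_key_len : l->hash_iv_len;
    }
    if (l->ciph_iv_len) {
        w.ciph_iv_off = off;
        w.overrun += bytes_past_end(off, l->ciph_iv_len, omd_size);
    }
    return w;
}

static void report(const char *label, const struct omd_lens *l, int buggy)
{
    size_t size = omd_size_for(l);
    struct omd_walk w = omd_walk_block(l, size, buggy);

    printf("%-24s block=%zu cipher IV dump at %zu, reads %zu byte(s) past end\n",
           label, size, w.ciph_iv_off, w.overrun);
}

int main(void)
{
    /* Constructed lengths: 32-byte HMAC key, 32-byte AES-256 key, 16-byte IVs. */
    struct omd_lens aead = { 32, 32, 16, 16 };
    /* Constructed lengths with ciph_key_len == hash_iv_len: the wrong
     * increment equals the right one, so nothing goes out of bounds. */
    struct omd_lens masked = { 32, 16, 16, 16 };

    report("aead, buggy increment", &aead, 1);
    report("aead, fixed increment", &aead, 0);
    report("masked, buggy increment", &masked, 1);
    return 0;
}
```

With the first length set the buggy walk places the cipher-IV dump at offset 96 of a 96-byte block and reads 16 bytes past its end; the fixed walk places it at offset 80 and stays in bounds. The second set shows why a test with equal cipher-key and hash-IV lengths would never have caught the defect.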

Defensive priority

medium

Recommended defensive actions

  • Apply the vendor update to SINEC OS V3.1 or later on affected SCALANCE and RUGGEDCOM products
  • Review and implement the CISA ICS recommended practices for defense-in-depth
  • Monitor Siemens ProductCERT advisory SSA-613116 for further updates or clarifications to the affected-product list
  • Where patching is not immediately feasible, apply network segmentation and access controls so that only trusted administrators can obtain the local, authenticated access the CVSS vector requires

Evidence notes

The vulnerability description indicates a classic pointer arithmetic error in kernel crypto code. The CVSS vector (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H) decodes as: local attack vector (AV:L), low attack complexity (AC:L), low privileges required (PR:L, i.e. an authenticated local account on the device), no user interaction (UI:N), unchanged scope (S:U), and high availability impact with no confidentiality or integrity impact (C:N/I:N/A:H). The base score that follows from these weights is 5.5. This is a local denial-of-service condition, not remote code execution; an attacker would already need a foothold on the device.
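To confirm that the quoted vector really yields 5.5, here is a small CVSS v3.1 base-score calculator, added as an example and not code from the page's source, from Siemens or from NVD. The metric weights and the Roundup rule are those of the CVSS v3.1 specification; the parser, the function names and the two extra vectors in `main()` (a zero-impact one and a scope-changed one) are this example's own.

```c
#include <stdio.h>
#include <string.h>

/* Constructed CVSS v3.1 base-score calculator.  Weights and rounding follow
 * the CVSS v3.1 specification; parser and names are this example's own. */

/* Weight of a C/I/A metric value, or -1 for an unknown letter. */
static double cia_weight(char v)
{
    return v == 'H' ? 0.56 : v == 'L' ? 0.22 : v == 'N' ? 0.0 : -1.0;
}

/* CVSS v3.1 Roundup: smallest one-decimal value >= x, done on an integer
 * scale as the specification prescribes, so 5.43 rounds to 5.5 not 5.4. */
static double cvss_roundup(double x)
{
    long long n = (long long)(x * 100000.0 + 0.5);
    if (n % 10000 == 0)
        return (double)n / 100000.0;
    return (double)(n / 10000 + 1) / 10.0;
}

/* Parse a CVSS:3.1 base vector and return its base score, or -1.0 if the
 * vector is malformed or carries metrics this calculator does not handle. */
double cvss31_base_score(const char *vector)
{
    double av = -1, ac = -1, ui = -1, c = -1, i = -1, a = -1, pr = -1;
    char prv = 0, scope = 0, buf[128], *tok;

    if (strncmp(vector, "CVSS:3.1/", 9) != 0 || strlen(vector) >= sizeof buf)
        return -1.0;
    strcpy(buf, vector + 9);

    for (tok = strtok(buf, "/"); tok; tok = strtok(NULL, "/")) {
        char *colon = strchr(tok, ':');
        char v;
        if (!colon || colon[1] == '\0' || colon[2] != '\0')
            return -1.0;
        *colon = '\0';
        v = colon[1];
        if (!strcmp(tok, "AV"))
            av = v == 'N' ? 0.85 : v == 'A' ? 0.62 : v == 'L' ? 0.55 : v == 'P' ? 0.2 : -1;
        else if (!strcmp(tok, "AC"))
            ac = v == 'L' ? 0.77 : v == 'H' ? 0.44 : -1;
        else if (!strcmp(tok, "PR"))
            prv = v;                       /* weight depends on scope */
        else if (!strcmp(tok, "UI"))
            ui = v == 'N' ? 0.85 : v == 'R' ? 0.62 : -1;
        else if (!strcmp(tok, "S"))
            scope = v;
        else if (!strcmp(tok, "C"))
            c = cia_weight(v);
        else if (!strcmp(tok, "I"))
            i = cia_weight(v);
        else if (!strcmp(tok, "A"))
            a = cia_weight(v);
        else
            return -1.0;   /* temporal and environmental metrics not handled */
    }

    if (scope == 'U')
        pr = prv == 'N' ? 0.85 : prv == 'L' ? 0.62 : prv == 'H' ? 0.27 : -1;
    else if (scope == 'C')
        pr = prv == 'N' ? 0.85 : prv == 'L' ? 0.68 : prv == 'H' ? 0.5 : -1;
    if (av < 0 || ac < 0 || pr < 0 || ui < 0 || c < 0 || i < 0 || a < 0)
        return -1.0;

    {
        double iss = 1.0 - (1.0 - c) * (1.0 - i) * (1.0 - a);
        double impact, expl, sum;
        if (scope == 'U') {
            impact = 6.42 * iss;
        } else {
            double p = 1.0, base = iss - 0.02;
            int k;
            for (k = 0; k < 15; k++)
                p *= base;                 /* (iss - 0.02)^15 without libm */
            impact = 7.52 * (iss - 0.029) - 3.25 * p;
        }
        if (impact <= 0.0)
            return 0.0;
        expl = 8.22 * av * ac * pr * ui;
        sum = scope == 'U' ? impact + expl : 1.08 * (impact + expl);
        return cvss_roundup(sum > 10.0 ? 10.0 : sum);
    }
}

int main(void)
{
    /* The vector quoted in the debrief, plus two constructed vectors that
     * exercise the zero-impact and the scope-changed branches. */
    const char *vectors[] = {
        "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
        "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N",
        "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
    };
    size_t n;
    for (n = 0; n < sizeof vectors / sizeof vectors[0]; n++)
        printf("%s -> %.1f\n", vectors[n], cvss31_base_score(vectors[n]));
    return 0;
}
```

For the debrief's vector the impact sub-score is 6.42 x 0.56 = 3.5952 and the exploitability sub-score is 8.22 x 0.55 x 0.77 x 0.62 x 0.85 = 1.8346, whose sum 5.4298 rounds up to 5.5. The calculator deliberately returns -1.0 for vectors that carry temporal or environmental metrics or a version other than 3.1, rather than silently scoring a partial vector.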

Official resources

This vulnerability was disclosed through coordinated disclosure via CISA and Siemens ProductCERT. The advisory was initially published on August 12, 2025, with subsequent updates in February 2026 to correct affected product listings and rep