PatchSiren cyber security CVE debrief

CVE-2024-38627 Siemens CVE debrief

A double-free vulnerability exists in the Linux kernel's System Trace Module (STM) class subsystem. The flaw occurs in `stm_register_device()` where `put_device(&stm->dev)` triggers `stm_device_release()`, which already frees the `stm` structure. A subsequent `vfree(stm)` call results in a double-free condition. This vulnerability affects Siemens industrial networking products running SINEC OS, specifically the RUGGEDCOM RST2428P and SCALANCE X-family switches. Siemens has addressed this issue in SINEC OS V3.1 and later versions. The vulnerability was initially published on August 12, 2025, with subsequent advisory updates through February 25, 2026, including corrections to affected product listings and removal of rejected CVEs.

Vendor: Siemens
Product: RUGGEDCOM RST2428P (6GK6242-6PA00)
CVSS: NONE
CISA KEV: Not listed in stored evidence
Original CVE published: 2025-08-12
Original CVE updated: 2026-02-25
Advisory published: 2025-08-12
Advisory updated: 2026-02-25

Who should care

Organizations operating Siemens industrial networking equipment, including RUGGEDCOM RST2428P switches and SCALANCE XC-300/XR-300/XC-400/XR-500WG/XR-500 family devices. System administrators maintaining Linux systems with the STM class subsystem enabled. Industrial control system operators following CISA guidance for critical infrastructure protection.

Technical summary

The vulnerability is a classic double-free bug in the Linux kernel's System Trace Module (STM) class implementation. In `stm_register_device()`, when device registration fails, `put_device(&stm->dev)` is called, which decrements the reference count and triggers `stm_device_release()`. This release callback performs `kfree(stm)`, freeing the memory. However, the error handling path then executes `vfree(stm)`, attempting to free the same memory again. Freeing the same allocation twice can lead to memory corruption, kernel crashes, or potentially exploitable conditions depending on heap state. The fix removes the redundant `vfree(stm)` call, relying solely on the device release mechanism for cleanup.
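The ownership rule the fix depends on is that once `put_device()` drops the last reference, the release callback owns the allocation and the caller must not free it again. The added user-space C model below (not the kernel's code) reproduces that error path with a hypothetical refcounted `struct device`; `tracked_free()` stands in for `vfree()` and only counts a second call instead of performing it, so the vulnerable and fixed paths can be compared without crashing.

```c
#include <stdlib.h>

/* Hypothetical model of the kernel's refcounted device with a release callback. */
struct device { int refcount; void (*release)(struct device *); };
struct stm_device { struct device dev; int nmasters; };

static int free_count;   /* how many times the stm allocation was "freed" */

/* Stand-in for vzalloc(): resets the free counter for each new allocation. */
static void *tracked_alloc(size_t n) { free_count = 0; return calloc(1, n); }

/* Stand-in for vfree(): really frees only the first time, counts every call. */
static void tracked_free(void *p) { if (free_count++ == 0) free(p); }

/* Release callback: the device core calls this when the last ref is dropped. */
static void stm_device_release(struct device *dev) {
    /* dev is the first member, so the cast recovers the containing stm_device */
    tracked_free((struct stm_device *)dev);
}

/* Model of put_device(): drop a reference, run release on the last one. */
static void put_device(struct device *dev) {
    if (--dev->refcount == 0 && dev->release) dev->release(dev);
}

static struct stm_device *alloc_stm(void) {
    struct stm_device *stm = tracked_alloc(sizeof *stm);
    stm->dev.refcount = 1;              /* matches device_initialize() */
    stm->dev.release = stm_device_release;
    return stm;
}

/* Error path before the fix: put_device() frees stm via the release callback,
 * then the caller frees it again. Returns the number of frees observed. */
int register_error_path_vulnerable(void) {
    struct stm_device *stm = alloc_stm();
    put_device(&stm->dev);   /* last reference: release callback frees stm */
    tracked_free(stm);       /* redundant free of the same memory: the bug */
    return free_count;
}

/* Error path after the fix: the release callback is the only owner. */
int register_error_path_fixed(void) {
    struct stm_device *stm = alloc_stm();
    put_device(&stm->dev);   /* frees stm exactly once; nothing else to do */
    return free_count;
}
```

The same pattern applies to any kobject-backed structure: after `put_device()` the pointer must be treated as gone, which is why the fix returns immediately instead of falling through to `vfree()`.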

Defensive priority

medium

Recommended defensive actions

  • Update affected Siemens SINEC OS devices to version 3.1 or later
  • Review and apply vendor security advisories for SCALANCE and RUGGEDCOM product families
  • Implement network segmentation for industrial control systems per CISA recommended practices
  • Monitor for kernel updates from Linux distribution maintainers for non-Siemens systems using the STM class subsystem

Evidence notes

The vulnerability description is derived from the Linux kernel commit message resolving the double-free in `stm_register_device()`. Siemens ProductCERT advisory SSA-613116 and CISA advisory ICSA-25-226-15 confirm affected products and remediation. The CVSS vector AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:N indicates a network attack vector with high complexity, no confidentiality or integrity impact, and no availability impact, resulting in a NONE severity score.
