PatchSiren cyber security CVE debrief
CVE-2024-38633 Siemens CVE debrief
A logic error in the Linux kernel's MAX3100 serial driver causes a NULL pointer dereference and kernel oops when the driver is reloaded after removal. The global variable tracking UART driver registration state is not updated on driver removal, causing subsequent probe attempts to reference invalid memory. Siemens SINEC OS-based products including RUGGEDCOM RST2428P and SCALANCE X-family switches are affected.
- Vendor: Siemens
- Product: RUGGEDCOM RST2428P (6GK6242-6PA00)
- CVSS: NONE
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2025-08-12
- Original CVE updated: 2026-02-25
- Advisory published: 2025-08-12
- Advisory updated: 2026-02-25
Who should care
Organizations operating Siemens industrial networking equipment including RUGGEDCOM RST2428P and SCALANCE X-family switches running SINEC OS, as well as any systems utilizing the Linux MAX3100 serial driver in kernel versions prior to the fix.
Technical summary
The MAX3100 SPI UART driver in the Linux kernel fails to update its global uart_driver_registered state variable upon driver removal. When the last MAX3100 device is removed, the driver unregisters but leaves the variable set. On subsequent driver reload (insmod), the probe function detects the stale state and skips UART driver registration, yet proceeds to register ports. This causes a NULL pointer dereference in serial_core_register_port when accessing the uninitialized uart_driver structure. The vulnerability also affects error paths in probe where premature variable assignment could leave inconsistent state. The resolution moves the uart_driver_registered assignment to occur only after successful uart_register_driver() completion, ensuring state consistency across driver lifecycle events.
Defensive priority
medium
Recommended defensive actions
- Apply vendor fix: Update affected Siemens SINEC OS products to V3.1 or a later version
- Review kernel driver state management in custom MAX3100 implementations
- Monitor for kernel oops messages related to serial_core_register_port or max3100_probe
- Implement defense-in-depth controls per CISA ICS recommended practices for industrial control systems
Evidence notes
The vulnerability exists in the max3100 driver where uart_driver_registered is not cleared when the last device is removed. After an insmod-rmmod-insmod cycle, the probe function attempts to use stale state, triggering a NULL pointer dereference at serial_core_register_port+0xa0. The fix moves the variable assignment to occur only after successful uart_register_driver() completion.
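The reload sequence and the failed-registration error path described in the technical summary and evidence notes, as an added user-space C model (not the kernel's or Siemens' code). The names drv_state, fail_register, register_port, remove_dev and second_probe are hypothetical, and the stand-in for serial_core_register_port() returns -2 at the point where the real driver would dereference NULL.

```c
#include <stdbool.h>
#include <stdio.h>
/* User-space model, not kernel code: names follow the page, bodies are assumed. */
static int backing, ndevices, *drv_state;   /* drv_state: NULL unless registered */
static bool uart_driver_registered;         /* the global flag the page describes */
static bool fail_register;                  /* knob: fail the next registration once */

static int uart_register_driver(void) {
    if (fail_register) { fail_register = false; return -1; }
    drv_state = &backing;
    return 0;
}

/* Stand-in for serial_core_register_port(), which dereferences driver state. */
static int register_port(void) {
    if (!drv_state) return -2;              /* the kernel would oops here */
    ++*drv_state;
    return 0;
}

static int probe(bool fixed) {
    if (!uart_driver_registered) {
        if (!fixed) uart_driver_registered = true;  /* flawed: set before success */
        if (uart_register_driver() != 0) return -1;
        uart_driver_registered = true;              /* fixed: set only after success */
    }
    if (register_port() != 0) return -2;
    ndevices++;
    return 0;
}

static void remove_dev(bool fixed) {
    if (--ndevices > 0) return;                     /* other devices still bound */
    drv_state = NULL;                               /* models uart_unregister_driver() */
    if (fixed) uart_driver_registered = false;      /* clear the stale flag */
}

/* Result of a second probe after probe+remove, or after a failed registration. */
static int second_probe(bool fixed, bool fail_first) {
    drv_state = NULL; uart_driver_registered = false; ndevices = 0;
    fail_register = fail_first;
    if (probe(fixed) == 0) remove_dev(fixed);
    return probe(fixed);
}

int main(void) {
    printf("reload: flawed=%d fixed=%d\n", second_probe(false, false), second_probe(true, false));
    printf("failed registration: flawed=%d fixed=%d\n", second_probe(false, true), second_probe(true, true));
}
```

In both sequences the flawed ordering reaches port registration with no registered driver state, while the corrected ordering registers the driver again and the probe succeeds.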
Official resources
- CVE-2024-38633 CVE record (CVE.org)
- CVE-2024-38633 NVD detail (NVD)
- Source item URL (cisa_csaf)
- Source reference (Reference)
2025-08-12