PatchSiren cyber security CVE debrief
CVE-2024-44990 Siemens CVE debrief
CVE-2024-44990 is a null pointer dereference vulnerability in the Linux kernel's bonding driver, specifically within the `bond_ipsec_offload_ok` function. The flaw occurs when the function dereferences a pointer without first verifying that an active slave exists in the bonding configuration. This vulnerability was resolved by adding a check for an active slave before pointer dereference. The issue affects Siemens industrial networking products that incorporate the vulnerable Linux kernel component, including RUGGEDCOM RST2428P and SCALANCE switch families. The vulnerability has a CVSS 3.1 score of 5.5 (MEDIUM severity), with a local attack vector requiring low privileges and no user interaction, potentially leading to high availability impact through denial of service.
- Vendor: Siemens
- Product: RUGGEDCOM RST2428P (6GK6242-6PA00)
- CVSS: MEDIUM 5.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2024-04-09
- Original CVE updated: 2026-05-14
- Advisory published: 2024-04-09
- Advisory updated: 2026-05-14
Who should care
Organizations operating Siemens industrial networking infrastructure, particularly those utilizing IPsec with link aggregation/bonding configurations. Critical infrastructure operators, manufacturing facilities, and utility providers deploying affected RUGGEDCOM and SCALANCE devices should prioritize assessment and patching. Security teams responsible for OT/ICS environments should evaluate exposure and implement compensating controls where immediate patching is not feasible.
Technical summary
The vulnerability exists in the `bond_ipsec_offload_ok` function of the Linux kernel bonding driver. When processing IPsec offload operations, the function fails to verify that an active slave is present before dereferencing a pointer, leading to a null pointer dereference. This condition can be triggered in bonding configurations where no active slave exists, potentially causing a kernel crash or denial of service. The fix implements a null check for the active slave before pointer dereference. Affected Siemens products include RUGGEDCOM RST2428P (6GK6242-6PA00), SCALANCE XC-300/XR-300/XC-400/XR-500WG/XR-500 family, and SCALANCE XCM-/XRM-/XCH-/XRH-300 family when running vulnerable firmware versions.
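The pattern described above, as an added example (not the kernel's or Siemens' code): a simplified user-space C model showing the unchecked dereference beside the form that checks for an active slave first. All type, field and function names are hypothetical stand-ins, and the device values are constructed.

```c
#include <stdbool.h>
#include <stddef.h>

/* Simplified user-space model. All types and names here are hypothetical
 * stand-ins for illustration, not the kernel's structures. */
struct model_dev   { const char *name; bool ipsec_offload; };
struct model_slave { struct model_dev *dev; };
struct model_bond  { struct model_slave *active; /* NULL: no active slave */ };

/* "Before" pattern: assumes an active slave always exists. If bond->active
 * is NULL, reading ->dev dereferences a null pointer. */
bool offload_ok_unchecked(const struct model_bond *bond)
{
    const struct model_dev *real_dev = bond->active->dev;
    return real_dev->ipsec_offload;
}

/* "After" pattern: check for an active slave first and decline offload
 * when there is none. */
bool offload_ok_checked(const struct model_bond *bond)
{
    const struct model_slave *active = bond->active;
    if (active == NULL)
        return false;
    return active->dev->ipsec_offload;
}

/* Constructed scenario: the active slave is cleared between two offload
 * queries. Holds the checked result before and after the change. */
struct demo_result { bool with_slave; bool without_slave; };

struct demo_result demo_failover(void)
{
    struct model_dev   dev   = { "port0", true };  /* constructed sample */
    struct model_slave slave = { &dev };
    struct model_bond  bond  = { &slave };
    struct demo_result r;

    r.with_slave = offload_ok_checked(&bond);
    bond.active = NULL;                  /* no active slave remains */
    r.without_slave = offload_ok_checked(&bond);
    /* Calling offload_ok_unchecked(&bond) here would dereference NULL. */
    return r;
}
```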
Defensive priority
medium
Recommended defensive actions
- Apply vendor-provided firmware updates to V3.2 or later for affected RUGGEDCOM and SCALANCE products per Siemens ProductCERT guidance
- Review network segmentation for affected industrial control systems to limit local access
- Monitor for anomalous behavior in IPsec-enabled bonding configurations on affected devices
- Consult Siemens support portal for product-specific patch availability and deployment guidance
- Implement defense-in-depth strategies for industrial control systems per CISA recommended practices
Evidence notes
The vulnerability description indicates this is a null pointer dereference in the Linux kernel bonding driver's IPsec offload functionality. The fix requires checking for an active slave before dereferencing the pointer. Siemens ProductCERT advisory SSA-355557 and CISA ICSA-25-226-07 document affected products and remediation. The CVSS vector (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H) confirms local attack vector with availability impact.
Official resources
- CVE-2024-44990 CVE record (CVE.org)
- CVE-2024-44990 NVD detail (NVD)
- Source item URL (cisa_csaf)
2025-08-12