PatchSiren cyber security CVE debrief
CVE-2024-47684 Siemens CVE debrief
A NULL pointer dereference vulnerability exists in the Linux kernel's TCP stack within the tcp_rto_delta_us() function. The flaw occurs when tcp_rearm_rto() is invoked with a NULL socket buffer (skb), leading to a kernel crash. This vulnerability was observed in production environments running Ubuntu 20.04.6 with kernel 5.4.0-174-generic, particularly affecting Ceph storage workloads. The crash manifests through multiple code paths including TCP Tail Loss Probe (TLP) and RACK (Recent ACK) loss recovery mechanisms. Siemens has identified affected industrial networking products that incorporate vulnerable Linux kernel versions.
- Vendor: Siemens
- Product: RUGGEDCOM RST2428P (6GK6242-6PA00)
- CVSS: MEDIUM 5.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2024-04-09
- Original CVE updated: 2026-05-14
- Advisory published: 2024-04-09
- Advisory updated: 2026-05-14
Who should care
Organizations operating Siemens industrial networking equipment including RUGGEDCOM RST2428P switches and SCALANCE XC/XR/XCM/XRM/XCH/XRH series devices. System administrators managing Linux-based storage clusters, particularly Ceph deployments on Ubuntu 20.04 LTS with affected kernel versions. Industrial control system operators requiring high availability for TCP-based communications.
Technical summary
The vulnerability stems from a missing NULL check in tcp_rto_delta_us() when processing TCP retransmission timeout calculations. The function tcp_rearm_rto() can be called with a NULL skb parameter through multiple execution paths, including TCP Tail Loss Probe (TLP) and RACK loss recovery. When tcp_rto_delta_us() attempts to dereference the skb without validation, it triggers a kernel NULL pointer dereference. The crash occurs in supervisor mode during kernel TCP timer processing, resulting in system instability. The fix adds an explicit NULL check before skb access.
Defensive priority
medium
Recommended defensive actions
- Apply vendor-provided firmware updates to V3.2 or later for affected Siemens RUGGEDCOM RST2428P and SCALANCE XCM-/XRM-/XCH-/XRH-300 family devices
- For SCALANCE XC-300/XR-300/XC-400/XR-500WG/XR-500 family, consult Siemens ProductCERT advisory SSA-355557 for specific configuration guidance and update paths
- Implement network segmentation for industrial control systems to limit exposure of affected devices
- Monitor kernel logs for NULL pointer dereference errors in tcp_rearm_rto as potential indicators of exploitation attempts
- Prioritize patching on systems running Ceph or other high-throughput TCP workloads that may trigger the vulnerable code paths
Evidence notes
The vulnerability description includes kernel oops logs showing a NULL pointer dereference at address 0x0000000000000020 with RIP pointing to tcp_rearm_rto+0xe4/0x160. The crash was reproduced through both TLP (tcp_send_loss_probe) and RACK code paths. The fix involves adding a NULL check for skb in tcp_rto_delta_us().
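The log monitoring recommended above can key on the signature described in these notes. The following is an added example, not code from the advisory or from Siemens: it assumes x86-64 oops formatting as it appears in dmesg or the journal, the names `find_rto_oopses` and `classify` are hypothetical, and the sample lines are constructed.

```python
import re

BUG_RE = re.compile(r"BUG: kernel NULL pointer dereference, address: (?:0x)?([0-9a-f]+)")
RIP_RE = re.compile(r"RIP: [0-9a-f]+:(\w+)\+0x[0-9a-f]+/0x[0-9a-f]+")
FRAME_RE = re.compile(r"\s\??\s*(\w+)\+0x[0-9a-f]+/0x[0-9a-f]+")

def classify(func):
    """Map a call-trace frame to the loss-recovery path the page names."""
    if func == "tcp_send_loss_probe":
        return "TLP"
    if func.startswith("tcp_rack_"):  # assumption: RACK helpers share this prefix
        return "RACK"
    return None

def find_rto_oopses(lines):
    """Return one record per NULL-deref oops whose faulting RIP is tcp_rearm_rto."""
    hits, cur = [], None
    for line in lines:
        m = BUG_RE.search(line)
        if m:  # start of a new oops report
            cur = {"address": m.group(1), "rip": None, "path": "unknown"}
            continue
        if cur is None or "end trace" in line:  # outside a report, or report finished
            cur = None
            continue
        m = RIP_RE.search(line)
        if m:
            if cur["rip"] is None:  # the first RIP line names the faulting function
                cur["rip"] = m.group(1)
                if cur["rip"] == "tcp_rearm_rto":
                    hits.append(cur)
            continue
        m = FRAME_RE.search(line)
        if m and cur["path"] == "unknown" and classify(m.group(1)):
            cur["path"] = classify(m.group(1))
    return hits

# Constructed sample in the shape of the oops the page describes; not a real capture.
SAMPLE = """\
[ 1000.000001] BUG: kernel NULL pointer dereference, address: 0000000000000020
[ 1000.000002] RIP: 0010:tcp_rearm_rto+0xe4/0x160
[ 1000.000003] Call Trace:
[ 1000.000004]  tcp_send_loss_probe+0x10b/0x220
[ 1000.000005]  tcp_write_timer_handler+0x1b4/0x240
[ 1000.000006] ---[ end trace 0000000000000000 ]---
[ 2000.000001] BUG: kernel NULL pointer dereference, address: 0000000000000008
[ 2000.000002] RIP: 0010:example_driver_poll+0x12/0x80
""".splitlines()
```

Calling `find_rto_oopses(SAMPLE)` flags only the first report and labels it `TLP`; the second oops faults in an unrelated function and is ignored.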
Official resources
- CVE-2024-47684 CVE record (CVE.org)
- CVE-2024-47684 NVD detail (NVD)
- Source item URL (cisa_csaf)
2025-08-12