PatchSiren cyber security CVE debrief
CVE-2024-50153 Siemens CVE debrief
A null pointer dereference vulnerability exists in the Linux kernel's SCSI target core subsystem. The flaw occurs in target_alloc_device() when memory allocation for the device queues fails. At that point the error path attempts to free the device structure through dev->transport->free_device(), but dev->transport has not yet been assigned, so the call dereferences a null pointer and crashes the kernel. The fix changes the error path to call hba->backend->ops->free_device() instead, which is valid throughout the function. This issue affects Siemens SIMATIC S7-1500 TM MFP industrial control systems that use the GNU/Linux subsystem. The vulnerability has a CVSS 3.1 score of 5.5 (MEDIUM severity) with a local attack vector, low attack complexity, low privileges required, and high availability impact. No known exploitation in the wild has been reported, and the vulnerability is not listed in CISA's Known Exploited Vulnerabilities catalog.
- Vendor
- Siemens
- Product
- SIMATIC S7-1500 TM MFP - GNU/Linux subsystem
- CVSS
- MEDIUM 5.5
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2024-04-09
- Original CVE updated
- 2026-05-14
- Advisory published
- 2024-04-09
- Advisory updated
- 2026-05-14
Who should care
Industrial control system operators running Siemens SIMATIC S7-1500 TM MFP with the GNU/Linux subsystem, distribution and product kernel maintainers who ship the SCSI target (LIO) subsystem, and organizations running iSCSI or FC target mode on affected kernel versions
Technical summary
The vulnerability exists in drivers/target/target_core_device.c in the Linux kernel SCSI target subsystem. During device allocation in target_alloc_device(), if the allocation of dev->queues fails, the error handling path calls dev->transport->free_device(dev). However, dev->transport is only assigned later in the function (from hba->backend->ops), so it is still NULL at this point and the kernel crashes with a null pointer dereference. The fix changes the error path to call hba->backend->ops->free_device(dev), the same operations table that dev->transport would have pointed to, and one that is valid for the whole lifetime of the function. Reaching the failing path requires the ability to create target devices (normally a privileged local operation through the target configfs interface) together with an allocation failure, which is consistent with the local, low-privilege, availability-only CVSS vector. This is a classic initialization-order bug where cleanup code assumes state that has not yet been established.
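To make the initialization-order bug described in the summary above and in the opening paragraph concrete, here is an added user-space model of the target_alloc_device() error path. It is illustration code written for this debrief, not Linux kernel code: the struct and function names (se_hba, se_device, target_backend_ops, free_device) mirror the kernel's, but their bodies, the model backend, the fault-injection flag and the call counter are all assumptions made for the demonstration. The pre-fix path is modelled by a function that resolves the cleanup routine the kernel would call at the failure point and returns NULL instead of crashing, so the defect can be checked rather than only triggered.

```c
/*
 * Added illustration for CVE-2024-50153: a user-space model of the error
 * path in target_alloc_device(). Not kernel code; names mirror the kernel's
 * structs but every body here is simplified for demonstration.
 */
#include <stdio.h>
#include <stdlib.h>

struct se_device;
typedef void (*free_device_fn)(struct se_device *dev);

struct target_backend_ops {
    const char *name;
    free_device_fn free_device;
};

struct target_backend {
    const struct target_backend_ops *ops;
};

struct se_hba {
    struct target_backend *backend;
};

struct se_device_queue {
    int pending; /* placeholder for the kernel's per-queue state */
};

struct se_device {
    const struct target_backend_ops *transport; /* NULL until late in allocation */
    struct se_device_queue *queues;
    int queue_cnt;
};

/* Instrumentation (assumed, not kernel): counts backend free_device() calls. */
static int free_device_calls;

static void model_free_device(struct se_device *dev)
{
    free_device_calls++;
    free(dev);
}

static const struct target_backend_ops model_ops = {
    .name = "model-backend",
    .free_device = model_free_device,
};
static struct target_backend model_backend = { .ops = &model_ops };
static struct se_hba model_hba = { .backend = &model_backend };

/* Fault injection standing in for a failing kzalloc() of dev->queues. */
static int inject_queue_alloc_failure;

static struct se_device_queue *alloc_queues(int nr_queues)
{
    if (inject_queue_alloc_failure)
        return NULL;
    return calloc((size_t)nr_queues, sizeof(struct se_device_queue));
}

/*
 * The cleanup routine the pre-fix error path resolves when the queue
 * allocation fails. dev->transport has not been assigned yet, so the
 * kernel's dev->transport->free_device dereferences NULL here. This model
 * returns NULL instead of crashing so the defect can be asserted on.
 */
static free_device_fn buggy_error_path_free_fn(const struct se_device *dev)
{
    return dev->transport ? dev->transport->free_device : NULL;
}

/* The fixed error path resolves cleanup through the HBA's backend ops,
 * which are valid for the whole lifetime of the allocation function. */
static free_device_fn fixed_error_path_free_fn(const struct se_hba *hba)
{
    return hba->backend->ops->free_device;
}

/* Simplified target_alloc_device() carrying the fixed error path. */
static struct se_device *model_alloc_device(struct se_hba *hba, int nr_queues)
{
    struct se_device *dev = calloc(1, sizeof(*dev));
    if (!dev)
        return NULL;

    dev->queues = alloc_queues(nr_queues);
    if (!dev->queues) {
        /* dev->transport is still NULL here: use the HBA's backend ops. */
        hba->backend->ops->free_device(dev);
        return NULL;
    }
    dev->queue_cnt = nr_queues;
    dev->transport = hba->backend->ops; /* assigned only after queues succeed */
    return dev;
}

int main(void)
{
    struct se_device probe = { 0 }; /* state of dev at the failure point */

    printf("pre-fix error path: %s\n",
           buggy_error_path_free_fn(&probe) ? "valid" : "NULL (kernel would oops)");
    printf("fixed error path:   %s\n",
           fixed_error_path_free_fn(&model_hba) ? "valid" : "NULL");

    inject_queue_alloc_failure = 1;
    struct se_device *dev = model_alloc_device(&model_hba, 4);
    printf("alloc under failure -> %p, free_device calls = %d\n",
           (void *)dev, free_device_calls);

    inject_queue_alloc_failure = 0;
    dev = model_alloc_device(&model_hba, 4);
    printf("alloc normally      -> %p, transport = %s\n",
           (void *)dev, dev ? dev->transport->name : "(none)");
    if (dev) {
        free(dev->queues);
        dev->transport->free_device(dev);
    }
    return 0;
}
```

The model captures the property a reviewer should check in any such cleanup path: the error branch may only touch fields that have already been initialised at that point in the function. Reading the kernel patch with that rule in mind, hba is a parameter and hba->backend->ops is populated before the device is ever allocated, which is why it is the right source for free_device().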
Defensive priority
medium
Recommended defensive actions
- Apply vendor-provided firmware updates when available per Siemens security advisory SSA-265688
- Restrict interactive shell access to the GNU/Linux subsystem to trusted personnel only
- Implement application whitelisting to ensure only trusted applications are built and executed
- Monitor for anomalous system behavior or crashes in SCSI target configurations
- Follow CISA ICS recommended practices for defense-in-depth strategies
Evidence notes
The vulnerability description is derived from the CISA CSAF advisory ICSA-24-102-01, which references the Linux kernel fix. The KASAN report indicates the null pointer dereference occurs at offset 0xbc4 in target_alloc_device(). The root cause is an uninitialized dev->transport pointer being dereferenced during error handling. Siemens has confirmed this affects the GNU/Linux subsystem of SIMATIC S7-1500 TM MFP devices.
Official resources
- CVE-2024-50153 CVE record (CVE.org)
- CVE-2024-50153 NVD detail (NVD)
- Source item URL (cisa_csaf)
- Source reference (Reference)
2024-04-09