PatchSiren cyber security CVE debrief
CVE-2024-56739 Siemens CVE debrief
A vulnerability in the Linux kernel's Real-Time Clock (RTC) subsystem affects Siemens industrial networking products. When the `__rtc_read_time` function fails, the `rtc_timer_do_work()` function does not validate the return value, leaving the `struct rtc_time tm` variable potentially uninitialized or containing invalid data from RTC hardware. Subsequent conversion via `rtc_tm_to_ktime()` can produce an extremely large time value (potentially `KTIME_MAX`). If periodic timers exist in `rtc->timerqueue`, they will continuously expire, potentially causing a kernel softlockup and denial of service. The vulnerability requires local access with low privileges and has been addressed in kernel updates. Siemens has released firmware updates for affected RUGGEDCOM and SCALANCE product families.
- Vendor: Siemens
- Product: RUGGEDCOM RST2428P (6GK6242-6PA00)
- CVSS: MEDIUM 5.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2025-08-12
- Original CVE updated: 2026-02-25
- Advisory published: 2025-08-12
- Advisory updated: 2026-02-25
Who should care
Organizations operating Siemens RUGGEDCOM RST2428P switches or SCALANCE XC/XR/XCM/XRM/XCH/XRH industrial Ethernet switches in critical infrastructure environments, particularly those relying on SINEC OS for network management. System administrators responsible for maintaining availability of industrial control systems and OT networks should prioritize patching during maintenance windows.
Technical summary
The vulnerability exists in `drivers/rtc/rtc-dev.c` in the `rtc_timer_do_work()` function. The function calls `__rtc_read_time()` to populate a `struct rtc_time tm` variable but does not check the return value for failure. When `__rtc_read_time()` fails, `tm` may contain stack garbage or invalid RTC hardware values. The subsequent `rtc_tm_to_ktime(tm)` conversion can yield `KTIME_MAX` or similar extreme values. With periodic timers queued in `rtc->timerqueue`, the timer subsystem will continuously process expirations, consuming CPU and potentially triggering a softlockup watchdog. The CVSS 3.1 vector AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H indicates local attack vector, low attack complexity, low privileges required, no user interaction, and high availability impact.
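A user-space C model of the failure described above, added here as an illustration; it is not the kernel's code or the vendor's patch. The `model_*` names, the single-timer queue, the `MAX_ITER` cap standing in for the softlockup watchdog, and the `KTIME_MAX` preset standing in for uninitialized data are assumptions.

```c
#include <stdint.h>
#include <stdio.h>

#define KTIME_MAX INT64_MAX
#define MAX_ITER  1000            /* assumption: stand-in for the softlockup watchdog */

struct model_tm    { int64_t secs; };
struct model_timer { int64_t expires, period; };   /* period > 0: periodic timer */

/* Model of __rtc_read_time(): on failure returns an error and leaves *tm untouched. */
static int model_read_time(int fail, int64_t hw_now, struct model_tm *tm)
{
    if (fail)
        return -5;                /* -EIO */
    tm->secs = hw_now;
    return 0;
}

/* Model of the expiry loop in rtc_timer_do_work(). Returns how many expirations
 * were processed; MAX_ITER means the loop never ended on its own. */
static int model_timer_do_work(struct model_timer *t, int fail, int check_ret)
{
    /* Constructed: KTIME_MAX stands in for stack garbage or invalid RTC data. */
    struct model_tm tm = { KTIME_MAX };
    int fired = 0;
    int err = model_read_time(fail, 100, &tm);

    if (check_ret && err)
        return 0;                 /* hardened form: do not trust tm after a failed read */

    while (t->expires <= tm.secs && fired < MAX_ITER) {
        fired++;                  /* timer callback would run here */
        if (t->period <= 0)
            break;                /* one-shot timer: done */
        t->expires += t->period;  /* periodic timer is re-queued */
    }
    return fired;
}

int main(void)
{
    struct model_timer a = { 98, 1 }, b = { 98, 1 }, c = { 98, 1 };
    printf("read ok:                %d expirations\n", model_timer_do_work(&a, 0, 0));
    printf("read fails, unchecked:  %d (hit MAX_ITER)\n", model_timer_do_work(&b, 1, 0));
    printf("read fails, checked:    %d expirations\n", model_timer_do_work(&c, 1, 1));
    return 0;
}
```

With a valid read the periodic timer catches up to the current time and the loop ends; with a failed, unchecked read the re-queued timer is always "expired" relative to the bogus time, which is the condition the return-value check removes.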
Defensive priority
medium
Recommended defensive actions
- Apply vendor firmware updates: Update RUGGEDCOM RST2428P and SCALANCE XCM-/XRM-/XCH-/XRH-300 family devices to version 3.2 or later per Siemens guidance
- For SCALANCE XC-300/XR-300/XC-400/XR-500WG/XR-500 family, consult Siemens ProductCERT advisory SSA-355557 for specific configuration guidance and available updates
- Implement defense-in-depth strategies for industrial control systems per CISA recommended practices
- Monitor for kernel softlockup indicators including unresponsive system behavior or high CPU utilization in timer-related kernel threads
- Restrict local access to affected devices to authorized personnel only
- Review and apply Siemens security advisories for SINEC OS third-party component updates regularly
Evidence notes
CVE published 2025-08-12 per CISA CSAF advisory ICSA-25-226-07. Advisory modified 2026-02-25 with republication based on Siemens ProductCERT SSA-355557. CVSS 5.5 (MEDIUM) per source. Affects Siemens RUGGEDCOM RST2428P and SCALANCE XC-300/XR-300/XC-400/XR-500WG/XR-500 and XCM-/XRM-/XCH-/XRH-300 families running SINEC OS.
Official resources
- CVE-2024-56739 CVE record (CVE.org)
- CVE-2024-56739 NVD detail (NVD)
- Source item URL (cisa_csaf)
- Source reference (Reference)
2025-08-12