#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
##
include('compat.inc');
if (description)
{
script_id(503766);
script_version("1.2");
script_set_attribute(attribute:"plugin_modification_date", value:"2026/02/12");
script_cve_id("CVE-2024-47684");
script_xref(name:"ICSA", value:"25-226-07");
script_name(english:"Siemens SIMATIC, SCALANCE and RUGGEDCOM Devices NULL Pointer Dereference (CVE-2024-47684)");
script_set_attribute(attribute:"synopsis", value:
"The remote OT asset is affected by a vulnerability.");
script_set_attribute(attribute:"description", value:
"In the Linux kernel, the following vulnerability has been resolved:
tcp: check skb is non-NULL in tcp_rto_delta_us() We have some
machines running stock Ubuntu 20.04.6 which is their 5.4.0-174-generic
kernel that are running ceph and recently hit a null ptr dereference
in tcp_rearm_rto(). Initially hitting it from the TLP path, but then
later we also saw it getting hit from the RACK case as well. Here are
examples of the oops messages we saw in each of those cases: Jul
26 15:05:02 rx [11061395.780353] BUG: kernel NULL pointer dereference,
address: 0000000000000020 Jul 26 15:05:02 rx [11061395.787572] #PF:
supervisor read access in kernel mode Jul 26 15:05:02 rx
[11061395.792971] #PF: error_code(0x0000) - not-present page Jul 26
15:05:02 rx [11061395.798362] PGD 0 P4D 0 Jul 26 15:05:02 rx
[11061395.801164] Oops: 0000 [#1] SMP NOPTI Jul 26 15:05:02 rx
[11061395.805091] CPU: 0 PID: 9180 Comm: msgr-worker-1 Tainted: G W
5.4.0-174-generic #193-Ubuntu Jul 26 15:05:02 rx [11061395.814996]
Hardware name: Supermicro SMC 2x26 os-gen8 64C NVME-Y 256G/H12SSW-NTR,
BIOS 2.5.V1.2U.NVMe.UEFI 05/09/2023 Jul 26 15:05:02 rx
[11061395.825952] RIP: 0010:tcp_rearm_rto+0xe4/0x160 Jul 26 15:05:02
rx [11061395.830656] Code: 87 ca 04 00 00 00 5b 41 5c 41 5d 5d c3 c3
49 8b bc 24 40 06 00 00 eb 8d 48 bb cf f7 53 e3 a5 9b c4 20 4c 89 ef
e8 0c fe 0e 00 <48> 8b 78 20 48 c1 ef 03 48 89 f8 41 8b bc 24 80 04 00
00 48 f7 e3 Jul 26 15:05:02 rx [11061395.849665] RSP:
0018:ffffb75d40003e08 EFLAGS: 00010246 Jul 26 15:05:02 rx
[11061395.855149] RAX: 0000000000000000 RBX: 20c49ba5e353f7cf RCX:
0000000000000000 Jul 26 15:05:02 rx [11061395.862542] RDX:
0000000062177c30 RSI: 000000000000231c RDI: ffff9874ad283a60 Jul 26
15:05:02 rx [11061395.869933] RBP: ffffb75d40003e20 R08:
0000000000000000 R09: ffff987605e20aa8 Jul 26 15:05:02 rx
[11061395.877318] R10: ffffb75d40003f00 R11: ffffb75d4460f740 R12:
ffff9874ad283900 Jul 26 15:05:02 rx [11061395.884710] R13:
ffff9874ad283a60 R14: ffff9874ad283980 R15: ffff9874ad283d30 Jul 26
15:05:02 rx [11061395.892095] FS: 00007f1ef4a2e700(0000)
GS:ffff987605e00000(0000) knlGS:0000000000000000 Jul 26 15:05:02 rx
[11061395.900438] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
Jul 26 15:05:02 rx [11061395.906435] CR2: 0000000000000020 CR3:
0000003e450ba003 CR4: 0000000000760ef0 Jul 26 15:05:02 rx
[11061395.913822] PKRU: 55555554 Jul 26 15:05:02 rx [11061395.916786]
Call Trace: Jul 26 15:05:02 rx [11061395.919488] Jul 26 15:05:02 rx
[11061395.921765] ? show_regs.cold+0x1a/0x1f Jul 26 15:05:02 rx
[11061395.925859] ? __die+0x90/0xd9 Jul 26 15:05:02 rx
[11061395.929169] ? no_context+0x196/0x380 Jul 26 15:05:02 rx
[11061395.933088] ? ip6_protocol_deliver_rcu+0x4e0/0x4e0 Jul 26
15:05:02 rx [11061395.938216] ? ip6_sublist_rcv_finish+0x3d/0x50 Jul
26 15:05:02 rx [11061395.943000] ? __bad_area_nosemaphore+0x50/0x1a0
Jul 26 15:05:02 rx [11061395.947873] ? bad_area_nosemaphore+0x16/0x20
Jul 26 15:05:02 rx [11061395.952486] ? do_user_addr_fault+0x267/0x450
Jul 26 15:05:02 rx [11061395.957104] ? ipv6_list_rcv+0x112/0x140 Jul
26 15:05:02 rx [11061395.961279] ? __do_page_fault+0x58/0x90 Jul 26
15:05:02 rx [11061395.965458] ? do_page_fault+0x2c/0xe0 Jul 26
15:05:02 rx [11061395.969465] ? page_fault+0x34/0x40 Jul 26 15:05:02
rx [11061395.973217] ? tcp_rearm_rto+0xe4/0x160 Jul 26 15:05:02 rx
[11061395.977313] ? tcp_rearm_rto+0xe4/0x160 Jul 26 15:05:02 rx
[11061395.981408] tcp_send_loss_probe+0x10b/0x220 Jul 26 15:05:02 rx
[11061395.985937] tcp_write_timer_handler+0x1b4/0x240 Jul 26 15:05:02
rx [11061395.990809] tcp_write_timer+0x9e/0xe0 Jul 26 15:05:02 rx
[11061395.994814] ? tcp_write_timer_handler+0x240/0x240 Jul 26
15:05:02 rx [11061395.999866] call_timer_fn+0x32/0x130 Jul 26
15:05:02 rx [11061396.003782] __run_timers.part.0+0x180/0x280 Jul 26
15:05:02 rx [11061396.008309] ? recalibrate_cpu_khz+0x10/0x10 Jul 26
15:05:02 rx [11061396.012841] ? native_x2apic_icr_write+0x30/0x30 Jul
26 15:05:02 rx [11061396.017718] ? lapic_next_even ---truncated---
This plugin only works with Tenable.ot.
Please visit https://www.tenable.com/products/tenable-ot for more information.");
script_set_attribute(attribute:"see_also", value:"https://cert-portal.siemens.com/productcert/html/ssa-398330.html");
script_set_attribute(attribute:"see_also", value:"https://cert-portal.siemens.com/productcert/html/ssa-265688.html");
script_set_attribute(attribute:"see_also", value:"https://cert-portal.siemens.com/productcert/html/ssa-355557.html");
script_set_attribute(attribute:"see_also", value:"https://support.industry.siemens.com/cs/ww/en/view/109478459/");
script_set_attribute(attribute:"see_also", value:"https://support.industry.siemens.com/cs/ww/en/view/109988839/");
script_set_attribute(attribute:"see_also", value:"https://www.cisa.gov/news-events/ics-advisories/ICSA-25-226-07");
script_set_attribute(attribute:"solution", value:
"The following text was originally created by the Cybersecurity and Infrastructure Security Agency (CISA). The original
can be found at CISA.gov.
Siemens has identified the following specific workarounds and mitigations users can apply to reduce risk:
- All affected products: Update to V3.2 or later version
As a general security measure, Siemens recommends protecting network access to devices with appropriate mechanisms. To
operate the devices in a protected IT environment, Siemens recommends configuring the environment according to Siemens'
operational guidelines for industrial security and following recommendations in the product manuals.
Additional information on industrial security by Siemens can be found on the Siemens industrial security webpage
For more information see the associated Siemens security advisory SSA-355557 in HTML and CSAF.");
script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H");
script_set_attribute(attribute:"cvss_score_source", value:"CVE-2024-47684");
script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
script_cwe_id(476);
script_set_attribute(attribute:"vuln_publication_date", value:"2023/12/12");
script_set_attribute(attribute:"patch_publication_date", value:"2023/12/12");
script_set_attribute(attribute:"plugin_publication_date", value:"2025/10/29");
script_set_attribute(attribute:"plugin_type", value:"remote");
script_set_attribute(attribute:"cpe", value:"cpe:/o:siemens:ruggedcom_rst2428p_firmware:3.2");
script_set_attribute(attribute:"cpe", value:"cpe:/o:siemens:scalance_xc-300_series_firmware");
script_set_attribute(attribute:"cpe", value:"cpe:/o:siemens:scalance_xr-300_series_firmware");
script_set_attribute(attribute:"cpe", value:"cpe:/o:siemens:scalance_xc-400_series_firmware");
script_set_attribute(attribute:"cpe", value:"cpe:/o:siemens:scalance_xr-500wg_series_firmware");
script_set_attribute(attribute:"cpe", value:"cpe:/o:siemens:scalance_xr-500_series_firmware");
script_set_attribute(attribute:"cpe", value:"cpe:/o:siemens:scalance_xcm-300_series_firmware");
script_set_attribute(attribute:"cpe", value:"cpe:/o:siemens:scalance_xrm-300_series_firmware");
script_set_attribute(attribute:"cpe", value:"cpe:/o:siemens:scalance_xch-300_series_firmware");
script_set_attribute(attribute:"cpe", value:"cpe:/o:siemens:scalance_xrh-300_series_firmware");
script_set_attribute(attribute:"cpe", value:"cpe:/o:siemens:simatic_s7-1500_cpu_firmware:3.1.5");
script_set_attribute(attribute:"cpe", value:"cpe:/o:siemens:simatic_s7-1500_tm_mfp_firmware");
script_set_attribute(attribute:"cpe", value:"cpe:/o:siemens:siplus_s7-1500_cpu_firmware:3.1.5");
script_set_attribute(attribute:"generated_plugin", value:"former");
script_end_attributes();
script_category(ACT_GATHER_INFO);
script_family(english:"Tenable.ot");
script_copyright(english:"This script is Copyright (C) 2025-2026 and is owned by Tenable, Inc. or an Affiliate thereof.");
script_dependencies("tenable_ot_api_integration.nasl");
script_require_keys("Tenable.ot/Siemens");
exit(0);
}
include('tenable_ot_cve_funcs.inc');
get_kb_item_or_exit('Tenable.ot/Siemens');
var asset = tenable_ot::assets::get(vendor:'Siemens');
var vuln_cpes = {
"cpe:/o:siemens:simatic_s7-1500_cpu_firmware:3.1.5" :
{"versionEndExcluding" : "3.1.5", "versionStartIncluding" : "3.1.0", "family" : "S71500", "orderNumbers" : ['6ES7518-4FX00-1AB0', '6ES7518-4AX00-1AB0', '6ES7518-4FX00-1AC0', '6ES7518-4AX00-1AC0']},
"cpe:/o:siemens:siplus_s7-1500_cpu_firmware:3.1.5" :
{"versionEndExcluding" : "3.1.5", "versionStartIncluding" : "3.1.0", "family" : "S71500", "orderNumbers" : ['6AG1518-4AX00-4AC0']},
"cpe:/o:siemens:simatic_s7-1500_tm_mfp_firmware" :
{"versionEndIncluding" : "1.1", "versionStartIncluding" : "1.1", "family" : "S71500", "orderNumbers": ["6ES7558-1AA00-0AB0"]},
"cpe:/o:siemens:ruggedcom_rst2428p_firmware:3.2" :
{"versionEndExcluding" : "3.2", "family" : "RuggedCom", "orderNumbers" : ['6GK6242-6PA00']},
"cpe:/o:siemens:scalance_xc-300_series_firmware" :
{"versionEndExcluding" : "3.2", "family" : "SCALANCEX300"},
"cpe:/o:siemens:scalance_xr-300_series_firmware" :
{"versionEndExcluding" : "3.2", "family" : "SCALANCEX300"},
"cpe:/o:siemens:scalance_xc-400_series_firmware" :
{"versionEndExcluding" : "3.2", "family" : "SCALANCEX400"},
"cpe:/o:siemens:scalance_xr-500wg_series_firmware" :
{"versionEndExcluding" : "3.2", "family" : "SCALANCEX500"},
"cpe:/o:siemens:scalance_xr-500_series_firmware" :
{"versionEndExcluding" : "3.2", "family" : "SCALANCEX500"},
"cpe:/o:siemens:scalance_xcm-300_series_firmware" :
{"versionEndExcluding" : "3.2", "family" : "SCALANCEX300"},
"cpe:/o:siemens:scalance_xrm-300_series_firmware" :
{"versionEndExcluding" : "3.2", "family" : "SCALANCEX300"},
"cpe:/o:siemens:scalance_xch-300_series_firmware" :
{"versionEndExcluding" : "3.2", "family" : "SCALANCEX300"},
"cpe:/o:siemens:scalance_xrh-300_series_firmware" :
{"versionEndExcluding" : "3.2", "family" : "SCALANCEX300"}
};
tenable_ot::cve::compare_and_report(asset:asset, cpes:vuln_cpes, severity:SECURITY_HOLE);
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation