Lucene search
+L

Siemens SIMATIC, SCALANCE and RUGGEDCOM Devices NULL Pointer Dereference (CVE-2024-47684)

🗓️ 29 Oct 2025 00:00:00Reported by TenableType 
nessus
 nessus
🔗 www.tenable.com👁 3 Views

Linux kernel TCP null pointer dereference in tcp_rearm_rto on Siemens devices CVE-2024-47684.

Related
Refs
Code
#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
##

include('compat.inc');

if (description)
{
  script_id(503766);
  script_version("1.2");
  script_set_attribute(attribute:"plugin_modification_date", value:"2026/02/12");

  script_cve_id("CVE-2024-47684");
  script_xref(name:"ICSA", value:"25-226-07");

  script_name(english:"Siemens SIMATIC, SCALANCE and RUGGEDCOM Devices NULL Pointer Dereference (CVE-2024-47684)");

  script_set_attribute(attribute:"synopsis", value:
"The remote OT asset is affected by a vulnerability.");
  script_set_attribute(attribute:"description", value:
"In the Linux kernel, the following vulnerability has been resolved:
tcp: check skb is non-NULL in tcp_rto_delta_us()    We have some
machines running stock Ubuntu 20.04.6 which is their 5.4.0-174-generic
kernel that are running ceph and recently hit a null ptr dereference
in  tcp_rearm_rto(). Initially hitting it from the TLP path, but then
later we also  saw it getting hit from the RACK case as well. Here are
examples of the oops  messages we saw in each of those cases:    Jul
26 15:05:02 rx [11061395.780353] BUG: kernel NULL pointer dereference,
address: 0000000000000020  Jul 26 15:05:02 rx [11061395.787572] #PF:
supervisor read access in kernel mode  Jul 26 15:05:02 rx
[11061395.792971] #PF: error_code(0x0000) - not-present page  Jul 26
15:05:02 rx [11061395.798362] PGD 0 P4D 0  Jul 26 15:05:02 rx
[11061395.801164] Oops: 0000 [#1] SMP NOPTI  Jul 26 15:05:02 rx
[11061395.805091] CPU: 0 PID: 9180 Comm: msgr-worker-1 Tainted: G W
5.4.0-174-generic #193-Ubuntu  Jul 26 15:05:02 rx [11061395.814996]
Hardware name: Supermicro SMC 2x26 os-gen8 64C NVME-Y 256G/H12SSW-NTR,
BIOS 2.5.V1.2U.NVMe.UEFI 05/09/2023  Jul 26 15:05:02 rx
[11061395.825952] RIP: 0010:tcp_rearm_rto+0xe4/0x160  Jul 26 15:05:02
rx [11061395.830656] Code: 87 ca 04 00 00 00 5b 41 5c 41 5d 5d c3 c3
49 8b bc 24 40 06 00 00 eb 8d 48 bb cf f7 53 e3 a5 9b c4 20 4c 89 ef
e8 0c fe 0e 00 <48> 8b 78 20 48 c1 ef 03 48 89 f8 41 8b bc 24 80 04 00
00 48 f7 e3  Jul 26 15:05:02 rx [11061395.849665] RSP:
0018:ffffb75d40003e08 EFLAGS: 00010246  Jul 26 15:05:02 rx
[11061395.855149] RAX: 0000000000000000 RBX: 20c49ba5e353f7cf RCX:
0000000000000000  Jul 26 15:05:02 rx [11061395.862542] RDX:
0000000062177c30 RSI: 000000000000231c RDI: ffff9874ad283a60  Jul 26
15:05:02 rx [11061395.869933] RBP: ffffb75d40003e20 R08:
0000000000000000 R09: ffff987605e20aa8  Jul 26 15:05:02 rx
[11061395.877318] R10: ffffb75d40003f00 R11: ffffb75d4460f740 R12:
ffff9874ad283900  Jul 26 15:05:02 rx [11061395.884710] R13:
ffff9874ad283a60 R14: ffff9874ad283980 R15: ffff9874ad283d30  Jul 26
15:05:02 rx [11061395.892095] FS: 00007f1ef4a2e700(0000)
GS:ffff987605e00000(0000) knlGS:0000000000000000  Jul 26 15:05:02 rx
[11061395.900438] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
Jul 26 15:05:02 rx [11061395.906435] CR2: 0000000000000020 CR3:
0000003e450ba003 CR4: 0000000000760ef0  Jul 26 15:05:02 rx
[11061395.913822] PKRU: 55555554  Jul 26 15:05:02 rx [11061395.916786]
Call Trace:  Jul 26 15:05:02 rx [11061395.919488]  Jul 26 15:05:02 rx
[11061395.921765] ? show_regs.cold+0x1a/0x1f  Jul 26 15:05:02 rx
[11061395.925859] ? __die+0x90/0xd9  Jul 26 15:05:02 rx
[11061395.929169] ? no_context+0x196/0x380  Jul 26 15:05:02 rx
[11061395.933088] ? ip6_protocol_deliver_rcu+0x4e0/0x4e0  Jul 26
15:05:02 rx [11061395.938216] ? ip6_sublist_rcv_finish+0x3d/0x50  Jul
26 15:05:02 rx [11061395.943000] ? __bad_area_nosemaphore+0x50/0x1a0
Jul 26 15:05:02 rx [11061395.947873] ? bad_area_nosemaphore+0x16/0x20
Jul 26 15:05:02 rx [11061395.952486] ? do_user_addr_fault+0x267/0x450
Jul 26 15:05:02 rx [11061395.957104] ? ipv6_list_rcv+0x112/0x140  Jul
26 15:05:02 rx [11061395.961279] ? __do_page_fault+0x58/0x90  Jul 26
15:05:02 rx [11061395.965458] ? do_page_fault+0x2c/0xe0  Jul 26
15:05:02 rx [11061395.969465] ? page_fault+0x34/0x40  Jul 26 15:05:02
rx [11061395.973217] ? tcp_rearm_rto+0xe4/0x160  Jul 26 15:05:02 rx
[11061395.977313] ? tcp_rearm_rto+0xe4/0x160  Jul 26 15:05:02 rx
[11061395.981408] tcp_send_loss_probe+0x10b/0x220  Jul 26 15:05:02 rx
[11061395.985937] tcp_write_timer_handler+0x1b4/0x240  Jul 26 15:05:02
rx [11061395.990809] tcp_write_timer+0x9e/0xe0  Jul 26 15:05:02 rx
[11061395.994814] ? tcp_write_timer_handler+0x240/0x240  Jul 26
15:05:02 rx [11061395.999866] call_timer_fn+0x32/0x130  Jul 26
15:05:02 rx [11061396.003782] __run_timers.part.0+0x180/0x280  Jul 26
15:05:02 rx [11061396.008309] ? recalibrate_cpu_khz+0x10/0x10  Jul 26
15:05:02 rx [11061396.012841] ? native_x2apic_icr_write+0x30/0x30  Jul
26 15:05:02 rx [11061396.017718] ? lapic_next_even  ---truncated---

This plugin only works with Tenable.ot.
Please visit https://www.tenable.com/products/tenable-ot for more information.");
  script_set_attribute(attribute:"see_also", value:"https://cert-portal.siemens.com/productcert/html/ssa-398330.html");
  script_set_attribute(attribute:"see_also", value:"https://cert-portal.siemens.com/productcert/html/ssa-265688.html");
  script_set_attribute(attribute:"see_also", value:"https://cert-portal.siemens.com/productcert/html/ssa-355557.html");
  script_set_attribute(attribute:"see_also", value:"https://support.industry.siemens.com/cs/ww/en/view/109478459/");
  script_set_attribute(attribute:"see_also", value:"https://support.industry.siemens.com/cs/ww/en/view/109988839/");
  script_set_attribute(attribute:"see_also", value:"https://www.cisa.gov/news-events/ics-advisories/ICSA-25-226-07");
  script_set_attribute(attribute:"solution", value:
"The following text was originally created by the Cybersecurity and Infrastructure Security Agency (CISA). The original
can be found at CISA.gov.

Siemens has identified the following specific workarounds and mitigations users can apply to reduce risk:

- All affected products: Update to V3.2 or later version

As a general security measure, Siemens recommends protecting network access to devices with appropriate mechanisms. To
operate the devices in a protected IT environment, Siemens recommends configuring the environment according to Siemens'
operational guidelines for industrial security and following recommendations in the product manuals.

Additional information on industrial security by Siemens can be found on the Siemens industrial security webpage

For more information see the associated Siemens security advisory SSA-355557 in HTML and CSAF.");
  script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2024-47684");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_cwe_id(476);

  script_set_attribute(attribute:"vuln_publication_date", value:"2023/12/12");
  script_set_attribute(attribute:"patch_publication_date", value:"2023/12/12");
  script_set_attribute(attribute:"plugin_publication_date", value:"2025/10/29");

  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:siemens:ruggedcom_rst2428p_firmware:3.2");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:siemens:scalance_xc-300_series_firmware");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:siemens:scalance_xr-300_series_firmware");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:siemens:scalance_xc-400_series_firmware");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:siemens:scalance_xr-500wg_series_firmware");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:siemens:scalance_xr-500_series_firmware");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:siemens:scalance_xcm-300_series_firmware");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:siemens:scalance_xrm-300_series_firmware");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:siemens:scalance_xch-300_series_firmware");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:siemens:scalance_xrh-300_series_firmware");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:siemens:simatic_s7-1500_cpu_firmware:3.1.5");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:siemens:simatic_s7-1500_tm_mfp_firmware");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:siemens:siplus_s7-1500_cpu_firmware:3.1.5");
  script_set_attribute(attribute:"generated_plugin", value:"former");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Tenable.ot");

  script_copyright(english:"This script is Copyright (C) 2025-2026 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("tenable_ot_api_integration.nasl");
  script_require_keys("Tenable.ot/Siemens");

  exit(0);
}

include('tenable_ot_cve_funcs.inc');

get_kb_item_or_exit('Tenable.ot/Siemens');

var asset = tenable_ot::assets::get(vendor:'Siemens');

var vuln_cpes = {
    "cpe:/o:siemens:simatic_s7-1500_cpu_firmware:3.1.5" :
        {"versionEndExcluding" : "3.1.5", "versionStartIncluding" : "3.1.0", "family" : "S71500", "orderNumbers" : ['6ES7518-4FX00-1AB0', '6ES7518-4AX00-1AB0', '6ES7518-4FX00-1AC0', '6ES7518-4AX00-1AC0']},
    "cpe:/o:siemens:siplus_s7-1500_cpu_firmware:3.1.5" :
        {"versionEndExcluding" : "3.1.5", "versionStartIncluding" : "3.1.0", "family" : "S71500", "orderNumbers" : ['6AG1518-4AX00-4AC0']},
    "cpe:/o:siemens:simatic_s7-1500_tm_mfp_firmware" :
        {"versionEndIncluding" : "1.1", "versionStartIncluding" : "1.1", "family" : "S71500", "orderNumbers": ["6ES7558-1AA00-0AB0"]},
    "cpe:/o:siemens:ruggedcom_rst2428p_firmware:3.2" :
        {"versionEndExcluding" : "3.2", "family" : "RuggedCom", "orderNumbers" : ['6GK6242-6PA00']},
    "cpe:/o:siemens:scalance_xc-300_series_firmware" :
        {"versionEndExcluding" : "3.2", "family" : "SCALANCEX300"},
    "cpe:/o:siemens:scalance_xr-300_series_firmware" :
        {"versionEndExcluding" : "3.2", "family" : "SCALANCEX300"},
    "cpe:/o:siemens:scalance_xc-400_series_firmware" :
        {"versionEndExcluding" : "3.2", "family" : "SCALANCEX400"},
    "cpe:/o:siemens:scalance_xr-500wg_series_firmware" :
        {"versionEndExcluding" : "3.2", "family" : "SCALANCEX500"},
    "cpe:/o:siemens:scalance_xr-500_series_firmware" :
        {"versionEndExcluding" : "3.2", "family" : "SCALANCEX500"},
    "cpe:/o:siemens:scalance_xcm-300_series_firmware" :
        {"versionEndExcluding" : "3.2", "family" : "SCALANCEX300"},
    "cpe:/o:siemens:scalance_xrm-300_series_firmware" :
        {"versionEndExcluding" : "3.2", "family" : "SCALANCEX300"},
    "cpe:/o:siemens:scalance_xch-300_series_firmware" :
        {"versionEndExcluding" : "3.2", "family" : "SCALANCEX300"},
    "cpe:/o:siemens:scalance_xrh-300_series_firmware" :
        {"versionEndExcluding" : "3.2", "family" : "SCALANCEX300"}
};

tenable_ot::cve::compare_and_report(asset:asset, cpes:vuln_cpes, severity:SECURITY_HOLE);

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

12 Feb 2026 00:00Current
6.3Medium risk
Vulners AI Score6.3
CVSS 3.15.5
EPSS0.00277
SSVC
3