PatchSiren cyber security CVE debrief
CVE-2023-46809 NodeJS CVE debrief
CVE-2023-46809 is a HIGH severity vulnerability (CVSS 7.4) affecting Node.js applications that use unpatched OpenSSL versions for RSA decryption with PKCS #1 v1.5 padding. The vulnerability exposes systems to the Marvin Attack, a timing side-channel attack that can recover private RSA keys. Siemens SINEC INS is affected through its Node.js dependency chain. CISA published advisory ICSA-24-319-08 on November 12, 2024, confirming this vulnerability in industrial control system environments. The attack requires network access and high attack complexity but needs no privileges or user interaction, making it particularly dangerous for exposed services. Successful exploitation enables confidentiality and integrity breaches without availability impact.
- Vendor
- NodeJS
- Product
- SINEC INS
- CVSS
- HIGH 7.4
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2024-11-12
- Original CVE updated
- 2024-11-12
- Advisory published
- 2024-11-12
- Advisory updated
- 2024-11-12
Who should care
Organizations running Siemens SINEC INS for industrial network management, operators of Node.js-based services performing RSA decryption, ICS/OT security teams managing cryptographic implementations, and security architects responsible for PKI and encryption infrastructure in industrial environments.
Technical summary
The Marvin Attack (CVE-2023-46809) is a timing side-channel vulnerability in RSA decryption implementations using PKCS #1 v1.5 padding. When Node.js applications use unpatched OpenSSL versions—either bundled or dynamically linked—the decryption operation leaks timing information that can be exploited to recover private keys. The vulnerability has CVSS 3.1 score 7.4 (HIGH) with network attack vector, high attack complexity, and no required privileges or user interaction. Impact is rated HIGH for confidentiality and integrity, with no availability impact. Siemens SINEC INS industrial network management software is affected, with remediation available through vendor update to V1.0 SP2 Update 3 or later.
Defensive priority
HIGH
Recommended defensive actions
- Apply Siemens vendor fix: Update SINEC INS to V1.0 SP2 Update 3 or later version
- Verify Node.js runtime and OpenSSL versions are patched against Marvin Attack (CVE-2023-46809)
- Disable PKCS #1 v1.5 padding for RSA decryption where alternative padding schemes (OAEP) are supported
- Implement network segmentation to limit exposure of RSA decryption services
- Monitor for anomalous timing patterns in cryptographic operations that may indicate side-channel exploitation attempts
- Review CISA ICS recommended practices for defense-in-depth strategies in industrial control environments
Evidence notes
CISA CSAF advisory ICSA-24-319-08 published 2024-11-12 identifies Siemens SINEC INS as affected. The vulnerability stems from Node.js bundling or dynamically linking unpatched OpenSSL versions. CVSS vector AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N confirms network-based attack with high complexity but no required privileges or user interaction.
Official resources
-
CVE-2023-46809 CVE record
CVE.org
-
CVE-2023-46809 NVD detail
NVD
-
Source item URL
cisa_csaf
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
2024-11-12