PatchSiren cyber security CVE debrief
CVE-2023-2975 Siemens CVE debrief
CVE-2023-2975 describes a cryptographic integrity issue in the AES-SIV path used by Siemens SIDIS Prime: empty associated data entries can be ignored, so those entries are not authenticated. The advisory says non-empty associated data is not affected, and it rates the issue as low severity because the condition is expected to be uncommon and no affected applications were known at publication time.
- Vendor: Siemens
- Product: SIDIS Prime
- CVSS: MEDIUM 5.3
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2025-04-08
- Original CVE updated: 2025-05-06
- Advisory published: 2025-04-08
- Advisory updated: 2025-05-06
Who should care
Siemens SIDIS Prime operators, maintainers, and integrators that rely on AES-SIV for authenticated encryption, especially if their application may pass empty associated-data entries or depends on those entries remaining in the authenticated context.
Technical summary
According to the advisory, the affected AES-SIV implementation returns success when EVP_EncryptUpdate() or EVP_CipherUpdate() is called with a NULL output buffer and a zero input length for an empty associated-data entry. As a result, the empty entry is not authenticated. The issue does not affect authentication of non-empty associated data.
Defensive priority
Low to Medium
Recommended defensive actions
- Update Siemens SIDIS Prime to V4.0.700 or later, as listed in the vendor remediation guidance.
- Review application use of AES-SIV and confirm whether empty associated-data entries are possible or required.
- Add regression tests that verify empty associated data is authenticated as intended in your integration.
- If you cannot update immediately, inventory deployments that use the affected cryptographic path and assess whether the empty-entry case is relevant to your environment.
- Follow the Siemens and CISA advisory links for product-specific guidance and deployment validation steps.
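To make the failure mode and the regression check concrete, here is an added example (not code from the advisory, Siemens, or any affected library): a stand-alone model of the RFC 5297 S2V step that AES-SIV uses to derive its synthetic IV, with a flag that reproduces the described defect of dropping empty associated-data entries, plus a check of the kind the list above asks for. It assumes HMAC-SHA256 truncated to 128 bits as a stand-in for AES-CMAC, so the outputs are not real AES-SIV values; the key and plaintext are constructed.

```python
import hashlib
import hmac

BLOCK = 16  # 128-bit block size, as in AES-SIV

def prf(key: bytes, msg: bytes) -> bytes:
    # Stand-in for AES-CMAC (an assumption of this example): HMAC-SHA256 cut to
    # one 128-bit block. It preserves the S2V structure, not real AES-SIV values.
    return hmac.new(key, msg, hashlib.sha256).digest()[:BLOCK]

def dbl(block: bytes) -> bytes:
    # Doubling in GF(2^128), RFC 5297 section 2.3.
    n = int.from_bytes(block, "big") << 1
    if n >> 128:
        n ^= (1 << 128) | 0x87
    return n.to_bytes(BLOCK, "big")

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def s2v(key: bytes, strings: list, skip_empty: bool = False) -> bytes:
    # RFC 5297 S2V: strings[:-1] are associated-data entries, strings[-1] is the
    # plaintext. skip_empty=True models the reported defect: an empty entry is
    # dropped before processing, so it never contributes to the synthetic IV.
    aad, last = strings[:-1], strings[-1]
    if skip_empty:
        aad = [s for s in aad if s]
    d = prf(key, bytes(BLOCK))
    for s in aad:
        d = xor(dbl(d), prf(key, s))
    if len(last) >= BLOCK:
        t = last[:-BLOCK] + xor(last[-BLOCK:], d)  # xorend
    else:
        t = xor(dbl(d), last + b"\x80" + bytes(BLOCK - len(last) - 1))  # pad
    return prf(key, t)

def empty_aad_is_authenticated(key: bytes, plaintext: bytes, skip_empty: bool = False) -> bool:
    # Regression check: an empty AAD entry must change the IV versus omitting it.
    return s2v(key, [b"", plaintext], skip_empty) != s2v(key, [plaintext], skip_empty)

KEY = bytes(range(16))                        # constructed test key
PLAINTEXT = b"constructed sample plaintext"   # constructed test input

if __name__ == "__main__":
    print("correct S2V authenticates empty AAD:", empty_aad_is_authenticated(KEY, PLAINTEXT))
    print("defective S2V authenticates empty AAD:", empty_aad_is_authenticated(KEY, PLAINTEXT, True))
```

In a real integration the same check is run against the library's AES-SIV API: encrypting with an empty associated-data entry must not produce the same output as encrypting with that entry omitted.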
Evidence notes
This debrief is based on the Siemens/CISA CSAF advisory and related official records for CVE-2023-2975. The source text states that empty associated data entries are ignored by the AES-SIV implementation, that non-empty associated data is unaffected, and that the issue is expected to be rare. The advisory provides a vendor fix version of V4.0.700 or later. No CISA KEV entry is present in the supplied data. The advisory was published on 2025-04-08 and revised on 2025-05-06 for typo fixes.
Official resources
- CVE-2023-2975 CVE record (CVE.org)
- CVE-2023-2975 NVD detail (NVD)
- Source item URL (cisa_csaf)
Publicly disclosed in the Siemens/CISA advisory on 2025-04-08; the supplied advisory was revised on 2025-05-06 for typo corrections.