PatchSiren cyber security CVE debrief
CVE-2023-3446 Siemens CVE debrief
CVE-2023-3446 is a denial-of-service issue tied to very slow validation of excessively long Diffie-Hellman keys or parameters. In the Siemens SIDIS Prime advisory, the risk is described as a long delay or resource exhaustion condition when untrusted DH material is checked. Siemens recommends updating SIDIS Prime to V4.0.700 or later.
- Vendor
- Siemens
- Product
- SIDIS Prime
- CVSS
- MEDIUM 5.3
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2025-02-11
- Original CVE updated
- 2025-05-06
- Advisory published
- 2025-02-11
- Advisory updated
- 2025-05-06
Who should care
Siemens SIDIS Prime operators, ICS/OT defenders, and administrators who handle externally supplied DH keys or DH parameters should care most. Priority is higher where validation is exposed to untrusted input or where a delay in crypto processing can affect availability.
Technical summary
The source advisory says DH_check(), DH_check_ex(), and EVP_PKEY_param_check() may take a long time when evaluating excessively large DH parameters, especially the modulus p. The issue is that some checks still use the supplied modulus even after it has already been identified as too large, so attacker-controlled input can consume CPU and delay the application. The advisory also notes that the OpenSSL dhparam and pkeyparam command-line utilities are affected when run with the -check option. It explicitly says the OpenSSL SSL/TLS implementation is not affected, and the OpenSSL 3.0 and 3.1 FIPS providers are not affected.
Defensive priority
Medium. Apply the vendor fix during normal maintenance, and treat it as higher priority if SIDIS Prime is deployed in a service path that accepts untrusted DH parameters or if availability is operationally critical.
Recommended defensive actions
- Update Siemens SIDIS Prime to V4.0.700 or later.
- Inventory SIDIS Prime deployments and confirm which systems process externally supplied DH keys or DH parameters.
- Review any workflows that invoke DH_check(), DH_check_ex(), EVP_PKEY_param_check(), or related command-line parameter checks.
- Reduce exposure to untrusted crypto-parameter inputs wherever possible and apply defense-in-depth controls around the affected service path.
- Monitor for abnormal CPU use or request latency that could indicate expensive parameter validation.
- Follow CISA ICS recommended practices, including segmentation and other defense-in-depth measures, for OT environments.
Evidence notes
The source corpus is CISA CSAF ICSA-25-100-02 referencing Siemens advisory SSA-277137. It states that checking excessively long DH keys or parameters may be very slow, and that untrusted input to DH_check(), DH_check_ex(), or EVP_PKEY_param_check() may lead to denial of service. The notes also say the OpenSSL SSL/TLS implementation is not affected, the OpenSSL 3.0 and 3.1 FIPS providers are not affected, and the recommended vendor remediation is V4.0.700 or later. Publication timing in the source advisory is 2025-04-08, with a 2025-05-06 revision noted as typo fixes.
Official resources
-
CVE-2023-3446 CVE record
CVE.org
-
CVE-2023-3446 NVD detail
NVD
-
Source item URL
cisa_csaf
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
Public disclosure in the supplied source advisory occurred on 2025-04-08, with a source revision on 2025-05-06 that is described as typo fixes. Use those dates for advisory timing context; they are not the vulnerability's original issue-dis