PatchSiren cyber security CVE debrief
CVE-2023-6237 Siemens CVE debrief
CVE-2023-6237 is a denial-of-service issue in OpenSSL RSA public key validation. When an application calls EVP_PKEY_public_check() on an RSA key from an untrusted source, checking an excessively large invalid modulus can take a very long time and stall the calling process. Siemens mapped this issue to 19 SCALANCE W-series products in its 2025 advisory and recommends updating to V3.0.0 or later. The OpenSSL SSL/TLS implementation is not affected, but the OpenSSL pkey command-line tool is affected when run with -pubin and -check on untrusted data.
- Vendor: Siemens
- Product: SCALANCE WAB762-1 (6GK5762-1AJ00-6AA0)
- CVSS: MEDIUM 5.9
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2025-02-11
- Original CVE updated: 2025-05-06
- Advisory published: 2025-02-11
- Advisory updated: 2025-05-06
Who should care
Operators and maintainers of the listed Siemens SCALANCE WAB/WAM/WUB/WUM devices, plus developers and administrators who rely on OpenSSL EVP_PKEY_public_check() or the pkey -pubin -check workflow for untrusted RSA public keys.
Technical summary
The issue is caused by an expensive compositeness check during RSA public key validation. The validator confirms that the modulus n is composite, as every genuine RSA modulus (a product of two or more large primes) is; for a valid key that test terminates quickly. If an attacker instead supplies an excessively large prime as the modulus, the test runs to completion and validation takes far longer than expected, and the cost grows with the size of the modulus. The result is a denial-of-service condition through CPU consumption or long delays, with impact limited to availability. Siemens' CSAF advisory associates the issue with 19 product variants and points to a vendor fix at V3.0.0 or later.
Defensive priority
High for affected Siemens deployments that are still below V3.0.0; otherwise medium, because the issue is availability-only and the affected OpenSSL code paths are limited to explicit public-key checking (EVP_PKEY_public_check() and pkey -check), not the SSL/TLS stack.
Recommended defensive actions
- Update affected Siemens SCALANCE products to V3.0.0 or later, as directed by the vendor advisory.
- Review any software that calls EVP_PKEY_public_check() on untrusted RSA public keys. Where the call cannot be avoided, keep it off latency-sensitive or single-threaded paths and reject oversized moduli with a cheap size check before the expensive validation runs.
- Avoid running openssl pkey -pubin -check on untrusted input.
- Apply standard ICS defense-in-depth guidance for availability protection and input validation around externally supplied keys.
- Track the advisory revision history and re-verify deployed firmware or package versions after remediation.
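The size gate suggested above, as an added example for this debrief (not OpenSSL, Siemens or PatchSiren code). It parses the two common DER encodings of an RSA public key, PKCS#1 RSAPublicKey and X.509 SubjectPublicKeyInfo, with a minimal standard-library reader, then applies structural checks that cost the same for a 2048-bit key and a 100000-bit one: modulus bit length against a ceiling, even modulus, and a bad public exponent. The 16384-bit ceiling is an assumption for the example, chosen to match OpenSSL's OPENSSL_RSA_MAX_MODULUS_BITS; the sample keys are constructed integers of the right shape, not real RSA moduli, and the helper names are this example's own.

```python
"""Size-gate untrusted RSA public keys before any expensive validation.

Added example for the CVE-2023-6237 debrief, not OpenSSL or Siemens code.
Standard library only: a minimal DER reader for RSAPublicKey (PKCS#1) and
SubjectPublicKeyInfo (X.509), plus a tiny DER writer used to build test keys.
MAX_MODULUS_BITS is an assumption matching OpenSSL's OPENSSL_RSA_MAX_MODULUS_BITS;
set it to the largest key size your deployment really accepts.
"""
import base64

RSA_OID = bytes.fromhex("2a864886f70d010101")  # 1.2.840.113549.1.1.1 rsaEncryption
MAX_MODULUS_BITS = 16384  # assumed ceiling, see module docstring


def _read_tlv(buf, pos):
    """Return (tag, value, end) for the DER element starting at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        nbytes = length & 0x7F
        if nbytes == 0 or nbytes > 4:
            raise ValueError("unsupported DER length encoding")
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:end], end


def rsa_modulus_and_exponent(der):
    """Extract (n, e) from a DER RSAPublicKey or SubjectPublicKeyInfo."""
    tag, body, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("expected outer SEQUENCE")
    first_tag, first, after_first = _read_tlv(body, 0)
    if first_tag == 0x30:  # SPKI: AlgorithmIdentifier, then a BIT STRING
        oid_tag, oid, _ = _read_tlv(first, 0)
        if oid_tag != 0x06 or oid != RSA_OID:
            raise ValueError("not an rsaEncryption key")
        bs_tag, bitstr, _ = _read_tlv(body, after_first)
        if bs_tag != 0x03 or not bitstr or bitstr[0] != 0:
            raise ValueError("malformed subjectPublicKey BIT STRING")
        return rsa_modulus_and_exponent(bitstr[1:])  # embedded RSAPublicKey
    if first_tag != 0x02:
        raise ValueError("expected INTEGER modulus")
    e_tag, e_bytes, _ = _read_tlv(body, after_first)
    if e_tag != 0x02:
        raise ValueError("expected INTEGER exponent")
    return (int.from_bytes(first, "big", signed=True),
            int.from_bytes(e_bytes, "big", signed=True))


def check_untrusted_rsa_public_key(der, max_bits=MAX_MODULUS_BITS):
    """Cheap structural checks; returns the modulus bit length or raises.

    Primality is deliberately not tested here: that is the expensive step
    (EVP_PKEY_public_check()) this gate is meant to protect.
    """
    n, e = rsa_modulus_and_exponent(der)
    if n <= 0 or e <= 0:
        raise ValueError("non-positive RSA parameter")
    bits = n.bit_length()
    if bits > max_bits:
        raise ValueError(f"modulus is {bits} bits, over the {max_bits}-bit ceiling")
    if n % 2 == 0:
        raise ValueError("even modulus")  # trivially composite, never a real key
    if e < 3 or e % 2 == 0:
        raise ValueError("public exponent must be an odd integer >= 3")
    return bits


def is_safe_to_check(der, max_bits=MAX_MODULUS_BITS):
    """True only if the key passes the gate; IndexError covers DER cut mid-header."""
    try:
        check_untrusted_rsa_public_key(der, max_bits)
        return True
    except (ValueError, IndexError):
        return False


def pem_to_der(pem):
    """Strip PEM armour lines and base64-decode the body."""
    body = "".join(l.strip() for l in pem.splitlines() if not l.startswith("-----"))
    return base64.b64decode(body)


# Constructed test keys: integers of the right shape, not real RSA moduli.
def _der_len(n):
    if n < 0x80:
        return bytes([n])
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(raw)]) + raw


def _der_int(v):  # positive INTEGER; the extra byte keeps the sign bit clear
    raw = v.to_bytes((v.bit_length() + 8) // 8, "big")
    return b"\x02" + _der_len(len(raw)) + raw


def _der_seq(*parts):
    body = b"".join(parts)
    return b"\x30" + _der_len(len(body)) + body


def make_rsa_public_key_der(n, e, spki=True):
    """Test helper: encode (n, e) as RSAPublicKey or, by default, SPKI DER."""
    pkcs1 = _der_seq(_der_int(n), _der_int(e))
    if not spki:
        return pkcs1
    alg = _der_seq(b"\x06\x09" + RSA_OID, b"\x05\x00")  # rsaEncryption, NULL params
    bitstr = b"\x03" + _der_len(len(pkcs1) + 1) + b"\x00" + pkcs1
    return _der_seq(alg, bitstr)


NORMAL_KEY = make_rsa_public_key_der((1 << 2047) | 0x10001, 65537)      # 2048-bit, odd n
OVERSIZED_KEY = make_rsa_public_key_der((1 << 99999) | 1, 65537)         # 100000-bit, odd n
EVEN_KEY = make_rsa_public_key_der((1 << 2047) | 2, 65537, spki=False)   # PKCS#1, even n
NORMAL_KEY_PEM = ("-----BEGIN PUBLIC KEY-----\n"
                  + base64.b64encode(NORMAL_KEY).decode() + "\n-----END PUBLIC KEY-----\n")

if __name__ == "__main__":
    for name, key in [("normal", NORMAL_KEY), ("oversized", OVERSIZED_KEY), ("even", EVEN_KEY)]:
        print(name, "safe to pass to the expensive check:", is_safe_to_check(key))
```

Run the gate first and hand only keys that pass it to EVP_PKEY_public_check() or to pkey -check; the oversized key is rejected by bit length alone, so whether it is prime never matters. Lowering max_bits to the largest key size you actually issue (for example 4096) shrinks the attack surface further without touching OpenSSL.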
Evidence notes
Source data indicates publication on 2025-02-11 and a later revision on 2025-05-06 for typo fixes. The Siemens/CISA advisory lists 19 affected SCALANCE product variants and recommends updating to V3.0.0 or later. The advisory text states that OpenSSL SSL/TLS is not affected, while the pkey command-line application is affected when used with -pubin and -check on untrusted data. CVSS is 5.9/Medium with vector AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H (network-reachable, high attack complexity, no privileges or user interaction, high availability impact only).
Official resources
- CVE-2023-6237 CVE record (CVE.org)
- CVE-2023-6237 NVD detail (NVD)
- Source item URL (cisa_csaf)
Use the CVE and advisory publication date of 2025-02-11 for disclosure context; the source advisory was later revised on 2025-05-06 for typo fixes.