PatchSiren cyber security CVE debrief
CVE-2024-9143 Siemens CVE debrief
CVE-2024-9143 is a medium-severity memory-corruption issue affecting Siemens SIDIS Prime. It arises when the low-level GF(2^m) elliptic-curve APIs are handed untrusted explicit field-polynomial values, specifically a polynomial with a zero constant term, which is not a valid field polynomial. The advisory rates practical exposure as low in typical ECC deployments, but applications that accept exotic explicit binary-curve encodings can still be driven to out-of-bounds memory access, resulting in crashes and, less likely, remote code execution. The Siemens/CISA advisory ICSA-25-100-02 was published on 2025-04-08 and revised on 2025-05-06 for typo fixes.
- Vendor
- Siemens
- Product
- SIDIS Prime
- CVSS
- MEDIUM 4.3
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2025-02-11
- Original CVE updated
- 2025-05-06
- Advisory published
- 2025-02-11
- Advisory updated
- 2025-05-06
Who should care
Siemens SIDIS Prime operators, integrators, and developers whose code accepts explicit binary GF(2^m) elliptic-curve parameters from untrusted sources. Environments that use only named curves, or X9.62/X.509 certificate encodings, are not expected to be exposed.
Technical summary
The advisory describes out-of-bounds reads and writes triggered by low-level GF(2^m) elliptic-curve APIs when they receive untrusted explicit values for the field polynomial. The affected APIs are OpenSSL's EC_GROUP_new_curve_GF2m() and EC_GROUP_new_from_params() together with the supporting BN_GF2m_*() routines. An application that accepts exotic explicit binary-curve parameters can present a field polynomial with a zero constant term; such a polynomial is divisible by x, so it cannot define a field, and the reduction code, which assumes a valid polynomial, then reads or writes outside array bounds. Impact can include application termination and, less likely, remote code execution. Common ECC use cases are generally not exposed: named curves carry fixed, valid field polynomials, and the X9.62 encoding used in X.509 certificates expresses the field as a trinomial or pentanomial basis in which the x^m term and the constant term are implied, so it cannot represent the problematic input. The advisory also states that the FIPS modules in OpenSSL 3.3, 3.2, 3.1, and 3.0 are not affected.
Defensive priority
Medium
Recommended defensive actions
- Update Siemens SIDIS Prime to V4.0.700 or later.
- Inventory any code paths that accept explicit binary GF(2m) curve parameters from untrusted sources.
- Prefer named curves or X9.62-encoded parameters, and reject explicit field polynomials that have a zero constant term, are not of the declared degree m, or are not irreducible.
- Review custom certificate, key import, or parameter-parsing logic for use of the affected GF(2^m) APIs.
- Treat crashes during ECC parameter handling as security-relevant until the fixed version is deployed.
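A concrete form of the parameter check recommended above, written as an added example for this debrief (it is not code from the Siemens advisory, from SIDIS Prime, or from OpenSSL). It validates an explicit GF(2^m) field polynomial the way an import path should before any low-level EC API sees it: nonzero constant term, declared degree, trinomial or pentanomial form, and irreducibility via the Ben-Or test. Polynomials are represented as Python ints with bit i holding the coefficient of x^i; the function names are this example's own, and the sample inputs are the standard field polynomials of sect163k1 and sect233k1 plus constructed invalid ones.

```python
from typing import Optional, Sequence, Tuple

# Polynomials over GF(2): bit i of the int is the coefficient of x^i.
X = 0b10  # the polynomial x


def degree(f: int) -> int:
    """Degree of a polynomial (-1 for the zero polynomial)."""
    return f.bit_length() - 1


def gf2_mul(a: int, b: int) -> int:
    """Carry-less multiplication in GF(2)[x]."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        b >>= 1
    return r


def gf2_mod(a: int, f: int) -> int:
    """Remainder of a divided by f in GF(2)[x]; f must be nonzero."""
    df = degree(f)
    while a and degree(a) >= df:
        a ^= f << (degree(a) - df)
    return a


def gf2_gcd(a: int, b: int) -> int:
    """Euclidean gcd in GF(2)[x]."""
    while b:
        a, b = b, gf2_mod(a, b)
    return a


def is_irreducible(f: int) -> bool:
    """Ben-Or test: f of degree m is irreducible over GF(2) iff
    gcd(f, x^(2^i) + x) == 1 for every 1 <= i <= m // 2."""
    m = degree(f)
    if m < 1:
        return False
    h = X
    for _ in range(m // 2):
        h = gf2_mod(gf2_mul(h, h), f)  # h = x^(2^i) mod f
        if gf2_gcd(f, h ^ X) != 1:
            return False
    return True


def poly_from_basis(m: int, ks: Sequence[int]) -> int:
    """Build x^m + x^k1 + ... + 1 from an X9.62-style trinomial (one k) or
    pentanomial (three k) basis. The x^m term and the constant term are
    implied by the encoding, which is why X9.62 parameters cannot carry a
    polynomial with a zero constant term."""
    f = (1 << m) | 1
    for k in ks:
        if not 0 < k < m:
            raise ValueError(f"basis exponent {k} out of range for m={m}")
        f |= 1 << k
    return f


def validate_field_poly(f: int, expected_m: Optional[int] = None) -> Tuple[bool, str]:
    """Accept f only if it can define GF(2^m). Returns (ok, reason)."""
    if f <= 0:
        return False, "polynomial is zero or negative"
    m = degree(f)
    if m < 2:
        return False, f"degree {m} is too small for a binary field"
    if expected_m is not None and m != expected_m:
        return False, f"degree {m} does not match the declared m={expected_m}"
    if f & 1 == 0:
        # The input shape behind CVE-2024-9143: reject before any BN_GF2m_* call.
        return False, "constant term is zero, so x divides f and f cannot define a field"
    terms = bin(f).count("1")
    if terms not in (3, 5):
        # Policy choice here: only the forms X9.62 can encode are accepted.
        return False, f"{terms} nonzero terms; X9.62 binary fields use trinomials or pentanomials"
    if not is_irreducible(f):
        return False, "polynomial is reducible over GF(2)"
    return True, "ok"


if __name__ == "__main__":
    # Constructed inputs: two standard field polynomials and two invalid ones.
    samples = {
        "sect163k1 (x^163+x^7+x^6+x^3+1)": poly_from_basis(163, (7, 6, 3)),
        "sect233k1 (x^233+x^74+1)": poly_from_basis(233, (74,)),
        "zero constant term": poly_from_basis(163, (7, 6, 3)) ^ 1,
        "reducible x^4+x^2+1": 0b10101,
    }
    for name, f in samples.items():
        print(f"{name}: {validate_field_poly(f)}")
```

The check is deliberately stricter than the library it protects: rejecting anything that is not an irreducible trinomial or pentanomial of the declared degree costs nothing for legitimate X9.62 inputs, since that is the only shape they can encode, and it removes the whole class of malformed polynomials rather than just the one the advisory names.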
Evidence notes
Source evidence is from Siemens/CISA advisory ICSA-25-100-02 for Siemens SIDIS Prime, published 2025-04-08 and revised 2025-05-06. The advisory explicitly says the issue is low-likelihood in standard ECC deployments, especially for named curves and X.509/X9.62 processing, and identifies only exotic explicit binary curve encodings as potentially problematic. It also lists the remediation as V4.0.700 or later and notes that FIPS modules 3.3/3.2/3.1/3.0 are not affected.
Official resources
- CVE-2024-9143 CVE record (CVE.org)
- CVE-2024-9143 NVD detail (NVD)
- Source item URL (cisa_csaf)
CISA/Siemens advisory ICSA-25-100-02 for Siemens SIDIS Prime, CVE-2024-9143; published 2025-04-08 and revised 2025-05-06.