CVE-2023-2975: CWE-354 Improper Validation of Integrity Check Value in OpenSSL
Issue summary: The AES-SIV cipher implementation contains a bug that causes it to ignore empty associated data entries, which are therefore left unauthenticated.

Impact summary: Applications that use the AES-SIV algorithm and want to authenticate empty data entries as associated data can be misled by removing, adding or reordering such empty entries, as these are ignored by the OpenSSL implementation. We are currently unaware of any such applications.

The AES-SIV algorithm allows for authentication of multiple associated data entries along with the encryption. To authenticate empty data the application has to call EVP_EncryptUpdate() (or EVP_CipherUpdate()) with a NULL pointer as the output buffer and 0 as the input buffer length. The AES-SIV implementation in OpenSSL just returns success for such a call instead of performing the associated data authentication operation. The empty data thus will not be authenticated. As this issue does not affect non-empty associated data authentication, and we expect it to be rare for an application to use empty associated data entries, this is qualified as a Low severity issue.
AI Analysis
Technical Summary
CVE-2023-2975 is a medium-severity vulnerability affecting the AES-SIV cipher implementation in OpenSSL versions 3.0.0 and 3.1.0. The issue stems from improper validation of integrity check values (CWE-354) related to how empty associated data entries are handled during encryption and authentication.

AES-SIV is an authenticated encryption algorithm that supports multiple associated data (AD) entries, which are data elements authenticated but not encrypted. Applications using AES-SIV can provide associated data to ensure its integrity and authenticity alongside the encrypted payload. However, the OpenSSL implementation contains a bug where empty associated data entries are effectively ignored during authentication. Specifically, when an application attempts to authenticate empty associated data by calling EVP_EncryptUpdate() or EVP_CipherUpdate() with a NULL output buffer and zero-length input buffer, OpenSSL returns success without performing the authentication operation. This means that empty associated data entries are not authenticated, allowing an attacker to remove, add, or reorder such empty entries without detection.

The vulnerability does not affect non-empty associated data authentication, and the OpenSSL implementation correctly authenticates all non-empty associated data entries. The impact is limited to scenarios where applications rely on authenticating empty associated data entries, which is expected to be rare. No known exploits are currently reported in the wild. The CVSS v3.1 base score is 5.3 (medium severity), reflecting that the vulnerability can be exploited remotely without privileges or user interaction, impacts integrity only, and does not affect confidentiality or availability. The scope is unchanged as the vulnerability is confined to the OpenSSL AES-SIV implementation.
Overall, this vulnerability represents a subtle cryptographic integrity bypass in a niche use case within OpenSSL's AES-SIV cipher, requiring specific application usage patterns to be exploitable.
Potential Impact
For European organizations, the impact of CVE-2023-2975 is generally limited due to the niche nature of the vulnerability. The flaw affects only applications that use OpenSSL versions 3.0.0 or 3.1.0 with the AES-SIV cipher and specifically rely on authenticating empty associated data entries. Such usage is uncommon, so most applications will not be affected. However, organizations that implement advanced cryptographic protocols or custom encryption schemes using AES-SIV with empty associated data could face integrity risks. Attackers could manipulate the order or presence of empty associated data entries without detection, potentially undermining data integrity guarantees. This could affect sensitive communications, data storage, or cryptographic protocols relying on strict integrity checks. Given OpenSSL's widespread use across Europe in web servers, network appliances, and security products, any vulnerable application using AES-SIV in this manner could be at risk. The vulnerability does not impact confidentiality or availability, so data leakage or service disruption are unlikely. The absence of known exploits and the requirement for specific application behavior reduce immediate risk. Nonetheless, organizations in sectors with high security requirements—such as finance, government, and critical infrastructure—should assess their use of AES-SIV and OpenSSL versions to determine exposure and potential impact on data integrity.
Mitigation Recommendations
1. Upgrade OpenSSL: Organizations should upgrade to OpenSSL versions later than 3.1.0 or 3.0.0 where this vulnerability is fixed. Monitor OpenSSL project releases and apply patches promptly once available.
2. Audit Application Usage: Review cryptographic implementations to identify any use of the AES-SIV cipher with empty associated data entries. This includes custom cryptographic libraries or protocols built on top of OpenSSL.
3. Avoid Empty Associated Data: Where possible, avoid using empty associated data entries in AES-SIV encryption calls. Instead, use non-empty placeholders or restructure data to ensure all associated data entries contain meaningful content.
4. Implement Additional Integrity Checks: For applications that must use empty associated data, implement supplementary integrity verification mechanisms outside of OpenSSL to detect unauthorized modifications.
5. Testing and Validation: Conduct thorough testing of cryptographic operations involving AES-SIV to verify that associated data authentication behaves as expected, especially when empty entries are involved.
6. Monitor Security Advisories: Stay informed on updates from OpenSSL and cybersecurity authorities regarding this vulnerability and related cryptographic issues.
7. Limit Exposure: Restrict network access to vulnerable systems and monitor for anomalous activity that could indicate attempts to exploit integrity weaknesses.
These mitigations go beyond generic advice by focusing on the specific cryptographic context and usage patterns that trigger the vulnerability.
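As an added example that is not part of the original advisory or of OpenSSL, the following is a constructed reference implementation of S2V and SIV-Encrypt from RFC 5297 on top of the Python `cryptography` package (assumed installed), with a `skip_empty` switch that models the behaviour described above, where empty AD entries are dropped from the authenticated vector. It serves both the technical analysis and mitigation step 5: the probe `empty_ad_is_authenticated` encrypts the same payload under the AD vectors `[hdr]`, `[hdr, ""]` and `["", hdr]` and reports whether the three tags differ, which a correct implementation (validated here against RFC 5297 test vector A.1) guarantees and the buggy one does not.

```python
from cryptography.hazmat.primitives import cmac
from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
# Constructed RFC 5297 reference for AES-128-SIV (assumes `cryptography`); not OpenSSL code.

def aes_cmac(key: bytes, msg: bytes) -> bytes:
    c = cmac.CMAC(algorithms.AES(key))
    c.update(msg)
    return c.finalize()

def dbl(block: bytes) -> bytes:
    """Doubling in GF(2^128) as used by S2V (RFC 5297 section 2.3)."""
    v = int.from_bytes(block, "big") << 1
    if v >> 128:
        v = (v ^ 0x87) & ((1 << 128) - 1)
    return v.to_bytes(16, "big")

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def s2v(key: bytes, strings: list, skip_empty: bool = False) -> bytes:
    """S2V over [AD1, ..., ADn, plaintext]. skip_empty=True models
    CVE-2023-2975: empty AD entries are dropped instead of CMACed into D."""
    if skip_empty:
        strings = [s for s in strings[:-1] if s] + strings[-1:]
    d = aes_cmac(key, bytes(16))
    for s in strings[:-1]:
        d = xor(dbl(d), aes_cmac(key, s))
    last = strings[-1]
    if len(last) >= 16:   # xorend: fold D into the final block of the last string
        t = last[:-16] + xor(last[-16:], d)
    else:                 # pad with 10* to one block and xor with dbl(D)
        t = xor(dbl(d), last + b"\x80" + bytes(15 - len(last)))
    return aes_cmac(key, t)

def siv_encrypt(key: bytes, pt: bytes, ad: list, skip_empty=False) -> bytes:
    """SIV-Encrypt: key is K1 || K2 (32 bytes); returns V || C."""
    k1, k2 = key[:16], key[16:]
    v = s2v(k1, ad + [pt], skip_empty)
    q = bytearray(v)
    q[8] &= 0x7F           # clear bits 63 and 31 of V to form the CTR IV
    q[12] &= 0x7F
    ctr = Cipher(algorithms.AES(k2), modes.CTR(bytes(q))).encryptor()
    return v + ctr.update(pt) + ctr.finalize()

def empty_ad_is_authenticated(key: bytes, skip_empty=False) -> bool:
    """Probe from the advisory: removing or reordering an empty AD entry
    must change the tag V; returns False when empty entries are ignored."""
    tags = {siv_encrypt(key, b"payload", ad, skip_empty)[:16]
            for ad in ([b"hdr"], [b"hdr", b""], [b"", b"hdr"])}
    return len(tags) == 3
```

The same three-vector probe can be run against any AES-SIV provider (including OpenSSL's EVP interface) to confirm, after upgrading, that empty entries now contribute to the tag.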
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Italy, Spain, Poland
Technical Details
- Data Version: 5.1
- Assigner Short Name: openssl
- Date Reserved: 2023-05-30T10:29:34.539Z
- Cisa Enriched: true
Threat ID: 682d9846c4522896dcbf4fd3
Added to database: 5/21/2025, 9:09:26 AM
Last enriched: 6/22/2025, 10:52:28 AM
Last updated: 8/12/2025, 6:45:32 PM