CVE-2023-2975 Overview
CVE-2023-2975 is a cryptographic vulnerability in OpenSSL's AES-SIV cipher implementation that causes the library to incorrectly handle empty associated data entries. When applications attempt to authenticate empty data entries as associated data, the OpenSSL implementation silently returns success without performing the actual authentication operation. This flaw allows attackers to manipulate authenticated encryption by removing, adding, or reordering empty associated data entries without detection.
Critical Impact
Applications relying on AES-SIV for authenticated encryption may be vulnerable to integrity bypass attacks when using empty associated data entries, potentially allowing data manipulation to go undetected.
Affected Products
- OpenSSL (versions using AES-SIV cipher implementation)
- NetApp Management Services for Element Software and NetApp HCI
- NetApp ONTAP Select Deploy Administration Utility
Discovery Timeline
- July 14, 2023 - CVE-2023-2975 published to NVD
- April 23, 2025 - Last updated in NVD database
Technical Details for CVE-2023-2975
Vulnerability Analysis
The vulnerability resides in OpenSSL's implementation of the AES-SIV (Synthetic Initialization Vector) cipher mode. AES-SIV is designed to provide both encryption and authentication of data, including the ability to authenticate multiple associated data entries alongside the encrypted content. The implementation flaw manifests when applications call EVP_EncryptUpdate() or EVP_CipherUpdate() with a NULL output buffer pointer and a zero-length input buffer to authenticate empty associated data.
Instead of properly processing the empty data entry through the authentication algorithm, the OpenSSL implementation immediately returns a success status without performing any cryptographic operation. This means empty associated data entries are never actually included in the authentication tag calculation, leaving them unauthenticated despite the application's intent.
Root Cause
The root cause is an improper integrity check (CWE-354) combined with an authentication bypass condition (CWE-287) in the AES-SIV cipher implementation. The code path handling zero-length associated data entries contains a logic flaw that bypasses the authentication operation entirely. When the input buffer length is zero and the output buffer is NULL (the correct API usage for authenticating empty data), the function returns success without updating the internal authentication state.
Attack Vector
The attack vector is network-based and requires no privileges or user interaction. An attacker who can intercept or modify encrypted communications using AES-SIV with empty associated data entries could:
- Remove empty associated data entries from the authenticated message
- Add arbitrary empty entries to the associated data
- Reorder empty entries among other associated data elements
Since these empty entries are not actually authenticated, such modifications would not be detected by the receiving application that validates the authentication tag. The impact is limited to integrity compromise without affecting confidentiality or availability.
The vulnerability mechanism involves the improper handling of edge cases in the EVP_EncryptUpdate() function when processing associated data for AES-SIV mode. When an application passes a NULL output buffer with zero input length (the documented method for authenticating empty data), the implementation fails to incorporate this empty entry into the SIV authentication calculation. Technical details are available in the OpenSSL Security Advisory.
Detection Methods for CVE-2023-2975
Indicators of Compromise
- Applications using AES-SIV cipher mode with empty associated data entries in EVP API calls
- Calls to EVP_EncryptUpdate() or EVP_CipherUpdate() with NULL output buffer and zero-length input
- Encrypted communications where empty associated data integrity cannot be verified
Detection Strategies
- Audit application code for usage of AES-SIV cipher mode with empty associated data entries
- Review cryptographic implementations that rely on authenticating empty data elements
- Implement version checking for OpenSSL libraries to identify vulnerable installations
- Monitor for applications using the affected EVP cipher API patterns
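One way to run the code audit listed above, as an added example that is not part of the original advisory or of OpenSSL: a heuristic scanner that flags EVP_EncryptUpdate() and EVP_CipherUpdate() calls with a NULL output buffer and a zero or runtime-determined length. The sample source and the verdict labels are constructed for illustration, and the scanner cannot see which cipher the context uses, so each hit still has to be checked for AES-SIV.

```python
import re

# The two EVP calls the advisory names; signature (ctx, out, &outl, in, inl).
CALL_RE = re.compile(r"\b(EVP_EncryptUpdate|EVP_CipherUpdate)\s*\(")
COMMENT_RE = re.compile(r"/\*.*?\*/|//[^\n]*", re.S)
NULL_OUT = {"NULL", "nullptr", "0"}

def call_args(src, pos):
    """Split the top-level arguments of the call whose '(' ends at pos."""
    depth, args, cur = 1, [], ""
    for ch in src[pos:]:
        depth += (ch == "(") - (ch == ")")
        if depth == 0:
            break
        if ch == "," and depth == 1:
            args.append(cur.strip())
            cur = ""
        else:
            cur += ch
    return args + [cur.strip()]

def audit(src):
    """Return (line, function, verdict) for associated-data style calls."""
    # Blank out comments but keep newlines so reported line numbers hold.
    src = COMMENT_RE.sub(lambda m: re.sub(r"[^\n]", " ", m.group()), src)
    findings = []
    for m in CALL_RE.finditer(src):
        args = call_args(src, m.end())
        if len(args) != 5 or args[1] not in NULL_OUT:
            continue  # output buffer present: payload call, not AAD
        inl = args[4]
        if re.fullmatch(r"0[uUlL]*", inl):
            verdict = "empty-aad"      # literal zero length: affected pattern
        elif re.fullmatch(r"\d+[uUlL]*", inl):
            continue                   # literal non-zero length: not affected
        else:
            verdict = "review-length"  # runtime length that may be zero
        line = src.count("\n", 0, m.start()) + 1
        findings.append((line, m.group(1), verdict))
    return findings

# Constructed sample source, not taken from any real project.
SAMPLE = '''\
EVP_EncryptUpdate(ctx, NULL, &len, hdr, 16);
EVP_EncryptUpdate(ctx, NULL, &len, NULL, 0);   // empty AAD entry
EVP_CipherUpdate(ctx, NULL, &len, opt, opt_len);
EVP_EncryptUpdate(ctx, out, &len, msg, msg_len);
// EVP_EncryptUpdate(ctx, NULL, &len, NULL, 0);
'''
```

A "review-length" hit means the length is only known at run time; trace whether it can be zero on a context keyed for AES-SIV.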
Monitoring Recommendations
- Inventory all systems running vulnerable OpenSSL versions (check using openssl version)
- Review application logs for cryptographic operation failures that may indicate exploitation attempts
- Implement software composition analysis (SCA) to track OpenSSL dependencies across the environment
- Monitor vendor security advisories for related updates from NetApp and other downstream vendors
How to Mitigate CVE-2023-2975
Immediate Actions Required
- Upgrade OpenSSL to patched versions that address the AES-SIV authentication bypass
- Review applications for usage of AES-SIV with empty associated data entries and assess risk
- Apply vendor patches for NetApp Management Services and ONTAP Select Deploy Administration Utility
- If unable to patch immediately, consider avoiding empty associated data entries in AES-SIV operations
Patch Information
OpenSSL has released patches to address this vulnerability. The fixes ensure that empty associated data entries are properly processed through the authentication algorithm. Commit patches are available:
For detailed patch information, refer to the OpenSSL Security Advisory July 2023. NetApp users should consult the NetApp Security Advisory NTAP-20230725-0004 for platform-specific guidance.
Workarounds
- Avoid using empty associated data entries when using AES-SIV cipher mode until patched
- If empty entries are required, use placeholder non-empty values as associated data instead
- Consider using alternative authenticated encryption modes (e.g., AES-GCM) if AES-SIV is not strictly required
- Implement application-level integrity checks as a defense-in-depth measure
```bash
# Check OpenSSL version for vulnerability assessment
openssl version -a

# Verify installed OpenSSL package version (Debian/Ubuntu)
dpkg -l | grep openssl

# Verify installed OpenSSL package version (RHEL/CentOS)
rpm -qa | grep openssl
```


