CVE-2023-28488: 
NixOS vulnerability analysis and mitigation

CVE-2023-28488 affects the gdhcp component in ConnMan through version 1.41. The vulnerability was discovered in the client.c file, where network-adjacent attackers operating a crafted DHCP server could cause a stack-based buffer overflow. The issue affects ConnMan versions from 0.55 to 1.41 (GitHub POC).

The vulnerability exists in the listener_event function in the ./gdhcp/client.c file, which handles DHCP packets from the DHCP server. When dhcp_client->listen_mode == L2, the dhcp_recv_l2_packet function reads IP, UDP, and DHCP headers into a packet buffer. The vulnerability occurs when the bytes variable is overwritten with the controlled value ntohs(packet.ip.tot_len) from the packet, leading to a stack buffer overflow in the subsequent memcpy operation (GitHub POC). The CVSS v3.1 base score is 6.5 (MEDIUM) with vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H (NVD).

The exploitation of this vulnerability results in a denial of service condition by terminating the connman process. The stack corruption can lead to access to an invalid address, overwriting of the stack canary, or returning to an incorrect address when exiting the function, depending on the compilation settings (GitHub POC).

A patch has been released to address this vulnerability. The fix involves verifying and sanitizing packet length first, avoiding overwriting the read packet length after the initial test (Kernel Patch). Various distributions have released security updates, including Debian with version 1.36-2.2+deb11u2 for the stable distribution (Debian Security).