CVE-2023-45229: 
NixOS vulnerability analysis and mitigation

EDK2's Network Package contains an out-of-bounds read vulnerability (CVE-2023-45229) when processing the IA_NA or IA_TA option in a DHCPv6 Advertise message. The vulnerability was discovered in late 2023 and affects EDK2 versions through 202311. This vulnerability is part of a larger set of vulnerabilities dubbed 'PixieFAIL' that affect the network boot (PXE) component of Tianocore EDK II, the open-source UEFI reference implementation (Tianocore Advisory, OSS Security).

The vulnerability has been assigned a CVSS v3.1 base score of 6.5 (MEDIUM) with the vector string CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N. It is classified as CWE-125 (Out-of-bounds Read). The vulnerability specifically occurs during the processing of DHCPv6 Advertise messages when handling IA_NA or IA_TA options (NVD, Tianocore Advisory).

When successfully exploited, this vulnerability can lead to unauthorized access and potential loss of confidentiality. The vulnerability is particularly concerning for systems that have PXE boot enabled, which is common in server nodes in datacenters and HPC environments. Some laptop computers may also have PXE boot enabled by default, although typically as the last option in the boot order (Tianocore Advisory).

The vulnerability has been patched in the February 2024 EDK2 release (edk2-stable202402). Organizations using affected versions should upgrade to the patched version. The vulnerability was initially addressed through patch files available via the Tianocore bugzilla system (Tianocore Advisory).