CVE-2023-45230: 
NixOS vulnerability analysis and mitigation

EDK2's Network Package contains a critical buffer overflow vulnerability (CVE-2023-45230) that affects the DHCPv6 client through a long server ID option. The vulnerability was discovered as part of the PixieFAIL research, which identified multiple vulnerabilities in the EDK2 UEFI network stack implementation. The issue affects systems with EDK2 versions up to and including 202311, with patches being made available in the February 2024 release (edk2-stable202402) (Tianocore Advisory).

The vulnerability is characterized by a buffer overflow condition that occurs when processing long server ID options in the DHCPv6 client component. It has been assigned a CVSS v3.1 base score of 8.8 (HIGH) with the vector string CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, indicating adjacent network access requirements but no privileges or user interaction needed for exploitation. The vulnerability is classified under CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer) (NVD, Tianocore Advisory).

When successfully exploited, this vulnerability can lead to unauthorized access and potentially result in a complete compromise of system confidentiality, integrity, and availability. The exploitation is considered straightforward as EDK2 does not officially employ mitigations such as stack cookies or address space layout randomization (Tianocore Advisory).

The vulnerability has been patched in the February 2024 EDK2 release (edk2-stable202402). Organizations using affected versions should upgrade to the patched version. The exposure is limited to PXE boot or HTTP boot on an untrusted network, which is not a recommended usage for the UEFI network stack (Tianocore Advisory).