CVE-2023-45231: 
NixOS vulnerability analysis and mitigation

EDK2's Network Package contains an out-of-bounds read vulnerability (CVE-2023-45231) when processing Neighbor Discovery Redirect messages. The vulnerability was disclosed on January 16, 2024, affecting EDK2 versions through 202311. This security flaw is part of a broader set of vulnerabilities dubbed 'PixieFAIL' discovered in the network boot (PXE) component of Tianocore EDK II, the open-source UEFI reference implementation (Tianocore Advisory, OSS Security).

The vulnerability is classified as CWE-125 (Out-of-bounds Read) with a CVSS v3.1 base score of 6.5 (Medium), characterized by the vector CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N. This indicates that the vulnerability requires adjacent network access, has low attack complexity, requires no privileges or user interaction, has unchanged scope, and can result in high confidentiality impact without affecting integrity or availability (NVD, Tianocore Advisory).

When successfully exploited, this vulnerability can lead to unauthorized access and potential loss of confidentiality. The exposure is limited to PXE boot or HTTP boot scenarios on untrusted networks, which is not a recommended usage for the UEFI network stack (Tianocore Advisory, NetApp Advisory).

The vulnerability has been patched in EDK2 version 202402. The fix was integrated into the February 2024 EDK2 release (edk2-stable202402). Various vendors have also released their own patches, including Fedora and NetApp (Tianocore Advisory, Fedora Update).