CVE-2023-45232: 
NixOS vulnerability analysis and mitigation

EDK2's Network Package contains an infinite loop vulnerability (CVE-2023-45232) when parsing unknown options in the Destination Options header of IPv6. The vulnerability was discovered in late 2023 and publicly disclosed on January 16, 2024, affecting EDK2 versions through 202311. This vulnerability is part of a larger set of vulnerabilities dubbed 'PixieFAIL' that affect the network boot (PXE) component of Tianocore EDK II, the open-source UEFI reference implementation (Vendor Advisory, OSS Security).

The vulnerability is classified as a Loop with Unreachable Exit Condition (CWE-835) that occurs during the parsing of unknown options in IPv6 Destination Options headers. It has been assigned a CVSS v3.1 base score of 7.5 (High) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H, indicating that it can be exploited remotely without requiring privileges or user interaction (NVD, Vendor Advisory).

When successfully exploited, this vulnerability can lead to a Denial of Service (DoS) condition through an infinite loop, potentially causing a loss of availability in the affected system. The vulnerability is particularly concerning for systems that have the PXE boot option enabled, which is common in server nodes in datacenters and HPC environments (Vendor Advisory, NetApp Advisory).

The vulnerability has been patched in EDK2 version 202402 (February 2024 release). Organizations using affected versions should upgrade to the patched version. The fix was integrated into the February 2024 EDK2 release (edk2-stable202402) (Vendor Advisory, Fedora Update).