CVE-2023-45234: 
NixOS vulnerability analysis and mitigation

EDK2's Network Package contains a buffer overflow vulnerability (CVE-2023-45234) when processing DNS Servers option from a DHCPv6 Advertise message. The vulnerability was discovered as part of the PixieFAIL vulnerability series affecting the network boot (PXE) component of Tianocore EDK II, the open-source UEFI reference implementation. The issue was disclosed in January 2024 and affects EDK2 versions up to and including 202311 (Tianocore Advisory, OSS Security).

The vulnerability is classified with a CVSS v3.1 base score of 8.8 (HIGH) with the vector string CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. It is categorized under CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer). The exploitation requires an attacker to be on the same broadcast domain (local network) and can be triggered during the processing of DNS Servers options in DHCPv6 Advertise messages (NVD, Tianocore Advisory).

When successfully exploited, this vulnerability can lead to unauthorized access and potentially result in a loss of Confidentiality, Integrity, and Availability. The exploitation is considered straightforward as EDK2 does not officially employ mitigations such as stack cookies or address space layout randomization (Tianocore Advisory).

The vulnerability has been patched in the February 2024 EDK2 release (edk2-stable202402). Organizations using affected versions should upgrade to the patched version. The fix was also included in various downstream distributions, such as Fedora's edk2-20240214-2.fc39 update (Fedora Update).