CVE-2023-45235: 
NixOS vulnerability analysis and mitigation

EDK2's Network Package contains a buffer overflow vulnerability (CVE-2023-45235) when handling Server ID option from a DHCPv6 proxy Advertise message. The vulnerability was discovered in late 2023 and publicly disclosed on January 16, 2024. This vulnerability affects EDK2 versions through 202311, particularly impacting systems with PXE boot enabled, which is common in server nodes in datacenters and HPC environments (Tianocore Advisory).

The vulnerability is classified with a CVSS v3.1 base score of 8.8 (HIGH) with the vector string CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. It is categorized under CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer). The vulnerability specifically occurs in the network boot (PXE) component of the EDK2 UEFI implementation, where the buffer overflow can be triggered during the processing of Server ID options in DHCPv6 proxy Advertise messages (NVD, Tianocore Advisory).

When successfully exploited, this vulnerability can lead to unauthorized access and potentially result in a loss of Confidentiality, Integrity, and Availability. The exploitation is considered straightforward as EDK2 does not officially employ mitigations such as stack cookies or address space layout randomization. The vulnerability can be exploited by unauthenticated remote attackers on the same broadcast domain and, in some cases, by attackers on remote networks (Tianocore Advisory, OSS Security).

The vulnerability has been patched in EDK2 version 202402. The fix was integrated into the February 2024 EDK2 release (edk2-stable202402). Organizations using affected versions should upgrade to the patched version to mitigate the vulnerability (Tianocore Advisory).