CVE-2023-45236: 
NixOS vulnerability analysis and mitigation

CVE-2023-45236 is a vulnerability discovered in EDK2's Network Package, specifically related to predictable TCP Initial Sequence Numbers. The vulnerability was disclosed on January 16, 2024, affecting EDK2 versions up to and including 202311. This security flaw impacts the network boot (PXE) component of Tianocore EDK II, the open-source UEFI reference implementation (Tianocore Advisory, OSS Security).

The vulnerability is characterized by predictable TCP Initial Sequence Numbers in the network stack implementation. It has received a CVSS v3.1 base score of 7.5 (HIGH) from NVD with a vector string of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N, while TianoCore.org assessed it with a score of 5.8 (MEDIUM) and vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N. The vulnerability is classified under CWE-338 (Use of Cryptographically Weak Pseudo-Random Number Generator) (NVD).

When successfully exploited, this vulnerability can lead to unauthorized access and potential loss of confidentiality. The vulnerability is particularly concerning for systems with PXE boot enabled, which is common in server nodes in datacenters and HPC environments. Some laptop computers may also have PXE boot enabled by default, although typically as the last option in the boot order (Tianocore Advisory).

The vulnerability was patched in the EDK2 May 2024 release (edk2-stable202405). The patch files are available via Tianocore's bugzilla system (Bug ID 4542). It's worth noting that exposure is limited to PXE boot or HTTP boot on an untrusted network, which is not a recommended usage for the UEFI network stack (Tianocore Advisory).