CVE-2023-45237: 
NixOS vulnerability analysis and mitigation

CVE-2023-45237 is a security vulnerability discovered in EDK2's Network Package, specifically related to the use of a weak Pseudo-Random Number Generator (PRNG) in TCP Initial Sequence Number generation. The vulnerability was disclosed on January 16, 2024, affecting EDK2 versions up to and including 202311. This vulnerability is part of a larger set of vulnerabilities dubbed 'PixieFAIL' discovered in the network boot (PXE) component of Tianocore EDK II (Openwall Mailing List, GitHub Advisory).

The vulnerability is classified with a CVSS v3.1 base score of 5.3 (Medium), with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N. It is categorized under CWE-338 (Use of Cryptographically Weak Pseudo-Random Number Generator). The technical issue stems from the predictability of TCP Initial Sequence Numbers, which could potentially be exploited by attackers (NVD, GitHub Advisory).

The vulnerability can be exploited by an attacker to gain unauthorized access and potentially lead to a loss of confidentiality. The exposure is particularly relevant in systems that have the PXE boot option enabled, which is common in server nodes in datacenters and HPC environments (GitHub Advisory).

The vulnerability was patched in the EDK2 February 2024 release (edk2-stable202402). The fix is available through patch files via the Tianocore bugzilla system. Organizations using affected versions should upgrade to the patched version to mitigate the vulnerability (GitHub Advisory, NetApp Advisory).