CVE-2023-48733: 
NixOS vulnerability analysis and mitigation

CVE-2023-48733 is a security vulnerability discovered in Ubuntu's EDK2 implementation where an insecure default configuration allowed the UEFI Shell to remain enabled even when Secure Boot is active. The vulnerability was discovered by Mate Kukri and disclosed on February 14, 2024. This vulnerability affects Ubuntu's EDK2 package and related systems that use EDK2-based firmware implementations (Openwall Report).

The vulnerability stems from the presence of a built-in UEFI Shell in the firmware that remains accessible even when Secure Boot is enabled. The CVSS 3.1 base score is 6.7 (Medium) with vector CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H. The UEFI Shell includes functionality for unattended scripting and commands like 'mm' that can write directly to physical memory and PCI config space (Openwall Report).

The vulnerability allows an OS-resident attacker to bypass Secure Boot protections and execute arbitrary unsigned code at system level. This can be achieved without requiring physical access or pseudo-physical access to the system, potentially compromising the security guarantees provided by UEFI Secure Boot (Openwall Report).

A patch has been developed to disable the UEFI Shell when Secure Boot is active. Future plans include completely removing the UEFI Shell from firmware images. For Debian 10 (buster), this issue has been fixed in version 0~20181115.85588389-3+deb10u4 (Debian Advisory).