Buffer Overflow in EDK II Network Package
CVE-2023-45230

8.8HIGH

Key Information:

Vendor: Tianocore
Status: Edk2
Vendor: CVE Published:; 16 January 2024

What is CVE-2023-45230?

The EDK2 Network Package by TianoCore contains a vulnerability that arises from a buffer overflow caused by excessively long server ID options received by the DHCPv6 client. An attacker could exploit this vulnerability to gain unauthorized access to the affected systems, thereby compromising their confidentiality, integrity, and availability. This presents a significant risk to users of the EDK2 Network Package, particularly in environments where DHCPv6 is in use.

Affected Version(s)

edk2 edk2-stable202308

References

https://github.com/tianocore/edk2/security/advisories/GHS...

http://www.openwall.com/lists/oss-security/2024/01/16/2

http://packetstormsecurity.com/files/176574/PixieFail-Pro...

CVSS V3.1

Score:

8.8

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Adjacent Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jan 16, 2024
Vulnerability Reserved
Oct 5, 2023

Credit

Quarkslab Vulnerability Reports Team

Doug Flick

Tianocore

What is CVE-2023-45230?

Affected Version(s)

References

CVSS V3.1

Timeline

Credit