Predictable TCP ISNs in EDK II Network Package
CVE-2023-45236

5.8MEDIUM

Key Information:

Vendor

Tianocore

Status
Edk2
Vendor
CVE Published:
16 January 2024

What is CVE-2023-45236?

The EDK2 Network Package by TianoCore is vulnerable due to a predictable TCP Initial Sequence Number (ISN). This flaw may allow an attacker to predict the ISN, facilitating unauthorized access and compromising the confidentiality of the network communications. Exploiting this vulnerability could lead to further attacks, including session hijacking, making it crucial for users and administrators to apply appropriate security measures.

Affected Version(s)

edk2 edk2-stable202308

References

https://github.com/tianocore/edk2/security/advisories/GHS...
http://www.openwall.com/lists/oss-security/2024/01/16/2
https://security.netapp.com/advisory/ntap-20240307-0011/

CVSS V3.1

Score:
5.8
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
None
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Quarkslab Vulnerability Reports Team
Doug Flick
JSON
.