// For flags

CVE-2023-45235

Buffer Overflow in EDK II Network Package

Severity Score

8.8
*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

1
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

Attend
*SSVC
Descriptions

EDK2's Network Package is susceptible to a buffer overflow vulnerability when handling Server ID option from a DHCPv6 proxy Advertise message. This vulnerability can be exploited by an attacker to gain unauthorized access and potentially lead to a loss of Confidentiality, Integrity and/or Availability.

EDK2's Network Package es susceptible a una vulnerabilidad de desbordamiento de búfer cuando maneja la opción de ID del servidor desde un mensaje de publicidad del proxy DHCPv6. Un atacante puede aprovechar esta vulnerabilidad para obtener acceso no autorizado y potencialmente provocar una pérdida de confidencialidad, integridad y/o disponibilidad.

A security flaw involving buffer overflow was identified in EDK2, the open-source reference implementation of the UEFI specification. This vulnerability enables an unauthorized attacker within the vicinity network to transmit a specifically crafted DHCPv6 proxy Advertise message, resulting in the disclosure of information and potential compromise of system availability.

This update for ovmf fixes the following issues. Potential division-by-zero crash in edk2 due to UINT32 overflow in S3 ResumeCount. Out-of-bounds read in edk2 when processing IA_NA/IA_TA options in DHCPv6 Advertise messages. Buffer overflow in the DHCPv6 client in edk2 via a long Server ID option. Out-of-bounds read in edk2 when handling a ND Redirect message with truncated options. Infinite loop in edk2 when parsing unknown options in the Destination Options header. Infinite loop in edk2 when parsing PadN options in the Destination Options header. Buffer overflow in edk2 when processing DNS Servers options in a DHCPv6 Advertise message. Buffer overflow in edk2 when handling the Server ID option in a DHCPv6 proxy Advertise message. Predictable TCP Initial Sequence Numbers in edk2 network packages. Use of a weak pseudorandom number generator in edk2.

*Credits: Quarkslab Vulnerability Reports Team, Doug Flick
CVSS Scores
Attack Vector
Adjacent
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High
Attack Vector
Adjacent
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
Low
Availability
High
Attack Vector
Adjacent
Attack Complexity
Low
Authentication
None
Confidentiality
Complete
Integrity
Complete
Availability
Complete
* Common Vulnerability Scoring System
SSVC
  • Decision:Attend
Exploitation
Poc
Automatable
Yes
Tech. Impact
Total
* Organization's Worst-case Scenario
Timeline
  • 2023-10-05 CVE Reserved
  • 2024-01-16 CVE Published
  • 2024-01-17 First Exploit
  • 2025-06-17 CVE Updated
  • 2025-08-16 EPSS Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
CWE
  • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer
CAPEC
  • CAPEC-540: Overread Buffers
Affected Vendors, Products, and Versions
Vendor Product Version Other Status
Vendor Product Version Other Status <-- --> Vendor Product Version Other Status
Tianocore
Search vendor "Tianocore"
 Edk2
Search vendor "Tianocore" for product "Edk2"
 <= 202311
Search vendor "Tianocore" for product "Edk2" and version " <= 202311"
-
Affected