Summary
9 vulnerabilities were reported in the EDK2 Network IP stack implementation (NetworkPkg). CVEs have been allocated.
Additional details can be found at https://bugzilla.tianocore.org/show_bug.cgi?id=4518.
Details
- CVE-2023-45229
  - CVSS 6.5 : CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
  - CWE-125 Out-of-bounds Read
- CVE-2023-45230
  - CVSS 8.3 : CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:H
  - CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer
- CVE-2023-45231
  - CVSS 6.5 : CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
  - CWE-125 Out-of-bounds Read
- CVE-2023-45232
  - CVSS 7.5 : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
  - CWE-835 Loop with Unreachable Exit Condition ('Infinite Loop')
- CVE-2023-45233
  - CVSS 7.5 : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
  - CWE-835 Loop with Unreachable Exit Condition ('Infinite Loop')
- CVE-2023-45234
  - CVSS 8.3 : CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:H
  - CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer
- CVE-2023-45235
  - CVSS 8.3 : CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:H
  - CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer
- CVE-2023-45236
  - CVSS 5.8 : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N
  - CWE-338 Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)
- CVE-2023-45237
  - CVSS 5.3 : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
  - CWE-338 Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)
Impact
These vulnerabilities can be exploited by unauthenticated remote
attackers on the same broadcast domain (local network) and, in some
cases, by attackers on remote networks. They are exploitable on systems
that have the PXE boot option enabled. Although this option is disabled
by default, it is very common to see it enabled on server nodes in
datacenters and HPC environments. We also have reports that some laptop
computers have PXE boot enabled by default, although as the last option
in the boot order.
The impact of these vulnerabilities includes denial of service,
information leakage, remote code execution, DNS cache poisoning and
network session hijacking. Exploitation of bugs 02, 06 and 07 for remote
code execution is deemed straightforward as EDK2 does not officially
employ mitigations such as stack cookies or address space layout
randomization.
Mitigation release plan
Patch files for vulnerabilities 1-7 are available now via https://bugzilla.tianocore.org/show_bug.cgi?id=4518. These patches were integrated in the Feb 2024 EDK2 release (edk2-stable202402).
Patch files for vulnerabilities 8-9 are available now via https://bugzilla.tianocore.org/show_bug.cgi?id=4541 and https://bugzilla.tianocore.org/show_bug.cgi?id=4542. These patches were integrated in the May 2024 EDK2 release (edk2-stable202405).
We are not aware of any exploits for vulnerabilities 8 and 9, either in the wild or in the lab. Exposure is limited to PXE boot or HTTP boot on an untrusted network, which is not a recommended usage for the UEFI network stack.