
Vulnerabilities in EDK2 NetworkPkg IP stack implementation

High
jkmathews published GHSA-hc6x-cw6p-gj7h Jan 16, 2024

Package

NetworkPkg (EDK2)

Affected versions

<=202311

Patched versions

202402

Description

Summary

Nine vulnerabilities were reported in the EDK2 network IP stack implementation (NetworkPkg); CVEs have been allocated for all of them.
Additional details can be found at https://bugzilla.tianocore.org/show_bug.cgi?id=4518.

Details

  1. CVE-2023-45229
    • CVSS 6.5 : CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
    • CWE-125 Out-of-bounds Read
  2. CVE-2023-45230
    • CVSS 8.3 : CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:H
    • CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer
  3. CVE-2023-45231
    • CVSS 6.5 : CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
    • CWE-125 Out-of-bounds Read
  4. CVE-2023-45232
    • CVSS 7.5 : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
    • CWE-835 Loop with Unreachable Exit Condition ('Infinite Loop')
  5. CVE-2023-45233
    • CVSS 7.5 : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
    • CWE-835 Loop with Unreachable Exit Condition ('Infinite Loop')
  6. CVE-2023-45234
    • CVSS 8.3 : CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:H
    • CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer
  7. CVE-2023-45235
    • CVSS 8.3 : CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:H
    • CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer
  8. CVE-2023-45236
    • CVSS 5.8 : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N
    • CWE-338 Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)
  9. CVE-2023-45237
    • CVSS 5.3 : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
    • CWE-338 Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)

Impact

These vulnerabilities can be exploited by unauthenticated attackers on the
same broadcast domain (local network) and, in some cases, by attackers on
remote networks. They are exploitable on systems that have the PXE boot
option enabled, because that is when the firmware network stack processes
packets from the network. Although this option is disabled by default, it
is very common to see it enabled on server nodes in datacenters and HPC
environments. We also have reports that some laptop computers have PXE
boot enabled by default, although as the last option in the boot order.

The impact of these vulnerabilities includes denial of service,
information leakage, remote code execution, DNS cache poisoning and
network session hijacking. Exploitation of the memory-corruption bugs 2, 6
and 7 (CWE-119) for remote code execution is deemed straightforward, as
EDK2 does not officially employ mitigations such as stack cookies or
address space layout randomization.
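The CWE-125, CWE-119 and CWE-835 entries in the list above share one root cause: a length field taken from the wire is used before it is checked against the bytes actually received, so a crafted packet can make the parser read past the buffer, write past a fixed-size destination, or fail to advance. The C example below is added here as an illustration and is not code from EDK2's NetworkPkg. It shows a minimal TLV option walker in the vulnerable form beside the hardened one; the wire format (2-byte code, 2-byte length, big-endian), the option code `OPT_SERVER_NAME`, the 16-byte destination buffer and the sample packets are all constructed for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Option wire format assumed for this example (not EDK2's code):
 *   2-byte big-endian option code | 2-byte big-endian length | value
 * The client wants one option (OPT_SERVER_NAME) copied into a fixed buffer. */
#define OPT_HDR_LEN      4u
#define OPT_SERVER_NAME  0x0001u
#define NAME_BUF_LEN     16u

enum parse_result { PARSE_OK = 0, PARSE_NOT_FOUND = 1,
                    PARSE_TRUNCATED = -1, PARSE_TOO_LONG = -2 };

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] << 8 | p[1]); }

/* Vulnerable pattern (CWE-125 / CWE-119): the length from the wire is
 * trusted. A length larger than the bytes remaining makes memcpy read past
 * the packet; a length of NAME_BUF_LEN or more writes past the stack buffer,
 * the bug class that is exploitable for RCE when a firmware image is built
 * without stack cookies. Kept for comparison only: never run on untrusted
 * input (main() below runs it on the benign packet only). */
static int find_server_name_unsafe(const uint8_t *pkt, size_t pkt_len,
                                   char name[NAME_BUF_LEN])
{
    size_t off = 0;
    while (off < pkt_len) {
        uint16_t code = rd16(pkt + off);
        uint16_t len  = rd16(pkt + off + 2);
        if (code == OPT_SERVER_NAME) {
            memcpy(name, pkt + off + OPT_HDR_LEN, len);   /* both bounds unchecked */
            name[len] = '\0';
            return PARSE_OK;
        }
        off += OPT_HDR_LEN + len;
    }
    return PARSE_NOT_FOUND;
}

/* Hardened form: every length is checked against the bytes remaining before
 * it is used, the copy is bounded by the destination, and the cursor
 * advances by at least OPT_HDR_LEN per iteration, so no crafted length can
 * stall the loop (the CWE-835 failure mode). */
static int find_server_name_safe(const uint8_t *pkt, size_t pkt_len,
                                 char name[NAME_BUF_LEN])
{
    size_t off = 0;
    while (off < pkt_len) {
        if (pkt_len - off < OPT_HDR_LEN)
            return PARSE_TRUNCATED;            /* header itself is cut off */
        uint16_t code = rd16(pkt + off);
        uint16_t len  = rd16(pkt + off + 2);
        if (len > pkt_len - off - OPT_HDR_LEN)
            return PARSE_TRUNCATED;            /* value runs past the packet */
        if (code == OPT_SERVER_NAME) {
            if (len >= NAME_BUF_LEN)
                return PARSE_TOO_LONG;         /* leave room for the NUL */
            memcpy(name, pkt + off + OPT_HDR_LEN, len);
            name[len] = '\0';
            return PARSE_OK;
        }
        off += OPT_HDR_LEN + len;              /* strictly increasing */
    }
    return PARSE_NOT_FOUND;
}

/* Constructed sample packets (not captured traffic). */
static const uint8_t benign_pkt[] = {
    0x00, 0x02, 0x00, 0x02, 0xAA, 0xBB,             /* option 2, 2-byte value */
    0x00, 0x01, 0x00, 0x04, 'p', 'x', 'e', '1'      /* OPT_SERVER_NAME "pxe1" */
};
/* Claims 0x0100 value bytes but only 4 follow: the unsafe memcpy would read
 * past the packet and overflow the 16-byte buffer. */
static const uint8_t oversized_pkt[] = { 0x00, 0x01, 0x01, 0x00, 'p', 'x', 'e', '1' };
/* 20-byte value fits in the packet but not in the 16-byte buffer. */
static const uint8_t toolong_pkt[] = {
    0x00, 0x01, 0x00, 0x14,
    'a','a','a','a','a','a','a','a','a','a','a','a','a','a','a','a','a','a','a','a'
};

static int safe_result(const uint8_t *pkt, size_t pkt_len)
{
    char name[NAME_BUF_LEN];
    return find_server_name_safe(pkt, pkt_len, name);
}

static int safe_name_matches(const uint8_t *pkt, size_t pkt_len, const char *expected)
{
    char name[NAME_BUF_LEN] = {0};
    if (find_server_name_safe(pkt, pkt_len, name) != PARSE_OK) return 0;
    return strcmp(name, expected) == 0;
}

static int unsafe_result_benign(void)
{
    char name[NAME_BUF_LEN];
    return find_server_name_unsafe(benign_pkt, sizeof benign_pkt, name);
}

int main(void)
{
    char name[NAME_BUF_LEN] = {0};
    int r = find_server_name_safe(benign_pkt, sizeof benign_pkt, name);
    printf("benign    : %d name=\"%s\"\n", r, name);
    printf("oversized : %d (PARSE_TRUNCATED, not an out-of-bounds read)\n",
           safe_result(oversized_pkt, sizeof oversized_pkt));
    printf("too long  : %d (PARSE_TOO_LONG, not a stack overflow)\n",
           safe_result(toolong_pkt, sizeof toolong_pkt));
    return 0;
}
```

The two checks in the hardened walker are the whole fix: `len` is compared against the bytes left in the packet before any read, and against the destination size before any write. Fuzzing the parser with `oversized_pkt`-style lengths is the quickest way to confirm a firmware network stack has both.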

Mitigation release plan

Patch files for vulnerabilities 1-7 are available now via https://bugzilla.tianocore.org/show_bug.cgi?id=4518. These patches were integrated in the Feb 2024 EDK2 release (edk2-stable202402).

Patch files for vulnerabilities 8-9 are available now via https://bugzilla.tianocore.org/show_bug.cgi?id=4541 and https://bugzilla.tianocore.org/show_bug.cgi?id=4542. These patches were integrated in the May 2024 EDK2 release (edk2-stable202405).

We are not aware of any exploits for vulnerabilities 8 and 9, either in the wild or in the lab. Exposure is limited to PXE boot or HTTP boot on an untrusted network, which is not a recommended usage for the UEFI network stack.
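Vulnerabilities 8 and 9 are both CWE-338, and the Impact section lists DNS cache poisoning and session hijacking, which is what predictable protocol identifiers lead to: an attacker who can guess the next DNS transaction ID or TCP initial sequence number can forge the response. The C example below is added here and is not code from EDK2. It uses an assumed weak generator (a 32-bit LCG with the classic ANSI C `rand()` constants, whose high 16 bits are used as a DNS transaction ID) to show how two observed IDs let an attacker recover the state and predict the third, and contrasts it with drawing the ID from the platform CSPRNG. EDK2 exposes a hardware-backed source through EFI_RNG_PROTOCOL; the example reads /dev/urandom so it runs stand-alone on a host.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Weak generator (CWE-338 pattern), assumed for the example: a 32-bit LCG
 * whose high 16 bits are handed out as a DNS transaction ID. Constants are
 * the ANSI C rand() multiplier and increment. */
#define LCG_A 1103515245u
#define LCG_C 12345u

static uint32_t weak_state;

static void weak_seed(uint32_t seed) { weak_state = seed; }

static uint16_t weak_txid(void)
{
    weak_state = weak_state * LCG_A + LCG_C;
    return (uint16_t)(weak_state >> 16);
}

/* Attacker side: id1 reveals the high 16 bits of the state, so only the low
 * 16 bits are unknown. Try all 65536, keep those that reproduce id2, and
 * step each survivor once more to predict id3. Returns the number of
 * survivors; at most max predictions are written to out. */
static size_t predict_next_txids(uint16_t id1, uint16_t id2,
                                 uint16_t *out, size_t max)
{
    size_t n = 0;
    for (uint32_t low = 0; low <= 0xFFFFu; low++) {
        uint32_t s = ((uint32_t)id1 << 16) | low;   /* candidate state after id1 */
        s = s * LCG_A + LCG_C;                       /* step to id2 */
        if ((uint16_t)(s >> 16) != id2)
            continue;
        s = s * LCG_A + LCG_C;                       /* step to id3 */
        if (n < max)
            out[n] = (uint16_t)(s >> 16);
        n++;
    }
    return n;
}

/* Returns 1 if the generator's real third ID is among the attacker's
 * predictions (the true state is always one of the candidates, so the
 * 65536-value search space collapses to a handful of guesses). The number
 * of surviving candidates is stored in *ncand when it is non-NULL. */
static int demo_weak_txid_is_predictable(uint32_t seed, size_t *ncand)
{
    uint16_t cand[64];
    weak_seed(seed);
    uint16_t id1 = weak_txid();
    uint16_t id2 = weak_txid();
    uint16_t id3 = weak_txid();
    size_t n = predict_next_txids(id1, id2, cand, sizeof cand / sizeof cand[0]);
    if (ncand) *ncand = n;
    for (size_t i = 0; i < n && i < sizeof cand / sizeof cand[0]; i++)
        if (cand[i] == id3) return 1;
    return 0;
}

static size_t weak_candidate_count(uint32_t seed)
{
    size_t n = 0;
    demo_weak_txid_is_predictable(seed, &n);
    return n;
}

/* Hardened side: take the ID from the platform CSPRNG. In EDK2 that is
 * EFI_RNG_PROTOCOL; here /dev/urandom stands in so the example runs on a
 * host. Returns 0 on success, -1 if no random source is available. */
static int strong_txid(uint16_t *out)
{
    FILE *f = fopen("/dev/urandom", "rb");
    if (!f) return -1;
    size_t got = fread(out, sizeof *out, 1, f);
    fclose(f);
    return got == 1 ? 0 : -1;
}

int main(void)
{
    size_t n = 0;
    int hit = demo_weak_txid_is_predictable(0xDEADBEEFu, &n);
    printf("weak generator: %zu candidate(s) left out of 65536, real next ID predicted: %s\n",
           n, hit ? "yes" : "no");
    uint16_t id;
    if (strong_txid(&id) == 0)
        printf("CSPRNG transaction ID: 0x%04x (no relation to previous outputs)\n", id);
    return 0;
}
```

The point generalises beyond this toy LCG: any generator whose internal state is small or seeded from a guessable value (a timer, a MAC address) can be reconstructed from a few observed outputs, so identifiers that must be unguessable have to come from a cryptographically secure source.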

Severity

High 8.3 / 10

CVSS base metrics

Attack vector
Adjacent
Attack complexity
Low
Privileges required
None
User interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
Low
Availability
High
CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:H

CVE ID

CVE-2023-45229

Credits