CVE-2023-45232: Infinite loop in EDK II Network Package
First published: Tue Jan 16 2024(Updated: )
EDK2's Network Package is susceptible to an infinite loop vulnerability when parsing unknown options in the Destination Options header of IPv6. This vulnerability can be exploited by an attacker to gain unauthorized access and potentially lead to a loss of Availability.
Credit: infosec@edk2.groups.io infosec@edk2.groups.io
| Affected Software | Affected Version | How to fix |
|---|---|---|
| debian/edk2 | <=0~20181115.85588389-3+deb10u3<=2020.11-2+deb11u1<=2020.11-2+deb11u2<=2022.11-6 | 2022.11-6+deb12u1 2024.02-2 |
| ubuntu/edk2 | <0~20191122. | 0~20191122. |
| ubuntu/edk2 | <2022.02-3ubuntu0.22.04.2 | 2022.02-3ubuntu0.22.04.2 |
| ubuntu/edk2 | <2023.05-2ubuntu0.1 | 2023.05-2ubuntu0.1 |
| Tianocore EDK II | <=202311 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://packetstormsecurity.com/files/176574/PixieFail-Proof-Of-Concepts.html
- http://www.openwall.com/lists/oss-security/2024/01/16/2
- https://github.com/tianocore/edk2/security/advisories/GHSA-hc6x-cw6p-gj7h
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SJ42V7O7F4OU6R7QSQQECLB6LDHKZIMQ/
- https://security.netapp.com/advisory/ntap-20240307-0011/
- https://blog.quarkslab.com/pixiefail-nine-vulnerabilities-in-tianocores-edk-ii-ipv6-network-stack.html
- https://www.openwall.com/lists/oss-security/2024/01/16/2
- https://security-tracker.debian.org/tracker/CVE-2023-45232
- https://launchpad.net/bugs/cve/CVE-2023-45232
- https://ubuntu.com/security/notices/USN-6638-1
- https://www.cve.org/CVERecord?id=CVE-2023-45232
- https://nvd.nist.gov/vuln/detail/CVE-2023-45232
- https://ubuntu.com/security/CVE-2023-45232
- https://github.com/advisories/GHSA-3r3p-444m-2g4p
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2258692
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2258693
- https://access.redhat.com/errata/RHSA-2024:2264
- https://access.redhat.com/errata/RHSA-2024:3017
- https://access.redhat.com/errata/RHSA-2024:8104
- https://bugzilla.redhat.com/show_bug.cgi?id=2258691
Frequently Asked Questions
What is the severity of CVE-2023-45232?
CVE-2023-45232 has a high severity rating due to its potential to cause a denial of service attack by exploiting an infinite loop in the code.
How do I fix CVE-2023-45232?
To fix CVE-2023-45232, upgrade to the recommended versions of edk2 as specified in the affected software list.
What systems are affected by CVE-2023-45232?
CVE-2023-45232 affects various versions of the Tianocore EDK2 and corresponding packages in Ubuntu and Debian distributions.
Can CVE-2023-45232 lead to unauthorized access?
Yes, CVE-2023-45232 can potentially be exploited by attackers to gain unauthorized access due to the infinite loop vulnerability.
Is there a workaround for CVE-2023-45232 until a fix is applied?
There are no specific workarounds for CVE-2023-45232; applying the security update is essential to mitigate the vulnerability.
- agent/weakness
- agent/title
- agent/type
- agent/first-publish-date
- agent/author
- collector/security-tracker-debian
- source/Debian
- agent/software-canonical-lookup
- collector/launchpad-cve
- source/Launchpad
- collector/usn-cve
- source/Ubuntu
- agent/severity
- collector/mitre-cve
- source/MITRE
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2023-45232
- agent/references
- agent/trending
- agent/source
- agent/tags
- agent/last-modified-date
- agent/softwarecombine
- agent/description
- agent/event
- collector/nvd-api
- source/NVD
- agent/software-canonical-lookup-request
- collector/nvd-cve
- package-manager/debian
- package-manager/ubuntu
- vendor/tianocore
- canonical/tianocore edk ii
- version/tianocore edk ii/202311