Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

redhat логотип

CVE-2023-45229

Опубликовано: 16 янв. 2024
Источник: redhat
CVSS3: 6.5
EPSS Низкий

Описание

EDK2's Network Package is susceptible to an out-of-bounds read vulnerability when processing the IA_NA or IA_TA option in a DHCPv6 Advertise message. This vulnerability can be exploited by an attacker to gain unauthorized access and potentially lead to a loss of Confidentiality.

A vulnerability has been identified in the NetworkPkg IP stack of EDK2, the open-source reference implementation of the UEFI specification. This flaw enables an unauthenticated attacker within the same network vicinity to transmit a specifically crafted DHCPv6 message. Exploiting this vulnerability may result in unauthorized access to memory beyond its boundaries, potentially leading to the exposure of sensitive information.

Отчет

The identified flaw in the NetworkPkg IP stack within the EDK2, an open-source UEFI implementation, poses a moderate security concern. This vulnerability allows an unauthenticated attacker within the same network to exploit via a crafted DHCPv6 message, potentially leading to the unauthorized access of memory beyond its designated boundaries. While the issue has the potential to leak sensitive information, its impact is considered moderate, requiring an attacker to be within the adjacent network for successful exploitation.

Меры по смягчению последствий

Mitigation for this issue is either not available or the currently available options don't meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.

Ссылки на источники

Дополнительная информация

Статус:

Moderate
Дефект:
CWE-119
Дефект:
CWE-125
Дефект:
CWE-338
Дефект:
CWE-835
https://bugzilla.redhat.com/show_bug.cgi?id=2258677edk2: Integer underflow when processing IA_NA/IA_TA options in a DHCPv6 Advertise message

EPSS

Процентиль: 28%
0.00098
Низкий

6.5 Medium

CVSS3

Связанные уязвимости

ubuntu логотип

CVE-2023-45229

CVSS3: 6.5
ubuntu
больше 1 года назад

EDK2's Network Package is susceptible to an out-of-bounds read vulnerability when processing the IA_NA or IA_TA option in a DHCPv6 Advertise message. This vulnerability can be exploited by an attacker to gain unauthorized access and potentially lead to a loss of Confidentiality.

nvd логотип

CVE-2023-45229

CVSS3: 6.5
nvd
больше 1 года назад

EDK2's Network Package is susceptible to an out-of-bounds read vulnerability when processing the IA_NA or IA_TA option in a DHCPv6 Advertise message. This vulnerability can be exploited by an attacker to gain unauthorized access and potentially lead to a loss of Confidentiality.

msrc логотип

CVE-2023-45229

CVSS3: 6.5
msrc
больше 1 года назад

Описание отсутствует

debian логотип

CVE-2023-45229

CVSS3: 6.5
debian
больше 1 года назад

EDK2's Network Package is susceptible to an out-of-bounds read vulner ...

fstec логотип

BDU:2024-00459

CVSS3: 6.5
fstec
больше 1 года назад

Уязвимость функции Dhcp6HandleAdvertiseMsg (NetworkPkg/Dhcp6Dxe/Dhcp6Io.c) библиотеки Tianocore edk2, позволяющая нарушителю получить несанкционированный доступ к защищаемой информации

EPSS

Процентиль: 28%
0.00098
Низкий

6.5 Medium

CVSS3