CVE-2023-45230
📋 TL;DR
EDK2's NetworkPkg DHCPv6 client (the Dhcp6Dxe driver) has a buffer overflow: when it copies the Server ID option from a DHCPv6 server message into a fixed-size packet buffer, it trusts the attacker-supplied option length and never checks that the option fits. Anyone who can answer the client's DHCPv6 Solicit on the same link (a rogue or compromised DHCPv6 server) can overflow the buffer to crash the firmware or execute code in the pre-boot UEFI environment. The exposure window is IPv6 network boot (PXE/HTTP boot), before the OS loads; it affects any platform whose firmware includes EDK2's IPv6 network stack with DHCPv6 enabled, including servers, workstations, embedded devices and virtual machine firmware. It is one of the PixieFail bugs reported by Quarkslab.
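The vulnerable pattern and its bounded form, as an added example that is not edk2 code: a simplified C model of the client copying a Server ID option into a fixed-size outgoing packet. The function names, the 512-byte buffer size and the DUID bytes are assumptions for illustration; only the option codes and the option header layout follow RFC 8415.

```c
/* Added example, not edk2 code: a simplified model of the DHCPv6 client
 * copying a Server ID option into a fixed-size packet buffer. Names and the
 * 512-byte buffer size are assumptions; option codes follow RFC 8415. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define DHCP6_OPT_CLIENTID 1u
#define DHCP6_OPT_SERVERID 2u
#define DHCP6_MSG_REQUEST  3u
#define DHCP6_PKT_MAX      512u      /* assumed: fixed outgoing packet buffer */

typedef struct {
    uint8_t data[DHCP6_PKT_MAX];
    size_t  len;                     /* bytes written so far */
} dhcp6_pkt;

/* Constructed DUID-LLT for our client: type(2) hw-type(2) time(4) MAC(6). */
static const uint8_t k_client_duid[14] = {
    0x00, 0x01, 0x00, 0x01, 0x2a, 0x1b, 0x3c, 0x4d,
    0x00, 0x11, 0x22, 0x33, 0x44, 0x55
};

static void put_u16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)(v >> 8); p[1] = (uint8_t)v; }

/* VULNERABLE pattern: opt_len comes straight from the server's option header
 * and is written with no comparison against the remaining buffer space. With
 * a long Server ID the memcpy runs past data[] into whatever follows it. */
static void dhcp6_append_option_unchecked(dhcp6_pkt *pkt, uint16_t code,
                                          uint16_t opt_len, const uint8_t *opt)
{
    uint8_t *cur = pkt->data + pkt->len;
    put_u16(cur, code);
    put_u16(cur + 2, opt_len);
    memcpy(cur + 4, opt, opt_len);   /* no bound: len + 4 + opt_len may exceed DHCP6_PKT_MAX */
    pkt->len += 4u + opt_len;
}

/* HARDENED form: refuse the append unless header + body fit. The subtraction
 * is ordered so it cannot underflow. Returns 0 on success, -1 on overflow. */
static int dhcp6_append_option_checked(dhcp6_pkt *pkt, uint16_t code,
                                       uint16_t opt_len, const uint8_t *opt)
{
    if (pkt->len > DHCP6_PKT_MAX) return -1;
    if (DHCP6_PKT_MAX - pkt->len < 4u + (size_t)opt_len) return -1;
    uint8_t *cur = pkt->data + pkt->len;
    put_u16(cur, code);
    put_u16(cur + 2, opt_len);
    memcpy(cur + 4, opt, opt_len);
    pkt->len += 4u + opt_len;
    return 0;
}

/* Build a Request echoing the Server ID learned from an Advertise, using the
 * checked append. Returns the packet length, or -1 if the option does not fit. */
int dhcp6_build_request(const uint8_t *server_id, uint16_t server_id_len, dhcp6_pkt *out)
{
    memset(out, 0, sizeof *out);
    out->data[0] = DHCP6_MSG_REQUEST;
    out->data[1] = 0x12; out->data[2] = 0x34; out->data[3] = 0x56;  /* constructed xid */
    out->len = 4;
    if (dhcp6_append_option_checked(out, DHCP6_OPT_CLIENTID,
                                    (uint16_t)sizeof k_client_duid, k_client_duid) != 0) return -1;
    if (dhcp6_append_option_checked(out, DHCP6_OPT_SERVERID, server_id_len, server_id) != 0) return -1;
    return (int)out->len;
}

/* Helper for experiments: build a Request for a Server ID of n filler bytes. */
int demo_request_len(size_t n)
{
    static uint8_t id[4096];
    dhcp6_pkt pkt;
    if (n > sizeof id) return -1;
    memset(id, 0x41, n);
    return dhcp6_build_request(id, (uint16_t)n, &pkt);
}

int main(void)
{
    dhcp6_pkt pkt;
    printf("14-byte server id  -> %d bytes\n", demo_request_len(14));    /* 40 */
    printf("486-byte server id -> %d bytes\n", demo_request_len(486));   /* 512, exactly fills */
    printf("600-byte server id -> %d (rejected)\n", demo_request_len(600));
    /* The unchecked variant is only ever called here with an option that fits;
     * fed the 600-byte option above it would write past pkt.data. */
    pkt.len = 4;
    dhcp6_append_option_unchecked(&pkt, DHCP6_OPT_SERVERID,
                                  (uint16_t)sizeof k_client_duid, k_client_duid);
    printf("unchecked append of a 14-byte id -> %zu bytes\n", pkt.len);
    return 0;
}
```

Build with `cc -Wall -o dhcp6_append dhcp6_append.c`. The point of the checked form is that the comparison happens before any write and uses the bytes still free in the buffer, not the attacker's length, as the limit; a real driver also needs the same check on every other option it copies from server messages.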
💻 Affected Systems
- EDK2 (EDK II, TianoCore's EFI Development Kit), NetworkPkg: the Dhcp6Dxe driver
- Any UEFI firmware built from EDK2 that includes the IPv6 network stack (OEM BIOS/UEFI for servers, workstations, laptops and embedded boards; virtual machine firmware such as OVMF)
- Downstream packagers of edk2 (see the Debian, Fedora and NetApp advisories under References)
📦 What is this software?
EDK2 (EFI Development Kit II) is TianoCore's open-source reference implementation of the UEFI specification. Much commercial platform firmware is derived from it, and its NetworkPkg provides the pre-boot IPv4/IPv6 stack (DHCP, DNS, PXE and HTTP boot) to which the DHCPv6 client belongs.
⚠️ Risk & Real-World Impact
Worst Case
Code execution in the pre-boot UEFI environment, before the OS, its drivers and its security controls are loaded, leading to full system compromise, persistent firmware-resident malware that survives OS reinstallation, or a bricked device.
Likely Case
A firmware hang, crash or reboot during network boot (denial of service); reliable code execution requires a payload tailored to the specific firmware build, so an untargeted attempt more often ends in a crash.
If Mitigated
With DHCPv6 disabled in firmware setup, or DHCPv6 traffic filtered on the boot segment, the vulnerable code path never receives attacker-controlled packets; residual risk is a failed or crashed network boot if a malformed reply still reaches a client.
🎯 Exploit Status
Proof-of-concept code is public as part of Quarkslab's PixieFail release (see the Packet Storm link under References). The attacker must be able to deliver a DHCPv6 Advertise or Reply to the target while its firmware is performing IPv6 network boot, i.e. sit on the same link or control a DHCPv6 server the client's Solicit reaches.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: EDK2 commit 0b975d2 and later
Vendor Advisory: https://github.com/tianocore/edk2/security/advisories/GHSA-hc6x-cw6p-gj7h
Restart Required: Yes
Instructions:
1. Obtain a firmware image that includes the EDK2 fix (commit 0b975d2 or later). End users do not rebuild EDK2 themselves: the fix reaches you through your hardware, platform or hypervisor vendor's firmware update, so check that vendor's advisory for the build that contains it.
2. Apply the firmware update following the vendor's instructions (vendor flash tool, UEFI capsule update, or BMC/out-of-band update on servers).
3. Reboot to activate the new firmware.
4. Re-read the firmware version and release date afterwards (see How to Verify) to confirm the new image is what is actually running.
🔧 Temporary Workarounds
Disable DHCPv6 in UEFI/BIOS
Disable the IPv6 network stack or IPv6 PXE/HTTP boot in firmware setup (the option name varies by vendor); if network boot is not needed at all, disable the firmware network stack entirely. Only the pre-boot client is affected, so the operating system's own DHCPv6 client can stay enabled.
Network segmentation and filtering
Keep hosts that must network-boot on a dedicated, trusted segment; enable DHCPv6 guard / rogue server protection on access switches and block DHCPv6 (UDP 546/547) from untrusted sources so malicious Advertise/Reply messages cannot reach booting clients.
🧯 If You Can't Patch
- Boot from local storage rather than IPv6 PXE/HTTP boot on any network where other hosts are untrusted
- Segment hosts that must network-boot onto an isolated, access-controlled segment
- Monitor that segment for DHCPv6 server messages from unexpected sources and for oversized Server ID options
🔍 How to Verify
Check if Vulnerable:
First determine whether the firmware includes EDK2's IPv6 network stack and whether IPv6 network boot / DHCPv6 is enabled in setup; if the IPv6 stack is disabled the vulnerable code is never reached. Firmware released before the 2024-01-16 disclosure cannot contain the fix; a later release date does not prove the fix is present, so confirm the build against your vendor's advisory. Read the BIOS version and release date with dmidecode (Linux) or from the firmware setup screen.
Check Version:
sudo dmidecode -t bios | grep -Ei 'version|release date'
Verify Fix Applied:
Confirm the installed firmware build is the one your vendor's advisory lists as containing the fix (EDK2 commit 0b975d2 or later), and check the update tool or BMC logs for a successful flash. Re-read the version string after the reboot so you are not looking at a staged but not yet applied image.
📡 Detection & Monitoring
Log Indicators:
- Unexplained hangs, crashes or reboots during network boot (the exposure window is pre-OS, so OS logs usually show nothing beyond an unexpected restart)
- Firmware/UEFI error messages or boot failures on PXE/HTTP boot clients
- DHCPv6 guard / rogue server alerts on access switches (the malicious packet is a server message, so the legitimate DHCPv6 server's own logs will not record it)
Network Indicators:
- DHCPv6 Advertise/Reply messages (UDP source port 547) whose Server ID option (option code 2) is longer than any valid DUID; RFC 8415 limits a DUID to 130 octets plus its 2-octet type code
- DHCPv6 server messages from unexpected source addresses on the boot segment
SIEM Query (illustrative; substitute the field names of your capture or IDS source):
source="dhcpv6" AND msg_type IN (2, 7) AND server_id_option_length > 132
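The network indicator above in working form, as an added example that is not part of the page or of edk2: a C option walker that parses a DHCPv6 message, checks every option length against the bytes actually present, and flags a Server ID option longer than a DUID can be. The function names, the sample Advertise bytes and the 132-byte threshold constant are assumptions (the threshold is derived from the RFC 8415 DUID limit and can be lowered); message and option layouts follow RFC 8415.

```c
/* Added example, not edk2 code: a DHCPv6 option walker that flags the
 * condition a PixieFail-style packet relies on, a Server ID option longer
 * than any valid DUID. Names are assumptions; layouts follow RFC 8415. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define DHCP6_MSG_ADVERTISE 2u
#define DHCP6_OPT_SERVERID  2u
/* RFC 8415 sec. 11.1 caps a DUID at 130 octets excluding its 2-octet type
 * code, so any Server ID option body above 132 bytes is malformed. Tunable. */
#define DHCP6_SERVERID_MAX  132u

enum { DHCP6_OK = 0, DHCP6_SHORT, DHCP6_TRUNCATED, DHCP6_OVERSIZED_SERVERID };

typedef struct {
    int      verdict;        /* one of the enum values above */
    unsigned option_count;   /* options successfully walked */
    uint16_t server_id_len;  /* largest Server ID option body seen */
} dhcp6_scan;

static uint16_t get_u16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Walk a DHCPv6 message: 1-byte msg-type, 3-byte transaction id, then
 * option TLVs (2-byte code, 2-byte length, body). Every length is checked
 * against the bytes actually present before it is trusted. */
dhcp6_scan dhcp6_scan_message(const uint8_t *msg, size_t msg_len)
{
    dhcp6_scan r = { DHCP6_OK, 0, 0 };
    size_t off = 4;
    if (msg_len < 4) { r.verdict = DHCP6_SHORT; return r; }
    while (off < msg_len) {
        if (msg_len - off < 4) { r.verdict = DHCP6_TRUNCATED; return r; }
        uint16_t code = get_u16(msg + off);
        uint16_t len  = get_u16(msg + off + 2);
        off += 4;
        if (len > msg_len - off) { r.verdict = DHCP6_TRUNCATED; return r; } /* body runs past datagram */
        r.option_count++;
        if (code == DHCP6_OPT_SERVERID && len > r.server_id_len) r.server_id_len = len;
        off += len;
    }
    if (r.server_id_len > DHCP6_SERVERID_MAX) r.verdict = DHCP6_OVERSIZED_SERVERID;
    return r;
}

/* Constructed benign Advertise: Server ID (14-byte DUID-LLT) + Client ID. */
static const uint8_t k_benign_advertise[] = {
    0x02, 0xab, 0xcd, 0xef,                          /* ADVERTISE, xid */
    0x00, 0x02, 0x00, 0x0e,                          /* OPTION_SERVERID, len 14 */
    0x00, 0x01, 0x00, 0x01, 0x11, 0x22, 0x33, 0x44, 0xde, 0xad, 0xbe, 0xef, 0x00, 0x01,
    0x00, 0x01, 0x00, 0x0e,                          /* OPTION_CLIENTID, len 14 */
    0x00, 0x01, 0x00, 0x01, 0x2a, 0x1b, 0x3c, 0x4d, 0x00, 0x11, 0x22, 0x33, 0x44, 0x55
};

/* Build an Advertise whose only option is a Server ID of duid_len filler
 * bytes (what a rogue server would send). Returns bytes written, 0 if no room. */
size_t dhcp6_build_advertise(uint8_t *out, size_t cap, uint16_t duid_len)
{
    size_t need = 8u + duid_len;
    if (need > cap) return 0;
    out[0] = DHCP6_MSG_ADVERTISE; out[1] = 0x01; out[2] = 0x02; out[3] = 0x03;
    out[4] = 0x00; out[5] = DHCP6_OPT_SERVERID;
    out[6] = (uint8_t)(duid_len >> 8); out[7] = (uint8_t)duid_len;
    memset(out + 8, 0x41, duid_len);
    return need;
}

/* Scan an Advertise with an n-byte Server ID; truncate_to > 0 cuts the
 * datagram short to simulate a capture or packet that ends early. */
int demo_verdict(uint16_t n, size_t truncate_to)
{
    static uint8_t buf[4096];
    size_t len = dhcp6_build_advertise(buf, sizeof buf, n);
    if (len == 0) return -1;
    if (truncate_to > 0 && truncate_to < len) len = truncate_to;
    return dhcp6_scan_message(buf, len).verdict;
}

int main(void)
{
    static const char *names[] = { "ok", "short", "truncated", "oversized server id" };
    dhcp6_scan r = dhcp6_scan_message(k_benign_advertise, sizeof k_benign_advertise);
    printf("benign advertise: %s, %u options, server id %u bytes\n",
           names[r.verdict], r.option_count, r.server_id_len);
    printf("300-byte server id: %s\n", names[demo_verdict(300, 0)]);
    printf("300-byte claim, 100-byte datagram: %s\n", names[demo_verdict(300, 100)]);
    return 0;
}
```

Feed `dhcp6_scan_message` the UDP payload of each packet with source port 547 seen on the boot segment; a verdict of DHCP6_OVERSIZED_SERVERID is the signature worth alerting on, and DHCP6_TRUNCATED (an option length that overruns the datagram) is the other malformed shape a detector should not crash on itself.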
🔗 References
- http://packetstormsecurity.com/files/176574/PixieFail-Proof-Of-Concepts.html
- http://www.openwall.com/lists/oss-security/2024/01/16/2
- https://github.com/tianocore/edk2/security/advisories/GHSA-hc6x-cw6p-gj7h
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SJ42V7O7F4OU6R7QSQQECLB6LDHKZIMQ/
- https://security.netapp.com/advisory/ntap-20240307-0011/
- https://lists.debian.org/debian-lts-announce/2025/06/msg00007.html
- https://www.kb.cert.org/vuls/id/132380