Bug 1218882 (CVE-2023-45232)

Summary: VUL-0: CVE-2023-45232: edk2, ovmf: Infinite loop when parsing unknown options in the Destination Options header
Product: [Novell Products] SUSE Security Incidents
Reporter: SMASH SMASH <smash_bz>
Component: Incidents
Assignee: Joey Lee <jlee>
Status: NEW
QA Contact: Security Team bot <security-team>
Severity: Major
Priority: P3 - Medium
CC: guillaume.gardet, jlee, meissner, stoyan.manolov
Version: unspecified
Flags: stoyan.manolov: needinfo? (jlee)
Target Milestone: ---
Hardware: Other
OS: Other
URL: https://smash.suse.de/issue/391380/
Whiteboard: CVSSv3.1:SUSE:CVE-2023-45232:7.5:(AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description SMASH SMASH 2024-01-17 04:37:19 UTC
EDK2's Network Package is susceptible to an infinite loop vulnerability when parsing unknown options in the Destination Options header of IPv6. This vulnerability can be exploited by an attacker to gain unauthorized access and potentially lead to a loss of Availability.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-45232
https://www.cve.org/CVERecord?id=CVE-2023-45232
https://github.com/tianocore/edk2/security/advisories/GHSA-hc6x-cw6p-gj7h
http://www.openwall.com/lists/oss-security/2024/01/16/2
https://bugzilla.redhat.com/show_bug.cgi?id=2258691
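The parsing defect the report describes, as an added example that is not edk2's code and not taken from the advisory: a minimal C parser for the IPv6 Destination Options header (the TLV option layout of RFC 8200 section 4.2) in two variants. The first models the assumed failure pattern for this bug class, a cursor that advances past an unrecognised option by its data length only, so an unknown option with length zero never moves it; rather than spin, the example detects the stall and reports it. The second variant always consumes the full type, length and data of every option it walks over and bounds-checks each field against the header length. The packet bytes and all function and constant names are constructed for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* The two option types every IPv6 node must recognise (RFC 8200 4.2). */
#define IP6_OPT_PAD1 0x00
#define IP6_OPT_PADN 0x01

/* Result codes shared by both parsers (names are ours). */
enum dopt_result {
    DOPT_DISCARD   = -3,  /* unknown option whose type bits say "discard" */
    DOPT_STALLED   = -2,  /* cursor did not move: real code would loop forever */
    DOPT_MALFORMED = -1,  /* a length field is inconsistent with the buffer */
};

/* Total length of the extension header in octets, or 0 if it does not fit.
 * Hdr Ext Len (byte 1) counts 8-octet units, not including the first 8. */
static size_t dopt_total_len(const uint8_t *hdr, size_t buflen)
{
    if (buflen < 8) return 0;
    size_t total = ((size_t)hdr[1] + 1) * 8;
    return total <= buflen ? total : 0;
}

/* Vulnerable pattern (assumed; modelled on the bug class, not edk2's source).
 * Bounds checks are kept so the only defect is the advance for unknown types:
 * it adds the option's data length but not the 2-octet type/length prefix,
 * so a zero-length unknown option never moves the cursor. We return
 * DOPT_STALLED at that point instead of looping; returns option count otherwise. */
int dopt_parse_vulnerable(const uint8_t *hdr, size_t buflen)
{
    size_t total = dopt_total_len(hdr, buflen);
    if (total == 0) return DOPT_MALFORMED;
    size_t off = 2;           /* skip Next Header and Hdr Ext Len */
    int count = 0;
    while (off < total) {
        size_t prev = off;
        uint8_t type = hdr[off];
        if (type == IP6_OPT_PAD1) {
            off += 1;
        } else {
            if (off + 1 >= total) return DOPT_MALFORMED;
            size_t len = hdr[off + 1];
            if (type == IP6_OPT_PADN)
                off += 2 + len;
            else
                off += len;   /* BUG: forgets the 2-octet TLV prefix */
        }
        if (off == prev) return DOPT_STALLED;
        count++;
    }
    return count;
}

/* Hardened parser: every iteration consumes a whole TLV and checks that the
 * TLV lies inside the header. Unknown options are handled by their two high
 * bits as RFC 8200 4.2 requires: 00 skip, anything else discard the packet. */
int dopt_parse_fixed(const uint8_t *hdr, size_t buflen)
{
    size_t total = dopt_total_len(hdr, buflen);
    if (total == 0) return DOPT_MALFORMED;
    size_t off = 2;
    int count = 0;
    while (off < total) {
        uint8_t type = hdr[off];
        if (type == IP6_OPT_PAD1) { off += 1; count++; continue; }
        if (off + 1 >= total) return DOPT_MALFORMED;      /* no room for length */
        size_t len = hdr[off + 1];
        if (off + 2 + len > total) return DOPT_MALFORMED; /* data overruns header */
        if (type != IP6_OPT_PADN && (type & 0xC0) != 0x00) return DOPT_DISCARD;
        off += 2 + len;   /* always the full TLV, even when len == 0 */
        count++;
    }
    return count;
}

/* Constructed 8-octet Destination Options headers (Next Header 59 = none). */
const uint8_t kSamplePacket[8]    = {59, 0, 0x00, 0x1E, 0x00, 0x01, 0x01, 0x00}; /* Pad1, unknown 0x1E len 0, PadN len 1 */
const uint8_t kBenignPacket[8]    = {59, 0, 0x01, 0x04, 0x00, 0x00, 0x00, 0x00}; /* one PadN of 4 */
const uint8_t kDiscardPacket[8]   = {59, 0, 0x00, 0x80, 0x02, 0xAA, 0xBB, 0x00}; /* unknown type with "discard" bits */
const uint8_t kTruncatedPacket[8] = {59, 0, 0x01, 0x09, 0x00, 0x00, 0x00, 0x00}; /* PadN claims 9 octets, only 4 remain */

int main(void)
{
    printf("vulnerable(sample)  = %d\n", dopt_parse_vulnerable(kSamplePacket, sizeof kSamplePacket));
    printf("fixed(sample)       = %d\n", dopt_parse_fixed(kSamplePacket, sizeof kSamplePacket));
    printf("fixed(discard)      = %d\n", dopt_parse_fixed(kDiscardPacket, sizeof kDiscardPacket));
    printf("fixed(truncated)    = %d\n", dopt_parse_fixed(kTruncatedPacket, sizeof kTruncatedPacket));
    return 0;
}
```

The invariant worth checking in any option walker of this kind is that each iteration moves the cursor by at least one octet regardless of whether the option type is recognised; an unknown type still owns its two prefix octets plus its declared data, and the length must be validated against the header's total size before it is added to the cursor.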