From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mail05.groups.io (mail05.groups.io [45.79.224.7]) by spool.mail.gandi.net (Postfix) with ESMTPS id 71004AC1B6E for ; Wed, 15 May 2024 21:38:56 +0000 (UTC) DKIM-Signature: a=rsa-sha256; bh=vHDVN3B5nDfguCmn+sV/pYX+xuKD7gf68z97x5O9WDg=; c=relaxed/simple; d=groups.io; h=From:To:CC:Subject:Thread-Topic:Thread-Index:Date:Message-ID:References:In-Reply-To:Accept-Language:MIME-Version:Precedence:List-Subscribe:List-Help:Sender:List-Id:Mailing-List:Delivered-To:Resent-Date:Resent-From:Reply-To:List-Unsubscribe-Post:List-Unsubscribe:Content-Language:Content-Type:Content-Transfer-Encoding; s=20240206; t=1715809134; v=1; b=CO+m0+05tc/xceiXeVrzAfP5MRUMZhnuAgowu0Je2hfBPh+z9WQZqkr+Cwwsb6wUuvL8c5vq Rfzr/RCIzn6HqUHAexJhPmXDLkE3j6dablLh1fmEXj7Z2Wz6M9w2+oMNukSgDk7ABMAdfEcEtnc rxvMVsVqzeXUsEIpOxHjIlbo7HVwgXGFYblYUAZeOrLvi8jc2+nXbGhkkR4nD0BUOFZNAI7lGT9 5HWvzohLySZkhU7AOKk/YeuzWM5jX9/1cAktWdTmDuljGXHYNbfitXF79xgtaTfDsuJ+rHChJdW avtdaxGzuam3fY8IDurfakKAPQ+e8gDNCoiBkMxfB0VNg== X-Received: by 127.0.0.2 with SMTP id 6i9vYY7687511xh405Dxk7AM; Wed, 15 May 2024 14:38:54 -0700 X-Received: from mgamail.intel.com (mgamail.intel.com [198.175.65.10]) by mx.groups.io with SMTP id smtpd.web10.6420.1715809133672672539 for ; Wed, 15 May 2024 14:38:53 -0700 X-CSE-ConnectionGUID: mSoRFb/ZRyCPb6bXUEL3fA== X-CSE-MsgGUID: to4KGDFESj2DDW52c0s9BA== X-IronPort-AV: E=McAfee;i="6600,9927,11074"; a="29377125" X-IronPort-AV: E=Sophos;i="6.08,162,1712646000"; d="scan'208";a="29377125" X-Received: from orviesa005.jf.intel.com ([10.64.159.145]) by orvoesa102.jf.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 15 May 2024 14:38:52 -0700 X-CSE-ConnectionGUID: U0GdI/3rT1upUHZo/1GjhA== X-CSE-MsgGUID: GoDGghelQJq356RVB8nPxw== X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="6.08,162,1712646000"; d="scan'208";a="35976006" X-Received: from fmsmsx601.amr.corp.intel.com ([10.18.126.81]) by orviesa005.jf.intel.com with ESMTP/TLS/AES256-GCM-SHA384; 15 May 2024 14:38:53 -0700 X-Received: from fmsmsx610.amr.corp.intel.com (10.18.126.90) by fmsmsx601.amr.corp.intel.com (10.18.126.81) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2507.35; Wed, 15 May 2024 14:38:52 -0700 X-Received: from fmsmsx610.amr.corp.intel.com (10.18.126.90) by fmsmsx610.amr.corp.intel.com (10.18.126.90) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2507.39; Wed, 15 May 2024 14:38:51 -0700 X-Received: from FMSEDG603.ED.cps.intel.com (10.1.192.133) by fmsmsx610.amr.corp.intel.com (10.18.126.90) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2507.39 via Frontend Transport; Wed, 15 May 2024 14:38:51 -0700 X-Received: from NAM12-MW2-obe.outbound.protection.outlook.com (104.47.66.41) by edgegateway.intel.com (192.55.55.68) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.1.2507.35; Wed, 15 May 2024 14:38:51 -0700 X-Received: from SN7PR11MB8281.namprd11.prod.outlook.com (2603:10b6:806:26b::20) by SN7PR11MB7019.namprd11.prod.outlook.com (2603:10b6:806:2ae::22) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.7544.55; Wed, 15 May 2024 21:38:48 +0000 X-Received: from SN7PR11MB8281.namprd11.prod.outlook.com ([fe80::e4c6:587d:ede3:2f85]) by SN7PR11MB8281.namprd11.prod.outlook.com ([fe80::e4c6:587d:ede3:2f85%5]) with mapi id 15.20.7544.052; Wed, 15 May 2024 21:38:48 +0000 From: "Saloni Kasbekar" To: Doug Flick , "devel@edk2.groups.io" CC: "Clark-williams, Zachary" Subject: Re: [edk2-devel] [PATCH v2 09/13] NetworkPkg: TcpDxe: SECURITY PATCH CVE-2023-45236 Thread-Topic: [PATCH v2 09/13] NetworkPkg: TcpDxe: SECURITY PATCH CVE-2023-45236 Thread-Index: AQHaodW9cVJ2BmiUdEecES82Na7Kr7GY276w Date: Wed, 15 May 2024 21:38:48 +0000 Message-ID: References: <20240509055633.828642-1-doug.edk2@gmail.com> <20240509055633.828642-10-doug.edk2@gmail.com> In-Reply-To: <20240509055633.828642-10-doug.edk2@gmail.com> Accept-Language: en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: x-ms-publictraffictype: Email x-ms-traffictypediagnostic: SN7PR11MB8281:EE_|SN7PR11MB7019:EE_ x-ms-office365-filtering-correlation-id: 827f1865-cc77-4b1f-a1f7-08dc752767af x-ms-exchange-senderadcheck: 1 x-ms-exchange-antispam-relay: 0 x-microsoft-antispam-message-info: =?us-ascii?Q?J5kfZVAPxF8E2Fd9rHRlFARwCjX7iml52UwfEJL7IW+FeK59LOmNtai7/W5i?= =?us-ascii?Q?8NBc4PdCMBVhRqVlfKvn4qWTKFaggxdHnOTnq9DbaJ327ULbiIoQpRSnUuUC?= =?us-ascii?Q?Q2MZmHkA1xqlPGIbBP1GiufuM2sbYL8/snxwSKGRkPaCfZSEKikvhQleQcAc?= =?us-ascii?Q?M/p78AyPbFVcwkwCiqAVUaoe5sb8UOGsIcQZIST/RVO+xy5WsH9YNbfsPYhe?= =?us-ascii?Q?8DtyzRsUfiaKajJrgAs2guDQWIYYGHuKqysUQHn8//f9iXqDhj3XI//33xvZ?= =?us-ascii?Q?NNK9D8m5jqquaQ9w6M87cODP/strK3vxXx5Lox0JJ8q6TpiPBY+wr1jvftWD?= =?us-ascii?Q?SAbzyOls0a5ySnOI7/tJsGNPIE1FKqJBPWLQTm6dRtDqXtMmhmc8vvmz2Wt8?= =?us-ascii?Q?OrOmBrKl3xuT12azv0lN5DYIK0VG+WBekIGtya0h8K2iE8SJoZk9UJ2PxOLi?= =?us-ascii?Q?w1zHKoFM8IAguGfgR9UMJG2waudDivP02R/qG+p7i7FrcrIeWjBrJDohd8pC?= =?us-ascii?Q?Oy4ziA9PJNICrlWNhEGshyX7BENuWL0aQ6fhz+wcIzrWIZ50HJdYFGTJ7uZn?= =?us-ascii?Q?aD24gwqKL63wbc1c0D43fkfXXyDlihMcG1LQaxH8Sx9Fbti0eejho2U4fRJD?= =?us-ascii?Q?pZXXpkPpxZOCnX3U07bp5S6xAgVS2RT43UD2se+02hLNRTb/g7na+eEaFLNa?= =?us-ascii?Q?4Ve+GnzvkIlBTVISIwRU9k4EUjlBVj8nQQ2BG1Qsbnvyo8oahNMgLT7OWDXk?= =?us-ascii?Q?8+8h+bfr+bXKcaBuBLuyRzKmCvnTUR6yEpFMrrWYgkIStfw3wpIvlbTz2AjQ?= =?us-ascii?Q?Fwdl3+/pg6vEMiBgNUqPzdFJIA5Mr6HRWIirLVQkhCGrlnENXVAcSRW7/CYg?= =?us-ascii?Q?GQQhS99F1ATBMzQeqAw4uOfqWdHVCtvIFMmAJVMYXsOBMRaBOUf5Djh9CRCi?= =?us-ascii?Q?ootADMrrMLPs9dEwAXa99shlK43kiP0KbbnDlh6j16LBZUZyd3DpsVdKHY2G?= =?us-ascii?Q?1CllNvCv++GM7NrDgUzFqKDWxMMB1TdxfxgdaP0+/dCVmcK2qPv5hgufLJPz?= =?us-ascii?Q?s3GyjgvY//HhyCWqgDiboYqbWOmg8r2nWvBO/bUARZjzFGyoSjJoE18BLcaT?= =?us-ascii?Q?pnMXTOAW71pRmOL56yFPgNc7VqujrdqkOYNWP/+ySyNxWNGBbLw+oKpMezuY?= =?us-ascii?Q?h8aqZ7d7dR/2flpU+T6v7FWJ3oX9taHwoclLTvFKHgpuyLWivyCzMZyxcBHq?= =?us-ascii?Q?1H+qq9UvFOTLohLHjwsTBxOVBoW1thuIuWCzy8T0NIyakGRFJs/Zi1oR7pn3?= =?us-ascii?Q?KLE=3D?= x-ms-exchange-antispam-messagedata-chunkcount: 1 x-ms-exchange-antispam-messagedata-0: =?us-ascii?Q?zmHWNP1FJ4VM+cP3W+rv7ubM0Es5L53bQJCGSj2z0EGl0KU0hWql87OeZiiJ?= =?us-ascii?Q?IqyZujjF/xvU82KWhPr2xaBhv47lSemp7W/D5P66Xz/FgLJy+dpMQYCeByNO?= =?us-ascii?Q?TIS5S/SeLPbURd7SVcXa0uNfs/pmEytKI+KIQDb3UHcgWa8zbeMheC4CzRs1?= =?us-ascii?Q?XUxb5yHlnkTKOMXtfjB9jLuFLCwETfrFcM2gwm6QzBXYHNtx30YKy2BrJmYI?= =?us-ascii?Q?93Srf1ySogEOsyOGzLdd4RauRskfdasIgXHvGm0YwDiFKg7cTM9QdnAooYEx?= =?us-ascii?Q?aaVeVu2VE/HVgKPRbbsvnj/8XAj8Ue25mFHqv2jjdScwkFd4XYsOno99eoVI?= =?us-ascii?Q?Ue+KREUGN2srzMN4CsquVnASGRob8P6hAXHnJmeczyFgL3nReTZrsgUV8dkN?= =?us-ascii?Q?9XLmOnLcZYt7j+xQbzA9EIVoSvQXgWpVPHRKsbvlei37DJ0/qGPFuSlqcYzp?= =?us-ascii?Q?zZmiGdZxpSJXPXWsF6ghOHKlsDcfD8gZBzTxVIwAizubqtxB9Y2Y4yqeJf22?= =?us-ascii?Q?qTYOMVAAFKc2FKqbniwVCiMlEXl9uXg5e5heYlGjQ2nupwCWBuqxIKeOpuIA?= =?us-ascii?Q?BpWiZcuSa7pbGT0eNgAYV66xiZRqHvMTyoI5frXYmz7r7sCnhN9cvqSyUKR1?= =?us-ascii?Q?ktDbxGMAaiuxD4xH2kl6rIPYtATV8/94FV/FxE1Un0ttOIL/yJ6pFghSxetr?= =?us-ascii?Q?JfSyAihLTTIql3ZgTbGUVSgsPR1BpsF6l62ONrmZx4cBCDqyKBZx2oMx2zGP?= =?us-ascii?Q?KfFYIfSJHwzLexwu4hGxSJI/ay+l3Qny9fOyx73q+EuG6jEb3+iRet6EDdvp?= =?us-ascii?Q?nGNQmlk1DGJkmknHpIRa0BtJOcRCXMjcHbwXrFBJYMeHDz1oeKmyvpMhbwND?= =?us-ascii?Q?vM+Kto+Z5Yj6DQh2eBI5WTIEH61qx/WoTrwTDddkANDv0ISXoaSUtTBmIahw?= =?us-ascii?Q?vyvwBTPicJ1QhWQjIicIJjSIA1WuesYnGG6BmZfFW4Z7z1QmMrJuD3tTMzWy?= =?us-ascii?Q?8yz7cogUCzyZTT7EOltNZ3oDPpUuRPXELIK95vVcR9n5auGu2umtp1EFSBIp?= =?us-ascii?Q?S1mu/92vreTLAN8mHJxCcZ0o4hfgevKKoh2zhOzLQNC5+U+3+V+VlJSyLiGU?= =?us-ascii?Q?yvSTueh9Y56I+9tk3vIDsdobebk/sxTuArAlEWwBN5Xf9ihFEYZY1AscDFsw?= =?us-ascii?Q?abWuroJHQO9P9VdEQCPl2964ph/13W1SVmPr4zTSno+mSn2Hyy1jd5yZGTKx?= =?us-ascii?Q?0IAF2eCe/6lipMWf2KB0bWXFkyGmCKaqHuIrCpMfwxqE/MrwYOFljN6FfA/a?= =?us-ascii?Q?LENO0/Km8VoCBhoiVh/t2cRurI6ukkv5Z1tt/sR93jWa4E/fKr8WQMjkSlL4?= =?us-ascii?Q?ghLCZPOncokGcWS9qkwe52bRXr9LO9/zPB1sDASlIpOfyZD8iICMo1ADyk9m?= =?us-ascii?Q?TL++ypUikrRqMwunyS/TpvaJam4ATLal7NuIMu1lQTFMp4/7iPfv02KU66q9?= =?us-ascii?Q?527GMsA+Z3Vl7N444p9Mr+NDa+ZM3Sdc58zwkaeuIApK8SBFlnW18DikK0/+?= =?us-ascii?Q?DZ5X9D+qWrttVc2PwnP6+pk8IbPwVGUGZonzB6nU?= MIME-Version: 1.0 X-MS-Exchange-CrossTenant-AuthAs: Internal X-MS-Exchange-CrossTenant-AuthSource: SN7PR11MB8281.namprd11.prod.outlook.com X-MS-Exchange-CrossTenant-Network-Message-Id: 827f1865-cc77-4b1f-a1f7-08dc752767af X-MS-Exchange-CrossTenant-originalarrivaltime: 15 May 2024 21:38:48.2930 (UTC) X-MS-Exchange-CrossTenant-fromentityheader: Hosted X-MS-Exchange-CrossTenant-id: 46c98d88-e344-4ed4-8496-4ed7712e255d X-MS-Exchange-CrossTenant-mailboxtype: HOSTED X-MS-Exchange-CrossTenant-userprincipalname: ZmK5cKWkAZEaM7kq/CSCQhv13+xysyTKozWMclQ4qA6TnOkGZ12JMRMrpcYxr5CiiOMmEZwHSNIsa5eh/yB04QKnX8yWoUjrsZ8A2hQUyXg= X-MS-Exchange-Transport-CrossTenantHeadersStamped: SN7PR11MB7019 X-OriginatorOrg: intel.com Precedence: Bulk List-Subscribe: List-Help: Sender: devel@edk2.groups.io List-Id: Mailing-List: list devel@edk2.groups.io; contact devel+owner@edk2.groups.io Resent-Date: Wed, 15 May 2024 14:38:53 -0700 Resent-From: saloni.kasbekar@intel.com Reply-To: devel@edk2.groups.io,saloni.kasbekar@intel.com List-Unsubscribe-Post: List-Unsubscribe=One-Click List-Unsubscribe: X-Gm-Message-State: ciCpmGPsQLMipB9AwZZmBj07x7686176AA= Content-Language: en-US Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: quoted-printable X-GND-Status: LEGIT Authentication-Results: spool.mail.gandi.net; dkim=pass header.d=groups.io header.s=20240206 header.b=CO+m0+05; dmarc=fail reason="SPF not aligned (relaxed), DKIM not aligned (relaxed)" header.from=intel.com (policy=none); spf=pass (spool.mail.gandi.net: domain of bounce@groups.io designates 45.79.224.7 as permitted sender) smtp.mailfrom=bounce@groups.io Doug, I see you have used Hash2Protocol here, instead of HashLib. Is there an adv= antage of using Hash2Protocol over HashLib? Thanks, Saloni -----Original Message----- From: Doug Flick =20 Sent: Wednesday, May 8, 2024 10:56 PM To: devel@edk2.groups.io Cc: Kasbekar, Saloni ; Clark-williams, Zachary <= zachary.clark-williams@intel.com> Subject: [PATCH v2 09/13] NetworkPkg: TcpDxe: SECURITY PATCH CVE-2023-45236 From: Doug Flick REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3D4541 REF: https://www.rfc-editor.org/rfc/rfc1948.txt REF: https://www.rfc-editor.org/rfc/rfc6528.txt REF: https://www.rfc-editor.org/rfc/rfc9293.txt Bug Overview: PixieFail Bug #8 CVE-2023-45236 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N CWE-200 Exposure of Sensitive Information to an Unauthorized Actor Updates TCP ISN generation to use a cryptographic hash of the connection's = identifying parameters and a secret key. This prevents an attacker from guessing the ISN used for some other connect= ion. This is follows the guidance in RFC 1948, RFC 6528, and RFC 9293. RFC: 9293 Section 3.4.1. Initial Sequence Number Selection A TCP implementation MUST use the above type of "clock" for clock- driven selection of initial sequence numbers (MUST-8), and SHOULD generate its initial sequence numbers with the expression: ISN =3D M + F(localip, localport, remoteip, remoteport, secretkey) where M is the 4 microsecond timer, and F() is a pseudorandom function (PRF) of the connection's identifying parameters ("localip, localport, remoteip, remoteport") and a secret key ("secretkey") (SHLD-1). F() MUST NOT be computable from the outside (MUST-9), or an attacker could still guess at sequence numbers from the ISN used for some other connection. The PRF could be implemented as a cryptographic hash of the concatenation of the TCP connection parameters and some secret data. For discussion of the selection of a specific hash algorithm and management of the secret key data, please see Section 3 of [42]. For each connection there is a send sequence number and a receive sequence number. The initial send sequence number (ISS) is chosen by the data sending TCP peer, and the initial receive sequence number (IRS) is learned during the connection-establishing procedure. For a connection to be established or initialized, the two TCP peers must synchronize on each other's initial sequence numbers. This is done in an exchange of connection-establishing segments carrying a control bit called "SYN" (for synchronize) and the initial sequence numbers. As a shorthand, segments carrying the SYN bit are also called "SYNs". Hence, the solution requires a suitable mechanism for picking an initial sequence number and a slightly involved handshake to exchange the ISNs. Cc: Saloni Kasbekar Cc: Zachary Clark-williams Signed-off-by: Doug Flick [MSFT] --- NetworkPkg/TcpDxe/TcpDxe.inf | 8 +- NetworkPkg/TcpDxe/TcpFunc.h | 23 +- NetworkPkg/TcpDxe/TcpMain.h | 59 ++++- NetworkPkg/TcpDxe/TcpDriver.c | 92 +++++++- NetworkPkg/TcpDxe/TcpInput.c= | 13 +- NetworkPkg/TcpDxe/TcpMisc.c | 242 ++++++++++++++++++-- NetworkPkg/TcpDxe/TcpTimer.c | 3 +- NetworkPkg/SecurityFixes.yaml | 22 ++ 8 files changed, 414 insertions(+), 48 deletions(-) diff --git a/NetworkPkg/TcpDxe/TcpDxe.inf b/NetworkPkg/TcpDxe/TcpDxe.inf in= dex cf5423f4c537..76de4cf9ec3d 100644 --- a/NetworkPkg/TcpDxe/TcpDxe.inf +++ b/NetworkPkg/TcpDxe/TcpDxe.inf @@ -6,6 +6,7 @@ # stack has been loaded in system. This driver supports both IPv4 and IPv= 6 network stack. # # Copyright (c) 2009 - 2018, Intel Corporation. All rig= hts reserved.
+# Copyright (c) Microsoft Corporation # # SPDX-License-= Identifier: BSD-2-Clause-Patent #@@ -68,7 +69,6 @@ [LibraryClasses] NetLib IpIoLib - [Protocols] ## SOMETIMES_CONSUMES ## SOMETIMES_PR= ODUCES@@ -81,6 +81,12 @@ [Protocols] gEfiIp6ServiceBindingProtocolGuid ## TO_START gEfiTcp6Prot= ocolGuid ## BY_START gEfiTcp6ServiceBindingProto= colGuid ## BY_START+ gEfiHash2ProtocolGuid = ## BY_START+ gEfiHash2ServiceBindingProtocolGuid ## BY_START= ++[Guids]+ gEfiHashAlgorithmMD5Guid ## CONSUMES+ gEf= iHashAlgorithmSha256Guid ## CONSUMES [Depex] gEfiHash2= ServiceBindingProtocolGuiddiff --git a/NetworkPkg/TcpDxe/TcpFunc.h b/Networ= kPkg/TcpDxe/TcpFunc.h index a7af01fff246..c707bee3e548 100644 --- a/NetworkPkg/TcpDxe/TcpFunc.h +++ b/NetworkPkg/TcpDxe/TcpFunc.h @@ -2,7 +2,7 @@ Declaration of external functions shared in TCP driver. Copyright (c)= 2009 - 2014, Intel Corporation. All rights reserved.
-+ Copyright (c) = Microsoft Corporation SPDX-License-Identifier: BSD-2-Clause-Patent **/@@= -36,8 +36,11 @@ VOID @param[in, out] Tcb Pointer to the TCP_CB of this TCP in= stance. + @retval EFI_SUCCESS The operation completed successf= ully+ @retval others The underlying functions failed and = could not complete the operation+ **/-VOID+EFI_STATUS TcpInitTcbLocal ( I= N OUT TCP_CB *Tcb );@@ -128,17 +131,6 @@ TcpCloneTcb ( IN TCP_CB *Tcb ); -/**- Compute an ISS to be used by a new connectio= n.-- @return The result ISS.--**/-TCP_SEQNO-TcpGetIss (- VOID- );- /** = Get the local mss. @@ -202,8 +194,11 @@ TcpFormatNetbuf ( @param[in, out] Tcb Pointer to the TCP_CB that wants to initia= te a connection. + @retval EFI_SUCCESS = The operation completed successfully+ @retval others = The underlying functions failed and could not complete the operation+ = **/-VOID+EFI_STATUS TcpOnAppConnect ( IN OUT TCP_CB *Tcb );diff --git = a/NetworkPkg/TcpDxe/TcpMain.h b/NetworkPkg/TcpDxe/TcpMain.h index c0c9b7f46ebe..4d5566ab9379 100644 --- a/NetworkPkg/TcpDxe/TcpMain.h +++ b/NetworkPkg/TcpDxe/TcpMain.h @@ -3,7 +3,7 @@ It is the common head file for all Tcp*.c in TCP driver. Copyright (c= ) 2009 - 2016, Intel Corporation. All rights reserved.
-+ Copyright (c)= Microsoft Corporation SPDX-License-Identifier: BSD-2-Clause-Patent **/@= @ -13,6 +13,7 @@ #include #include += #include #include #include #include @@ -31,7 +32,7 @@ extern EFI_= UNICODE_STRING_TABLE *gTcpControllerNameTable; extern LIST_ENTRY mTcpRunQue; extern LIST_ENTRY mTcpListenQue;-extern T= CP_SEQNO mTcpGlobalIss;+extern TCP_SEQNO mTcpGlobalSecret; extern UINT3= 2 mTcpTick; ///@@ -45,14 +46,6 @@ extern UINT32 mTcpTick; #define TCP_EXPIRE_TIME 65535 -///-/// The implementation selects the in= itial send sequence number and the unit to-/// be added when it is increase= d.-///-#define TCP_BASE_ISS 0x4d7e980b-#define TCP_ISS_INCREMENT_1 = 2048-#define TCP_ISS_INCREMENT_2 100- typedef union { EFI_TCP4_CONFIG_D= ATA Tcp4CfgData; EFI_TCP6_CONFIG_DATA Tcp6CfgData;@@ -774,4 +767,50= @@ Tcp6Poll ( IN EFI_TCP6_PROTOCOL *This ); +/**+ Retrieves the Initial Sequence N= umber (ISN) for a TCP connection identified by local+ and remote IP addres= ses and ports.++ This method is based on https://datatracker.ietf.org/doc/= html/rfc9293#section-3.4.1+ Where the ISN is computed as follows:+ ISN = =3D TimeStamp + MD5(LocalIP, LocalPort, RemoteIP, RemotePort, Secret)++ Ot= herwise:+ ISN =3D M + F(localip, localport, remoteip, remoteport, secret= key)++ "Here M is the 4 microsecond timer, and F() is a pseudorandom fun= ction (PRF) of the+ connection's identifying parameters ("localip, local= port, remoteip, remoteport")+ and a secret key ("secretkey") (SHLD-1). F= () MUST NOT be computable from the+ outside (MUST-9), or an attacker cou= ld still guess at sequence numbers from the+ ISN used for some other con= nection. The PRF could be implemented as a+ cryptographic hash of the co= ncatenation of the TCP connection parameters and some+ secret data. For = discussion of the selection of a specific hash algorithm and+ management= of the secret key data."++ @param[in] LocalIp A pointer to t= he local IP address of the TCP connection.+ @param[in] LocalIpSize = The size, in bytes, of the LocalIp buffer.+ @param[in] LocalPort = The local port number of the TCP connection.+ @param[in] RemoteI= p A pointer to the remote IP address of the TCP connection.+ @param[= in] RemoteIpSize The size, in bytes, of the RemoteIp buffer.+ @par= am[in] RemotePort The remote port number of the TCP connection.+ = @param[out] Isn A pointer to the variable that will receiv= e the Initial+ Sequence Number (ISN).++ @= retval EFI_SUCCESS The operation completed successfully, and th= e ISN was+ retrieved.+ @retval EFI_INVALI= D_PARAMETER One or more of the input parameters are invalid.+ @retval EF= I_UNSUPPORTED The operation is not supported.++**/+EFI_STATUS+TcpGe= tIsn (+ IN UINT8 *LocalIp,+ IN UINTN LocalIpSize,+ IN UINT16= LocalPort,+ IN UINT8 *RemoteIp,+ IN UINTN RemoteIpSize,= + IN UINT16 RemotePort,+ OUT TCP_SEQNO *Isn+ );+ #endifdiff --git = a/NetworkPkg/TcpDxe/TcpDriver.c b/NetworkPkg/TcpDxe/TcpDriver.c index 8fe6badd687c..40bba4080c87 100644 --- a/NetworkPkg/TcpDxe/TcpDriver.c +++ b/NetworkPkg/TcpDxe/TcpDriver.c @@ -83,6 +83,12 @@ EFI_SERVICE_BINDING_PROTOCOL gTcpServiceBinding =3D { TcpServiceBindingDestroyChild }; +//+// This is the handle for the Hash2= ServiceBinding Protocol instance this driver produces+// if the platform do= es not provide one.+//+EFI_HANDLE mHash2ServiceHandle =3D NULL;+ /** Cre= ate and start the heartbeat timer for the TCP driver. @@ -165,6 +171,23 @@ = TcpDriverEntryPoint ( EFI_STATUS Status; UINT32 Random; + //+ // Initialize the Secr= et used for hashing TCP sequence numbers+ //+ // Normally this should be = regenerated periodically, but since+ // this is only used for UEFI network= ing and not a general purpose+ // operating system, it is not necessary to= regenerate it.+ //+ Status =3D PseudoRandomU32 (&mTcpGlobalSecret);+ if= (EFI_ERROR (Status)) {+ DEBUG ((DEBUG_ERROR, "%a failed to generate ran= dom number: %r\n", __func__, Status));+ return Status;+ }++ //+ // Ge= t a random number used to generate a random port number+ // Intentionally = not linking this to mTcpGlobalSecret to avoid leaking information about the= secret+ // Status =3D PseudoRandomU32 (&Random); if (EFI_ERROR (Statu= s)) { DEBUG ((DEBUG_ERROR, "%a Failed to generate random number: %r\n",= __func__, Status));@@ -207,9 +230,8 @@ TcpDriverEntryPoint ( } //- // Initialize ISS and random port.+ // Initialize the random = port. //- mTcpGlobalIss =3D Random % mTcpGlobalIss; mTcp4RandomPort = =3D (UINT16)(TCP_PORT_KNOWN + (Random % TCP_PORT_KNOWN)); mTcp6RandomPort= =3D mTcp4RandomPort; @@ -224,6 +246,8 @@ TcpDriverEntryPoint ( @param[in] IpVersion IP_VERSION_4 or IP_VERSION_6. @retval = EFI_OUT_OF_RESOURCES Failed to allocate some resources.+ @retval EFI_UNS= UPPORTED Service Binding Protocols are unavailable.+ @retval EFI_AL= READY_STARTED The TCP driver is already started on the controller. @re= tval EFI_SUCCESS A new IP6 service binding private was created. = **/@@ -234,11 +258,13 @@ TcpCreateService ( IN UINT8 IpVersion ) {- EFI_STATUS Status;- EFI_GUID = *IpServiceBindingGuid;- EFI_GUID *TcpServiceBindingGuid;- = TCP_SERVICE_DATA *TcpServiceData;- IP_IO_OPEN_DATA OpenData;+ EFI_STA= TUS Status;+ EFI_GUID *IpServiceBi= ndingGuid;+ EFI_GUID *TcpServiceBindingGuid;+ TCP_SE= RVICE_DATA *TcpServiceData;+ IP_IO_OPEN_DATA Op= enData;+ EFI_SERVICE_BINDING_PROTOCOL *Hash2ServiceBinding;+ EFI_HASH2_P= ROTOCOL *Hash2Protocol; if (IpVersion =3D=3D IP_VERSION_4) { = IpServiceBindingGuid =3D &gEfiIp4ServiceBindingProtocolGuid;@@ -272,6 = +298,33 @@ TcpCreateService ( return EFI_UNSUPPORTED; } + Status =3D gBS->LocateProtocol (&gEfiHa= sh2ProtocolGuid, NULL, (VOID **)&Hash2Protocol);+ if (EFI_ERROR (Status)) = {+ //+ // If we can't find the Hashing protocol, then we need to crea= te one.+ //++ //+ // Platform is expected to publish the hash serv= ice binding protocol to support TCP.+ //+ Status =3D gBS->LocateProto= col (+ &gEfiHash2ServiceBindingProtocolGuid,+ = NULL,+ (VOID **)&Hash2ServiceBinding+ = );+ if (EFI_ERROR (Status) || (Hash2ServiceBinding =3D=3D NULL= ) || (Hash2ServiceBinding->CreateChild =3D=3D NULL)) {+ return EFI_UNS= UPPORTED;+ }++ //+ // Create an instance of the hash protocol for = this controller.+ //+ Status =3D Hash2ServiceBinding->CreateChild (Ha= sh2ServiceBinding, &mHash2ServiceHandle);+ if (EFI_ERROR (Status)) {+ = return EFI_UNSUPPORTED;+ }+ }+ // // Create the TCP service data= . //@@ -423,6 +476,7 @@ TcpDestroyService ( EFI_STATUS Status; LIST_ENTRY = *List; TCP_DESTROY_CHILD_IN_HANDLE_BUF_CONTEXT Conte= xt;+ EFI_SERVICE_BINDING_PROTOCOL *Hash2ServiceBinding; ASS= ERT ((IpVersion =3D=3D IP_VERSION_4) || (IpVersion =3D=3D IP_VERSION_6)); @= @ -439,6 +493,30 @@ TcpDestroyService ( return EFI_SUCCESS; } + //+ // Destroy the Hash2ServiceBinding ins= tance if it is created by Tcp driver.+ //+ if (mHash2ServiceHandle !=3D N= ULL) {+ Status =3D gBS->LocateProtocol (+ &gEfiHash2S= erviceBindingProtocolGuid,+ NULL,+ (V= OID **)&Hash2ServiceBinding+ );+ if (EFI_ERROR (Statu= s) || (Hash2ServiceBinding =3D=3D NULL) || (Hash2ServiceBinding->DestroyChi= ld =3D=3D NULL)) {+ return EFI_UNSUPPORTED;+ }++ //+ // Destr= oy the instance of the hashing protocol for this controller.+ //+ Sta= tus =3D Hash2ServiceBinding->DestroyChild (Hash2ServiceBinding, &mHash2Serv= iceHandle);+ if (EFI_ERROR (Status)) {+ return EFI_UNSUPPORTED;+ = }++ mHash2ServiceHandle =3D NULL;+ }+ Status =3D gBS->OpenProtocol (= NicHandle, ServiceBindingGuid,diff --g= it a/NetworkPkg/TcpDxe/TcpInput.c b/NetworkPkg/TcpDxe/TcpInput.c index 97633a3908be..a5d575ccafeb 100644 --- a/NetworkPkg/TcpDxe/TcpInput.c +++ b/NetworkPkg/TcpDxe/TcpInput.c @@ -724,6 +724,7 @@ TcpInput ( TCP_SEQNO Urg; UINT16 Checksum; INT32 Usable;+ EFI_STA= TUS Status; ASSERT ((Version =3D=3D IP_VERSION_4) || (Version =3D=3D IP= _VERSION_6)); @@ -872,7 +873,17 @@ TcpInput ( Tcb->LocalEnd.Port =3D Head->DstPort; Tcb->RemoteEnd.Port =3D= Head->SrcPort; - TcpInitTcbLocal (Tcb);+ Status =3D TcpInitTcbLo= cal (Tcb);+ if (EFI_ERROR (Status)) {+ DEBUG (+ (DEBUG= _ERROR,+ "TcpInput: discard a segment because failed to init loca= l end for TCB %p\n",+ Tcb)+ );++ goto DISCARD;+ = }+ TcpInitTcbPeer (Tcb, Seg, &Option); TcpSetState (Tcb, T= CP_SYN_RCVD);diff --git a/NetworkPkg/TcpDxe/TcpMisc.c b/NetworkPkg/TcpDxe/T= cpMisc.c index c93212d47ded..3310306f639c 100644 --- a/NetworkPkg/TcpDxe/TcpMisc.c +++ b/NetworkPkg/TcpDxe/TcpMisc.c @@ -3,7 +3,7 @@ (C) Copyright 2014 Hewlett-Packard Development Company, L.P.
Copy= right (c) 2009 - 2017, Intel Corporation. All rights reserved.
-+ Copyr= ight (c) Microsoft Corporation SPDX-License-Identifier: BSD-2-Clause-Pate= nt **/@@ -20,7 +20,34 @@ LIST_ENTRY mTcpListenQue =3D { &mTcpListenQue }; -TCP_SEQNO mTcpGlobalIss =3D TCP_BASE_ISS;+//+// The = Session secret+// This must be initialized to a random value at boot time+/= /+TCP_SEQNO mTcpGlobalSecret;++//+// Union to hold either an IPv4 or IPv6 = address+// This is used to simplify the ISN hash computation+//+typedef uni= on {+ UINT8 IPv4[4];+ UINT8 IPv6[16];+} NETWORK_ADDRESS;++//+// The= ISN is computed by hashing this structure+// It is initialized with the lo= cal and remote IP addresses and ports+// and the secret+//+//+typedef struc= t {+ UINT16 LocalPort;+ UINT16 RemotePort;+ NETW= ORK_ADDRESS LocalAddress;+ NETWORK_ADDRESS RemoteAddress;+ TCP_SEQN= O Secret;+} ISN_HASH_CTX; CHAR16 *mTcpStateName[] =3D { L"TCP_= CLOSED",@@ -41,12 +68,18 @@ CHAR16 *mTcpStateName[] =3D { @param[in, out] Tcb Pointer to the TCP_CB of this TCP in= stance. + @retval EFI_SUCCESS The operation completed successf= ully+ @retval others The underlying functions failed and = could not complete the operation+ **/-VOID+EFI_STATUS TcpInitTcbLocal ( I= N OUT TCP_CB *Tcb ) {+ TCP_SEQNO Isn;+ EFI_STATUS Status;+ // /= / Compute the checksum of the fixed parts of pseudo header //@@ -57,6 +90= ,16 @@ TcpInitTcbLocal ( 0x06, 0 );+= + Status =3D TcpGetIsn (+ Tcb->LocalEnd.Ip.v4.Addr,+ = sizeof (IPv4_ADDRESS),+ Tcb->LocalEnd.Port,+ = Tcb->RemoteEnd.Ip.v4.Addr,+ sizeof (IPv4_ADDRESS),+ = Tcb->RemoteEnd.Port,+ &Isn+ ); } = else { Tcb->HeadSum =3D NetIp6PseudoHeadChecksum ( = &Tcb->LocalEnd.Ip.v6,@@ -64,9 +107,25 @@ TcpInitTcbLocal ( 0x06, 0 );+= + Status =3D TcpGetIsn (+ Tcb->LocalEnd.Ip.v6.Addr,+ = sizeof (IPv6_ADDRESS),+ Tcb->LocalEnd.Port,+ = Tcb->RemoteEnd.Ip.v6.Addr,+ sizeof (IPv6_ADDRESS),+ = Tcb->RemoteEnd.Port,+ &Isn+ );+ }+= + if (EFI_ERROR (Status)) {+ DEBUG ((DEBUG_ERROR, "TcpInitTcbLocal: fai= led to get isn\n"));+ ASSERT (FALSE);+ return Status; } - Tcb->Iss= =3D TcpGetIss ();+ Tcb->Iss =3D Isn; Tcb->SndUna =3D Tcb->Iss; = Tcb->SndNxt =3D Tcb->Iss; @@ -82,6 +141,8 @@ TcpInitTcbLocal ( Tcb->RetxmitSeqMax =3D 0; Tcb->ProbeTimerOn =3D FALSE;++ return EFI_= SUCCESS; } /**@@ -506,18 +567,162 @@ TcpCloneTcb ( } /**- Compute an ISS to be used by a new connection.+ Retrieves the In= itial Sequence Number (ISN) for a TCP connection identified by local+ and = remote IP addresses and ports. - @return The resulting ISS.+ This method = is based on https://datatracker.ietf.org/doc/html/rfc9293#section-3.4.1+ W= here the ISN is computed as follows:+ ISN =3D TimeStamp + MD5(LocalIP, L= ocalPort, RemoteIP, RemotePort, Secret)++ Otherwise:+ ISN =3D M + F(loc= alip, localport, remoteip, remoteport, secretkey)++ "Here M is the 4 mic= rosecond timer, and F() is a pseudorandom function (PRF) of the+ connect= ion's identifying parameters ("localip, localport, remoteip, remoteport")+ = and a secret key ("secretkey") (SHLD-1). F() MUST NOT be computable from= the+ outside (MUST-9), or an attacker could still guess at sequence num= bers from the+ ISN used for some other connection. The PRF could be impl= emented as a+ cryptographic hash of the concatenation of the TCP connect= ion parameters and some+ secret data. For discussion of the selection of= a specific hash algorithm and+ management of the secret key data."++ @= param[in] LocalIp A pointer to the local IP address of the TCP= connection.+ @param[in] LocalIpSize The size, in bytes, of the L= ocalIp buffer.+ @param[in] LocalPort The local port number of t= he TCP connection.+ @param[in] RemoteIp A pointer to the remot= e IP address of the TCP connection.+ @param[in] RemoteIpSize The s= ize, in bytes, of the RemoteIp buffer.+ @param[in] RemotePort Th= e remote port number of the TCP connection.+ @param[out] Isn = A pointer to the variable that will receive the Initial+ = Sequence Number (ISN).++ @retval EFI_SUCCESS = The operation completed successfully, and the ISN was+ = retrieved.+ @retval EFI_INVALID_PARAMETER One or more of t= he input parameters are invalid.+ @retval EFI_UNSUPPORTED The oper= ation is not supported. **/-TCP_SEQNO-TcpGetIss (- VOID+EFI_STATUS+TcpGet= Isn (+ IN UINT8 *LocalIp,+ IN UINTN LocalIpSize,+ IN UINT16 = LocalPort,+ IN UINT8 *RemoteIp,+ IN UINTN RemoteIpSize,+= IN UINT16 RemotePort,+ OUT TCP_SEQNO *Isn ) {- mTcpGlobalIss += =3D TCP_ISS_INCREMENT_1;- return mTcpGlobalIss;+ EFI_STATUS Stat= us;+ EFI_HASH2_PROTOCOL *Hash2Protocol;+ EFI_HASH2_OUTPUT HashResult;= + ISN_HASH_CTX IsnHashCtx;+ EFI_TIME TimeStamp;++ //+ = // Check that the ISN pointer is valid+ //+ if (Isn =3D=3D NULL) {+ r= eturn EFI_INVALID_PARAMETER;+ }++ //+ // The local ip may be a v4 or v6 = address and may not be NULL+ //+ if ((LocalIp =3D=3D NULL) || (LocalIpSiz= e =3D=3D 0) || (RemoteIp =3D=3D NULL) || (RemoteIpSize =3D=3D 0)) {+ ret= urn EFI_INVALID_PARAMETER;+ }++ //+ // the local ip may be a v4 or v6 ad= dress+ //+ if ((LocalIpSize !=3D sizeof (EFI_IPv4_ADDRESS)) && (LocalIpSi= ze !=3D sizeof (EFI_IPv6_ADDRESS))) {+ return EFI_INVALID_PARAMETER;+ }= ++ //+ // Locate the Hash Protocol+ //+ Status =3D gBS->LocateProtocol = (&gEfiHash2ProtocolGuid, NULL, (VOID **)&Hash2Protocol);+ if (EFI_ERROR (S= tatus)) {+ DEBUG ((DEBUG_NET, "Failed to locate Hash Protocol: %r\n", St= atus));++ //+ // TcpCreateService(..) is expected to be called prior = to this function+ //+ ASSERT_EFI_ERROR (Status);+ return Status;+ = }++ //+ // Initialize the hash algorithm+ //+ Status =3D Hash2Protocol= ->HashInit (Hash2Protocol, &gEfiHashAlgorithmSha256Guid);+ if (EFI_ERROR (= Status)) {+ DEBUG ((DEBUG_NET, "Failed to initialize sha256 hash algorit= hm: %r\n", Status));+ return Status;+ }++ IsnHashCtx.LocalPort =3D Lo= calPort;+ IsnHashCtx.RemotePort =3D RemotePort;+ IsnHashCtx.Secret = =3D mTcpGlobalSecret;++ //+ // Check the IP address family and copy accor= dingly+ //+ if (LocalIpSize =3D=3D sizeof (EFI_IPv4_ADDRESS)) {+ CopyM= em (&IsnHashCtx.LocalAddress.IPv4, LocalIp, LocalIpSize);+ } else if (Loca= lIpSize =3D=3D sizeof (EFI_IPv6_ADDRESS)) {+ CopyMem (&IsnHashCtx.LocalA= ddress.IPv6, LocalIp, LocalIpSize);+ } else {+ return EFI_INVALID_PARAM= ETER; // Unsupported address size+ }++ //+ // Repeat the process for the= remote IP address+ //+ if (RemoteIpSize =3D=3D sizeof (EFI_IPv4_ADDRESS)= ) {+ CopyMem (&IsnHashCtx.RemoteAddress.IPv4, RemoteIp, RemoteIpSize);+ = } else if (RemoteIpSize =3D=3D sizeof (EFI_IPv6_ADDRESS)) {+ CopyMem (&= IsnHashCtx.RemoteAddress.IPv6, RemoteIp, RemoteIpSize);+ } else {+ retu= rn EFI_INVALID_PARAMETER; // Unsupported address size+ }++ //+ // Comput= e the hash+ // Update the hash with the data+ //+ Status =3D Hash2Protoc= ol->HashUpdate (Hash2Protocol, (UINT8 *)&IsnHashCtx, sizeof (IsnHashCtx));+= if (EFI_ERROR (Status)) {+ DEBUG ((DEBUG_NET, "Failed to update hash: = %r\n", Status));+ return Status;+ }++ //+ // Finalize the hash and re= trieve the result+ //+ Status =3D Hash2Protocol->HashFinal (Hash2Protocol= , &HashResult);+ if (EFI_ERROR (Status)) {+ DEBUG ((DEBUG_NET, "Failed = to finalize hash: %r\n", Status));+ return Status;+ }++ Status =3D gRT= ->GetTime (&TimeStamp, NULL);+ if (EFI_ERROR (Status)) {+ return Status= ;+ }++ //+ // copy the first 4 bytes of the hash result into the ISN+ /= /+ CopyMem (Isn, HashResult.Md5Hash, sizeof (*Isn));++ //+ // now add th= e timestamp to the ISN as 4 microseconds units (1000 / 4 =3D 250)+ //+ *I= sn +=3D (TCP_SEQNO)TimeStamp.Nanosecond * 250;++ return Status; } /**@@ -= 721,17 +926,28 @@ TcpFormatNetbuf ( @param[in, out] Tcb Pointer to the TCP_CB that wants to initia= te a connection. + @retval EFI_SUCCESS = The operation completed successfully+ @retval others = The underlying functions failed and could not complete the operation+ = **/-VOID+EFI_STATUS TcpOnAppConnect ( IN OUT TCP_CB *Tcb ) {- TcpInit= TcbLocal (Tcb);+ EFI_STATUS Status;++ Status =3D TcpInitTcbLocal (Tcb);+= if (EFI_ERROR (Status)) {+ return Status;+ }+ TcpSetState (Tcb, TCP= _SYN_SENT); TcpSetTimer (Tcb, TCP_TIMER_CONNECT, Tcb->ConnectTimeout); = TcpToSendData (Tcb, 1);++ return EFI_SUCCESS; } /**diff --git a/NetworkP= kg/TcpDxe/TcpTimer.c b/NetworkPkg/TcpDxe/TcpTimer.c index 5d2e124977d9..065b1bdf5feb 100644 --- a/NetworkPkg/TcpDxe/TcpTimer.c +++ b/NetworkPkg/TcpDxe/TcpTimer.c @@ -2,7 +2,7 @@ TCP timer related functions. Copyright (c) 2009 - 2010, Intel Corpora= tion. All rights reserved.
-+ Copyright (c) Microsoft Corporation SPD= X-License-Identifier: BSD-2-Clause-Patent **/@@ -483,7 +483,6 @@ TcpTickin= gDpc ( INT16 Index; mTcpTick++;- mTcpGlobalIss +=3D TCP_ISS_INCREMENT= _2; // // Don't use LIST_FOR_EACH, which isn't delete safe.diff --git = a/NetworkPkg/SecurityFixes.yaml b/NetworkPkg/SecurityFixes.yaml index 20a4555019d9..4305328425d0 100644 --- a/NetworkPkg/SecurityFixes.yaml +++ b/NetworkPkg/SecurityFixes.yaml @@ -122,6 +122,28 @@ CVE_2023_45235: - http://www.openwall.com/lists/oss-security/2024/01/16/2 - http:/= /packetstormsecurity.com/files/176574/PixieFail-Proof-Of-Concepts.html = - https://blog.quarkslab.com/pixiefail-nine-vulnerabilities-in-tianocores-e= dk-ii-ipv6-network-stack.html+CVE_2023_45236:+ commit_titles:+ - "Netwo= rkPkg: TcpDxe: SECURITY PATCH CVE-2023-45236 Patch"+ cve: CVE-2023-45236+ = date_reported: 2023-08-28 13:56 UTC+ description: "Bug 08 - edk2/NetworkP= kg: Predictable TCP Initial Sequence Numbers"+ note:+ files_impacted:+ = - NetworkPkg/Include/Library/NetLib.h+ - NetworkPkg/TcpDxe/TcpDriver.c+= - NetworkPkg/TcpDxe/TcpDxe.inf+ - NetworkPkg/TcpDxe/TcpFunc.h+ - = NetworkPkg/TcpDxe/TcpInput.c+ - NetworkPkg/TcpDxe/TcpMain.h+ - Networ= kPkg/TcpDxe/TcpMisc.c+ - NetworkPkg/TcpDxe/TcpTimer.c+ links:+ - htt= ps://bugzilla.tianocore.org/show_bug.cgi?id=3D4541+ - https://nvd.nist.g= ov/vuln/detail/CVE-2023-45236+ - http://www.openwall.com/lists/oss-secur= ity/2024/01/16/2+ - http://packetstormsecurity.com/files/176574/PixieFai= l-Proof-Of-Concepts.html+ - https://blog.quarkslab.com/pixiefail-nine-vu= lnerabilities-in-tianocores-edk-ii-ipv6-network-stack.html CVE_2023_45237: = commit_titles: - "NetworkPkg:: SECURITY PATCH CVE 2023-45237"--=20 2.34.1 -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#118930): https://edk2.groups.io/g/devel/message/118930 Mute This Topic: https://groups.io/mt/105996585/7686176 Group Owner: devel+owner@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [rebecca@openfw.io] -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-