Multiple vulnerabilities [1] [2] [3] [4] [5] [6] [7], collectively known as PixieFail [2] [3] [5] [6], have been discovered in the TCP/IP network protocol stack of the TianoCore EFI Development Kit II (EDK II), an open-source reference implementation of the Unified Extensible Firmware Interface (UEFI) specification [5] [6].

Description

These vulnerabilities, tracked collectively as PixieFail [2], affect NetworkPkg, the EDK II component that provides the network stack used during the Preboot eXecution Environment (PXE) boot stage [3] [6]. The bug classes are integer underflow [2], buffer overflow [2] [4], out-of-bounds read [2] [3] [4] [5] [6], infinite loop [2] [3] [4] [5] [6], and a weak pseudorandom number generator (PRNG) [2] [3] [4] [5] [6]. All of them are reached while a machine is network booting, before any operating system and its defenses have been loaded, so an attacker who can exchange packets with the booting system, on the same local network or, in some scenarios, from a remote network, can use them for remote code execution, denial of service (DoS) [2] [3] [5] [6], DNS cache poisoning [1] [2] [3] [5] [6] [7], and leakage of sensitive information [2] [3] [5] [6] [7].

The most severe of them [1] [7], CVE-2023-45230 and CVE-2023-45235 [1] [3] [5] [6], allow remote code execution and therefore compromise of the system before it has even loaded an operating system [1]. Impact and exploitability depend on the firmware build and on the default PXE boot configuration [2] [3]: a system that never enters the PXE network boot path does not expose the vulnerable code to the network, while one that boots from the network by default is exposed on every start.
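The following is an added illustration, not code from EDK II or from any of the vendors named on this page. It models two of the bug classes listed above in a cut-down DHCPv6 option walk of the kind a PXE client performs: a server-supplied option length that drives a copy into a fixed buffer (the overflow class to which the two RCE-capable CVEs above belong, both being overflows in the DHCPv6 client's handling of a server-supplied Server ID option) and an unchecked subtraction of a fixed header size (integer underflow). The option layout follows RFC 8415; the buffer sizes, the simulated memory region, and the packet bytes are assumptions made for the demo, and the overflow is deliberately kept inside that region so the program stays deterministic.

```c
/*
 * Added illustration for this page, not code from EDK II or any vendor.
 * Models two PixieFail bug classes in a cut-down DHCPv6 option walk:
 * a length-driven copy into a fixed buffer (buffer overflow) and an
 * unchecked subtraction of a fixed header size (integer underflow).
 * Option layout follows RFC 8415 (2-byte code, 2-byte length, data);
 * buffer sizes and packet bytes are assumptions for the demo, and the
 * overflow is kept inside a simulated memory region so it is deterministic.
 */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define OPT_SERVERID   2   /* Server Identifier option code (RFC 8415) */
#define OPT_IA_NA      3   /* IA_NA option code (RFC 8415) */
#define IA_NA_HDR     12   /* IAID, T1, T2 precede the IA_NA sub-options */
#define SERVERID_MAX  16   /* assumed size of the client's Server ID buffer */
#define REGION_SIZE   64   /* simulated client memory: server_id[16], then neighbours */

static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Vulnerable pattern: the option length is attacker controlled (any host that
 * can answer DHCPv6 on the segment supplies it), yet it drives memcpy into a
 * SERVERID_MAX-byte buffer and the IA_NA sub-option length computation.
 * Returns the IA_NA sub-option length it derived. */
size_t walk_options_unsafe(uint8_t *region, const uint8_t *opts, size_t len) {
    size_t off = 0, ia_inner = 0;
    while (off + 4 <= len) {
        uint16_t code = be16(opts + off);
        uint16_t olen = be16(opts + off + 2);
        const uint8_t *data = opts + off + 4;
        if (code == OPT_SERVERID)
            memcpy(region, data, olen);            /* olen > SERVERID_MAX: overflow */
        else if (code == OPT_IA_NA)
            ia_inner = (size_t)olen - IA_NA_HDR;   /* olen < 12: wraps near SIZE_MAX */
        off += 4 + olen;                           /* never checked against len */
    }
    return ia_inner;
}

/* Hardened form: each length is bounded by the packet and the buffer before use. */
int walk_options_safe(uint8_t *region, const uint8_t *opts, size_t len, size_t *ia_inner) {
    size_t off = 0;
    *ia_inner = 0;
    while (off + 4 <= len) {
        uint16_t code = be16(opts + off);
        uint16_t olen = be16(opts + off + 2);
        const uint8_t *data = opts + off + 4;
        if (olen > len - off - 4) return -1;       /* option claims more than the packet holds */
        if (code == OPT_SERVERID) {
            if (olen > SERVERID_MAX) return -2;    /* reject rather than truncate silently */
            memcpy(region, data, olen);
        } else if (code == OPT_IA_NA) {
            if (olen < IA_NA_HDR) return -3;       /* subtraction would underflow */
            *ia_inner = (size_t)olen - IA_NA_HDR;
        }
        off += 4 + olen;
    }
    return 0;
}

/* Constructed packets for the demo (not captured traffic). */
static const uint8_t PKT_LONG_SERVERID[] = {   /* Server ID with length 24 > SERVERID_MAX */
    0x00, 0x02, 0x00, 0x18,
    'A','A','A','A','A','A','A','A','A','A','A','A',
    'A','A','A','A','A','A','A','A','A','A','A','A' };
static const uint8_t PKT_SHORT_IA_NA[]  = { 0x00, 0x03, 0x00, 0x04, 0xde, 0xad, 0xbe, 0xef };
static const uint8_t PKT_TRUNCATED[]    = { 0x00, 0x02, 0x00, 0x40 };   /* claims 64 bytes, has 0 */
static const uint8_t PKT_GOOD[]         = { 0x00, 0x02, 0x00, 0x04, 1, 2, 3, 4,
                                            0x00, 0x03, 0x00, 0x0c, 0,0,0,1, 0,0,0,0, 0,0,0,0 };

/* Demo entry points: run the parsers over the constructed packets. */
int unsafe_clobbers_neighbour(void) {
    uint8_t region[REGION_SIZE] = {0};
    walk_options_unsafe(region, PKT_LONG_SERVERID, sizeof PKT_LONG_SERVERID);
    return region[SERVERID_MAX] == 'A' && region[SERVERID_MAX + 7] == 'A';   /* bytes past the buffer */
}
size_t unsafe_ia_inner_len(void) {
    uint8_t region[REGION_SIZE] = {0};
    return walk_options_unsafe(region, PKT_SHORT_IA_NA, sizeof PKT_SHORT_IA_NA);
}
int safe_rc(const uint8_t *pkt, size_t len) {
    uint8_t region[REGION_SIZE] = {0};
    size_t inner;
    return walk_options_safe(region, pkt, len, &inner);
}

int main(void) {
    printf("unsafe: neighbour field clobbered = %d, IA_NA inner len = %zu\n",
           unsafe_clobbers_neighbour(), unsafe_ia_inner_len());
    printf("safe: long server id %d, short IA_NA %d, truncated %d, good %d\n",
           safe_rc(PKT_LONG_SERVERID, sizeof PKT_LONG_SERVERID),
           safe_rc(PKT_SHORT_IA_NA, sizeof PKT_SHORT_IA_NA),
           safe_rc(PKT_TRUNCATED, sizeof PKT_TRUNCATED),
           safe_rc(PKT_GOOD, sizeof PKT_GOOD));
    return 0;
}
```

The point of the hardened walk is that every length is checked against two bounds, the remaining packet and the destination buffer, before it is used either as a copy size or in arithmetic; the underflow guard matters because a wrapped length feeds the next loop, which is how a single bad option turns into an out-of-bounds read or an infinite loop, two more of the classes listed above.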

Because NetworkPkg is inherited by downstream firmware built on EDK II, the affected software includes Arm's reference solutions [4], Microsoft's Project Mu [4], Insyde Software's InsydeH2O UEFI BIOS [4], Phoenix Technologies' SecureCore [1] [3] [4] [5] [6] [7], and American Megatrends' Aptio OpenEdition [4]; the vulnerabilities have been confirmed in implementations from American Megatrends (AMI) [7], Insyde Software [1] [4] [7], Intel [1] [3] [5] [6] [7], and Phoenix Technologies [1] [3] [4] [5] [6] [7]. Insyde Software [1] [4] [7], AMI [1] [3] [5] [6] [7], and Phoenix Technologies have already released fixes [7], while other vendors [7], including Google [7], HP [7], Microsoft [1] [4] [7], and Cisco [7], are still investigating [7]; Google has confirmed that its Chromebooks are not impacted [1]. Proof-of-concept code has been published to aid in detecting these vulnerabilities [7].

The vulnerabilities were first reported to CERT/CC on August 3, 2023, and the disclosure deadline was extended multiple times [1]. Most vendor patches are currently in testing [1], and TianoCore has provided fixes for the first seven vulnerabilities [1]. Remediation is harder than for an operating-system bug because the vulnerable code runs in firmware before any operating system loads: each firmware vendor has to integrate the upstream fix and then ship it as a firmware update for every affected platform. The CERT Coordination Center (CERT/CC) has published an advisory [2] stating that an attacker within the local network or remotely could exploit these weaknesses to execute remote code [2] [3], initiate DoS attacks [2] [3], conduct DNS cache poisoning [1] [2] [3] [6] [7], or extract sensitive information [2] [3] [5], and has provided a list of affected vendors and guidance to mitigate the issues [2].

Conclusion

These vulnerabilities carry significant risk: remote code execution [1] [2] [3] [5] [6] [7], system compromise [1], denial of service [1] [6] [7], information disclosure [1], DNS cache poisoning [1] [2] [3] [5] [6] [7], and network session hijacking [1] [2] [7]. Some vendors have already released fixes while others are still investigating [7], and CERT/CC has provided guidance to affected vendors. Because the fix must reach each platform as a firmware update, remediation will be uneven for some time; until a patched firmware is installed, the practical mitigation that follows from the attack model above is to limit exposure of the vulnerable code path, that is, to disable network (PXE) boot on systems that do not need it and to keep systems that do need it on network segments where untrusted hosts cannot answer their DHCP or DNS traffic during boot. Since impact and exploitability depend on the firmware build and configuration [3], checking the actual boot configuration of each model in a fleet is part of the assessment rather than an optional extra.

References

[1] https://ciso2ciso.com/pixiefail-flaws-impact-pxe-network-boot-in-enterprise-systems-source-www-bleepingcomputer-com/
[2] https://f5.pm/go-216462.html
[3] https://owasp.or.id/2024/01/18/pixiefail-uefi-flaws-expose-millions-of-computers-to-rce-dos-and-data-theft/
[4] https://securityboulevard.com/2024/01/pixiefail-bugs-in-uefi-open-source-implementation-threaten-computers/
[5] https://thehackernews.com/2024/01/pixiefail-uefi-flaws-expose-millions-of.html
[6] https://vulners.com/thn/THN:ABAFDCDE6A3F94C626855FB15991C36B
[7] https://www.itnews.com.au/news/ubiquitous-uefi-implementation-has-serious-vulnerabilities-604126