Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Network Security

Remotely Exploitable ‘PixieFail’ Flaws Found in Tianocore EDK II PXE Implementation

Quarkslab finds serious, remotely exploitable vulnerabilities in EDK II, the de-facto open source reference implementation of the UEFI spec.

Bug hunters at French security research firm Quarkslab have found multiple serious vulnerabilities in EDK II, the de-facto open source reference implementation of the UEFI specification, warning there is a risk of remote code execution attacks.

In a research paper published after a months-long disclosure process, Quarkslab said the vulnerabilities are present in the network stack of EDK II and can be exploited during the network boot process. 

We performed a cursory inspection of NetworkPkg, Tianocore’s EDK II PXE implementation, and identified nine vulnerabilities which can be exploited by unauthenticated remote attackers on the same local network, and in some cases, by attackers on remote networks,” the company warned.

“The impact of these vulnerabilities include denial of service, information leakage, remote code execution, DNS cache poisoning and network session hijacking,” Quarkslab added.

The vulnerabilities, collectively identified as PixieFAIL, were discovered during what Quarkslab described as a “cursory inspection” of NetworkPkg, which provides drivers and  necessary shell applications for network configuration

In addition to Tianocore’s EDK II UEFI implementation and the NetworkPkg PXE stack, Quarkslab said multiple vendors including Microsoft, Arm, Insyde, Phoenix Technologies and American Megatrends (AMI) are using the vulnerable module.

Quarkslab chief technology officer Ivan Arce said he confirmed the vulnerable code in Microsoft’s Project Mu adaptation of Tianocore’s EDK2. 

Here’s a snapshot of the nine vulnerabilities:

Advertisement. Scroll to continue reading.
  • CVE-2023-45229: Integer underflow when processing IA_NA/IA_TA options in a DHCPv6 Advertise message
  • CVE-2023-45230: Buffer overflow in the DHCPv6 client via a long Server ID option
  • CVE-2023-45231: Out of Bounds read when handling a ND Redirect message with truncated options
  • CVE-2023-45232: Infinite loop when parsing unknown options in the Destination Options header
  • CVE-2023-45233: Infinite loop when parsing a PadN option in the Destination Options header
  • CVE-2023-45234: Buffer overflow when processing DNS Servers option in a DHCPv6 Advertise message
  • CVE-2023-45235: Buffer overflow when handling Server ID option from a DHCPv6 proxy Advertise message
  • CVE-2023-45236: Predictable TCP Initial Sequence Numbers
  • CVE-2023-45237: Use of a Weak PseudoRandom Number Generator

Quarkslab released proof-of-concept code to trigger the first seven vulnerabilities and allow defenders to produce detection signatures to spot infection attempts.

The CERT Coordination Center has published a notice with a list of affected and potentially affected vendors, and guidance to deploy fixes and mitigations. CERT/CC has confirmed that Insyde, AMI, Intel and Phoenix Technologies are impacted, but the status is unknown for many vendors.

*updated with information from CERT/CC

Related: CISA Calls Urgent Attention to UEFI Attack Surfaces

Related: Quarklab Researchers Find Security Defects in TPM 2.0 Spec

Related: Critical Flaw in Google’s Titan M Chip Earns Researchers $75K

Related: LogoFAIL Vulnerabilities Haunt Enterprise, Consumer Devices

Written By

Ryan Naraine is Editor-at-Large at SecurityWeek and host of the popular Security Conversations podcast series. He is a security community engagement expert who has built programs at major global brands, including Intel Corp., Bishop Fox and GReAT. Ryan is a founding-director of the Security Tinkerers non-profit, an advisor to early-stage entrepreneurs, and a regular speaker at security conferences around the world.

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Learn about active threats targeting common cloud deployments and what security teams can do to mitigate them.

Register

Join us for an in depth exploration of the critical nature of software and vendor supply chain security issues with a focus on understanding how attacks against identity infrastructure come with major cascading effects.

Register

Expert Insights

Related Content

Vulnerabilities

Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Identity & Access

Zero trust is not a replacement for identity and access management (IAM), but is the extension of IAM principles from people to everyone and...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...

Vulnerabilities

A researcher at IOActive discovered that home security systems from SimpliSafe are plagued by a vulnerability that allows tech savvy burglars to remotely disable...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...

Cybercrime

Patch Tuesday: Microsoft calls attention to a series of zero-day remote code execution attacks hitting its Office productivity suite.

Vulnerabilities

Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.