Bug hunters at French security research firm Quarkslab have found multiple serious vulnerabilities in EDK II, the de-facto open source reference implementation of the UEFI specification, warning there is a risk of remote code execution attacks.
In a research paper published after a months-long disclosure process, Quarkslab said the vulnerabilities are present in the network stack of EDK II and can be exploited during the network boot process.
We performed a cursory inspection of NetworkPkg, Tianocore’s EDK II PXE implementation, and identified nine vulnerabilities which can be exploited by unauthenticated remote attackers on the same local network, and in some cases, by attackers on remote networks,” the company warned.
“The impact of these vulnerabilities include denial of service, information leakage, remote code execution, DNS cache poisoning and network session hijacking,” Quarkslab added.
The vulnerabilities, collectively identified as PixieFAIL, were discovered during what Quarkslab described as a “cursory inspection” of NetworkPkg, which provides drivers and necessary shell applications for network configuration
In addition to Tianocore’s EDK II UEFI implementation and the NetworkPkg PXE stack, Quarkslab said multiple vendors including Microsoft, Arm, Insyde, Phoenix Technologies and American Megatrends (AMI) are using the vulnerable module.
Quarkslab chief technology officer Ivan Arce said he confirmed the vulnerable code in Microsoft’s Project Mu adaptation of Tianocore’s EDK2.
Here’s a snapshot of the nine vulnerabilities:
- CVE-2023-45229: Integer underflow when processing IA_NA/IA_TA options in a DHCPv6 Advertise message
- CVE-2023-45230: Buffer overflow in the DHCPv6 client via a long Server ID option
- CVE-2023-45231: Out of Bounds read when handling a ND Redirect message with truncated options
- CVE-2023-45232: Infinite loop when parsing unknown options in the Destination Options header
- CVE-2023-45233: Infinite loop when parsing a PadN option in the Destination Options header
- CVE-2023-45234: Buffer overflow when processing DNS Servers option in a DHCPv6 Advertise message
- CVE-2023-45235: Buffer overflow when handling Server ID option from a DHCPv6 proxy Advertise message
- CVE-2023-45236: Predictable TCP Initial Sequence Numbers
- CVE-2023-45237: Use of a Weak PseudoRandom Number Generator
Quarkslab released proof-of-concept code to trigger the first seven vulnerabilities and allow defenders to produce detection signatures to spot infection attempts.
The CERT Coordination Center has published a notice with a list of affected and potentially affected vendors, and guidance to deploy fixes and mitigations. CERT/CC has confirmed that Insyde, AMI, Intel and Phoenix Technologies are impacted, but the status is unknown for many vendors.
*updated with information from CERT/CC