Endpoint Security , Hardware / Chip-level Security

Critical PixieFail Flaws Threaten UEFI Firmware

Flaws Exploit IPv6 Network Boot Specification
Critical PixieFail Flaws Threaten UEFI Firmware
UEFI has replaced BIOS as computer boot-up firmware. (Image: Shutterstock)

Multiple vulnerabilities in a widely used open-source implementation of the Unified Extensible Firmware Interface specification allow attackers to introduce malware operating at the firmware level.

See Also: Zero Trust: A Global Perspective

The vulnerabilities mainly affect server farms and high-performance computing environments - locations in which a boot server delivers the operating system over the local network. The flaws reside in how a UEFI implementation known as TianoCore EDK II calls the boot server using the IPv6 network protocol.

Difficult to patch and often beyond the reach of endpoint security systems - but a miniature operating system in its own right - UEFI is attracting mounting attention from researchers and hackers. UEFI flaws are prized by attackers since the specification is ubiquitous across x86 personal computers and servers, and a firmware infection will mostly survive attempts to purge it using operating system-level antivirus software.

The U.S. federal government last August urged computer manufacturers to improve UEFI security, suggesting that systems owners be able to audit and manage UEFI components as they do other computer software (see: US CISA Urges Improvements to Key Computer Component).

Researchers from Quarkslab wrote in a Jan. 6 blog post that a nonexhaustive list of affected vendors includes chipmaker Arm, Microsoft through its firmware-as-a-service effort, Project Mu and the EDK II implementation maintained by Phoenix Technologies.

The researches dubbed the flaws PixieFail, a play on the pronunciation of the Preboot Execution Environment - or PXE - specification in UEFI for network boot.

Quarkslab Chief Research Officer Ivan Arce told Ars Technica that an attacker wouldn't need physical access to the client computer or boot server. "The attacker just needs to have access to the network where all these systems are running and it needs to have the ability to capture packets and to inject packets or transmit packets," he said.

A spokesperson for UEFI Forum told Information Security Media Group that the vulnerabilities in question have already been addressed and fixed in the EDK II open-source project.

"If issues remain in vendor-specific implementations, derived from EDK II or not, then those vendors are in the best position to comment on why products they support might still be vulnerable, if that is the case," the spokesperson said.

PixieFail encompasses nine flaws within the UEFI network protocol stack, known as NetworkPkg. The vulnerabilities create diverse exploits, including remote code execution, denial-of-service attacks, DNS cache poisoning and the unauthorized leakage of sensitive information.

One PixieFail flaw, tracked as CVE-2023-45229, could be exploited to crash a system because the UEFI implementation didn't check for minimum byte length when parsing the advertise response for the dynamic host configuration protocol server responding to the PXE initial solicit message.

Another flaw, tracked as CVE-2023-45230, could result in a buffer overflow by configuring the DHCP server to respond to a follow-up request message with a malicious server ID. EDK II again fully trusted the DHCP server response, Quarkslab wrote.

Technical Details

The PXE facilitates network booting by allowing a client system to locate, download and execute code from a network server.

The process involves multiple stages, starting with a minimal program - Network Bootstrap Program or NBP - downloaded via a simple protocol such as TFTP. The PXE client relies on a DHCP server to configure its network interface and obtain a list of boot servers for the NBP file.

To avoid modifying operational DHCP servers, the specification splits regular DHCP- and PXE-related functionality into two separate services.

Enabling the PXE environment allows machines to boot through network connectivity, removing the necessity for physical interaction or keyboard access. Primarily used in larger data centers, PXE plays a crucial role in automating early boot phases, especially in high-performance computing environments.

The PXE client selects a boot server, communicates with it using the DHCP protocol, obtains necessary parameters, downloads the NBP and executes it. PXE over IPv6 uses DHCPv6 and TFTP, requiring IPv6 and UDP at layers 3 and 4. The process may involve DNS for resolving boot server hostnames provided by the DHCP server.

The flaws are:

  • CVE-2023-45229 - CVSS score: 6.5 - This vulnerability involves an integer underflow when processing IA_NA/IA_TA options in a DHCPv6 Advertise message.
  • CVE-2023-45230 - CVSS score: 8.3 - The flaw is a buffer overflow in the DHCPv6 client caused by a lengthy Server ID option.
  • CVE-2023-45231 - CVSS score: 6.5 - This vulnerability results in an out-of-bounds read when handling an ND Redirect message with truncated options.
  • CVE-2023-45232 - CVSS score: 7.5 - An infinite loop occurs when parsing unknown options in the Destination Options header.
  • CVE-2023-45233 - CVSS score: 7.5 - An infinite loop is triggered when parsing a PadN option in the Destination Options header.
  • CVE-2023-45234 - CVSS score: 8.3 - The issue involves a buffer overflow when processing the DNS Servers option in a DHCPv6 Advertise message.
  • CVE-2023-45235 - CVSS score: 8.3 - A buffer overflow occurs when handling the Server ID option from a DHCPv6 proxy Advertise message.
  • CVE-2023-45236 - CVSS score: 5.8 - This vulnerability exposes predictable TCP Initial Sequence Numbers.
  • CVE-2023-45237 - CVSS score: 5.3 - The flaw involves the use of a weak pseudorandom number generator.

About the Author

Prajeet Nair

Prajeet Nair

Assistant Editor, Global News Desk, ISMG

Nair previously worked at TechCircle, IDG, Times Group and other publications, where he reported on developments in enterprise technology, digital transformation and other issues.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing bankinfosecurity.asia, you agree to our use of cookies.