A chain of 9 vulnerabilities in UEFI’s Preboot Execution Environment (PXE), dubbed PixieFail, was uncovered in a recent research. As the network boot process is a rather novice attack vector, only a few vulnerabilities received high severity status. Nonetheless, their sheer volume, along with the location in rather sensitive places, can create a mess if someone manages to exploit those vulnerabilities in a chain.
Analysts Discover Numerous Vulnerabilities in TianoCore EDK II
The extensive research from Quarklabs uncovers the grand total of nine vulnerabilities present in a widely used UEFI implementation from TianoCore, called EDK II. This open-source variant of unified EFI is seeing particularly large applications in various corporations, both in their own machines and in products. Among other functions, it contains a network boot option and a whole bunch of related functionality, which is where all the vulnerabilities are concentrated.
Network boot itself bears on a Preboot Execution Environment (PXE), often shortened to Pixie boot. This place is, eventually, the host to all nine security flaws. Not all vulnerabilities from PixieFail collection are of the utmost severity, but for 3 of them, NIST assigned the CVSS score of 8.3/10.
List of PixieFail Vulnerabilities
| Vulnerability | Severity score | Description |
|---|---|---|
| CVE-2023-45229 | 6.5 | Out-of-bounds data read with a crafted DHCPv6 Advertise message |
| CVE-2023-45230 | 8.3 | Buffer overflow possibility using a crafted Server ID option |
| CVE-2023-45231 | 6.5 | Out-of-bounds data read with a specifically crafted ND Redirect message |
| CVE-2023-45232 | 7.5 | Possibility of throwing the machine into infinite boot loop with a wrong Destination option header |
| CVE-2023-45233 | 7.5 | Possibility of throwing the machine into infinite boot loop with a wrong PadN option |
| CVE-2023-45234 | 8.3 | Buffer overflow possibility using a crafted DNS Servers option |
| CVE-2023-45235 | 8.3 | Buffer overflow possibility using a crafted Server ID option from DHCPv6 Advertise message |
| CVE-2023-45236 | 5.8 | Predictability of TCP Initial Sequence number |
| CVE-2023-45237 | 5.3 | Weakness of Pseudo Random Number Generator |
As you can see, the list is rather vast, with buffer overflow vulnerabilities rated as the most severe. All this is due to the reason that such flaws can enforce arbitrary code execution. Such an action is useful for both initial access and lateral movement within the environment. And since we are talking about doing all this mess almost on a bare metal, outcomes may be rather bad.
Vendors Offer Patches for PixieFail Vulnerabilities
Upon detecting the vulnerabilities back in early August 2023, Quarkslab contacted a selection of software vendors who use EDK II in their products. Among them are such known names as Arm, Insyde Software, Microsoft, American Megatrends and Phoenix Technologies. Throughout half a year, both vendors, authorities and researchers elaborated on creating a fix without leaking any information before the fixes are implemented.
As a result, on January 16, 2024, when the detailed analysis from Qarkslab was published, all the notified vendors got the issue fixed. So, check out the updates for your firmware – it may contain the patch which fixes PixieFail all at once.
