9 PixieFail Vulnerabilities Discovered in TianoCore’s EDK II

Researchers Discover 9 Vulnerabilities in EDK II
A newly discovered set of vulnerabilities touches a wide selection of hardware and firmware developers

A chain of 9 vulnerabilities in UEFI’s Preboot Execution Environment (PXE), dubbed PixieFail, was uncovered in recent research. As the network boot process is a rather uncommon attack vector, only a few of the vulnerabilities received a high severity rating. Nonetheless, their sheer number, along with their location in rather sensitive code, can create a mess if someone manages to exploit them in a chain.

Analysts Discover Numerous Vulnerabilities in TianoCore EDK II

The extensive research from Quarkslab uncovers a grand total of nine vulnerabilities in a widely used UEFI implementation from TianoCore, called EDK II. This open-source implementation of Unified EFI is used particularly widely by corporations, both in their own machines and in the products they ship. Among other functions, it contains a network boot option and a whole bunch of related functionality, which is where all the vulnerabilities are concentrated.

Network boot itself relies on the Preboot Execution Environment (PXE), often shortened to Pixie boot. This component is, eventually, the host to all nine security flaws. Not all vulnerabilities in the PixieFail collection are of the utmost severity, but for 3 of them NIST assigned a CVSS score of 8.3/10.

List of PixieFail Vulnerabilities

Vulnerability    Severity score  Description
CVE-2023-45229   6.5             Out-of-bounds data read with a crafted DHCPv6 Advertise message
CVE-2023-45230   8.3             Buffer overflow possibility using a crafted Server ID option
CVE-2023-45231   6.5             Out-of-bounds data read with a specifically crafted ND Redirect message
CVE-2023-45232   7.5             Possibility of throwing the machine into an infinite boot loop with a wrong Destination option header
CVE-2023-45233   7.5             Possibility of throwing the machine into an infinite boot loop with a wrong PadN option
CVE-2023-45234   8.3             Buffer overflow possibility using a crafted DNS Servers option
CVE-2023-45235   8.3             Buffer overflow possibility using a crafted Server ID option from a DHCPv6 Advertise message
CVE-2023-45236   5.8             Predictability of the TCP Initial Sequence Number
CVE-2023-45237   5.3             Weakness of the Pseudo Random Number Generator
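Several entries in the table share one root cause: an option length taken from the packet and trusted without checking it against the bytes actually present or against the buffer it is copied into. As an added illustration (this is not EDK II's code and not from the Quarkslab research), the C below shows the kind of bounds-checked walk over DHCPv6 options that a defender would expect a network boot stack to perform: every option header must fit in the packet, the declared length must not run past the end of the packet, and a Server ID option must fit the fixed-size destination before anything is copied. The packet bytes, the 128-byte destination limit and the function names are constructed for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Constructed illustration of a bounds-checked DHCPv6 option walk.
 * Option layout (RFC 8415): 2-byte option-code, 2-byte option-len, data.
 * This is not EDK II code; names and limits are chosen for the example. */

#define DHCP6_OPT_SERVERID 2
#define DHCP6_MSG_HDR_LEN  4      /* msg-type (1 byte) + transaction-id (3 bytes) */
#define SERVERID_MAX       128    /* hypothetical fixed-size destination buffer */

enum parse_result {
    PARSE_OK = 0,
    PARSE_TRUNCATED = 1,     /* header or declared length runs past the packet */
    PARSE_TOO_LONG = 2,      /* option is well-formed but exceeds the destination */
    PARSE_NO_SERVERID = 3    /* packet parsed cleanly but carried no Server ID */
};

/* Walk the options after the message header and copy the Server ID into dst.
 * Every length is validated before it is used for reading or copying. */
int dhcp6_extract_server_id(const uint8_t *pkt, size_t pkt_len,
                            uint8_t *dst, size_t dst_cap, size_t *out_len)
{
    if (pkt_len < DHCP6_MSG_HDR_LEN) return PARSE_TRUNCATED;
    size_t off = DHCP6_MSG_HDR_LEN;
    while (off < pkt_len) {
        /* A full 4-byte option header must be present before reading it. */
        if (pkt_len - off < 4) return PARSE_TRUNCATED;
        uint16_t code = (uint16_t)((pkt[off] << 8) | pkt[off + 1]);
        uint16_t len  = (uint16_t)((pkt[off + 2] << 8) | pkt[off + 3]);
        off += 4;
        /* The declared length is attacker-controlled: clamp it to the packet. */
        if (len > pkt_len - off) return PARSE_TRUNCATED;
        if (code == DHCP6_OPT_SERVERID) {
            /* Check the destination capacity before the copy, not after. */
            if (len > dst_cap) return PARSE_TOO_LONG;
            memcpy(dst, pkt + off, len);
            *out_len = len;
            return PARSE_OK;
        }
        off += len;
    }
    return PARSE_NO_SERVERID;
}

/* Constructed sample: a minimal Advertise (msg-type 2) with a 6-byte Server ID. */
int demo_good_advertise(void)
{
    static const uint8_t pkt[] = {
        0x02, 0xaa, 0xbb, 0xcc,             /* msg-type 2, transaction-id */
        0x00, 0x02, 0x00, 0x06,             /* option 2 (Server ID), length 6 */
        0x00, 0x03, 0x00, 0x01, 0xde, 0xad  /* DUID bytes (constructed) */
    };
    uint8_t dst[SERVERID_MAX]; size_t n = 0;
    int r = dhcp6_extract_server_id(pkt, sizeof pkt, dst, sizeof dst, &n);
    return (r == PARSE_OK && n == 6) ? PARSE_OK : (r == PARSE_OK ? -1 : r);
}

/* Constructed sample: the option claims 512 bytes but only 6 follow. */
int demo_claimed_length_overrun(void)
{
    static const uint8_t pkt[] = {
        0x02, 0xaa, 0xbb, 0xcc,
        0x00, 0x02, 0x02, 0x00,             /* Server ID, declared length 0x0200 */
        0x00, 0x03, 0x00, 0x01, 0xde, 0xad
    };
    uint8_t dst[SERVERID_MAX]; size_t n = 0;
    return dhcp6_extract_server_id(pkt, sizeof pkt, dst, sizeof dst, &n);
}

/* Constructed sample: a 200-byte Server ID that is fully present in the packet
 * but larger than the 128-byte destination buffer. */
int demo_serverid_exceeds_destination(void)
{
    uint8_t pkt[DHCP6_MSG_HDR_LEN + 4 + 200];
    memset(pkt, 0x41, sizeof pkt);
    pkt[0] = 0x02; pkt[1] = 0xaa; pkt[2] = 0xbb; pkt[3] = 0xcc;
    pkt[4] = 0x00; pkt[5] = 0x02; pkt[6] = 0x00; pkt[7] = 200;
    uint8_t dst[SERVERID_MAX]; size_t n = 0;
    return dhcp6_extract_server_id(pkt, sizeof pkt, dst, sizeof dst, &n);
}

int main(void)
{
    printf("well-formed advertise: %d\n", demo_good_advertise());
    printf("declared length overrun: %d\n", demo_claimed_length_overrun());
    printf("server id exceeds destination: %d\n", demo_serverid_exceeds_destination());
    return 0;
}
```

The two rejecting cases correspond to the two failure modes the table describes: a length that points beyond the packet yields an out-of-bounds read if trusted, and a length that exceeds the destination yields a buffer overflow if copied. Both checks happen before any memory access, which is the property to look for when reviewing option parsers in pre-boot network code.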

As you can see, the list is rather extensive, with the buffer overflow vulnerabilities rated as the most severe. That is because such flaws can enable arbitrary code execution. Such an action is useful for both initial access and lateral movement within the environment. And since all of this happens almost on bare metal, the outcomes may be rather bad.

Vendors Offer Patches for PixieFail Vulnerabilities

Upon discovering the vulnerabilities back in early August 2023, Quarkslab contacted a selection of software vendors who use EDK II in their products. Among them are such known names as Arm, Insyde Software, Microsoft, American Megatrends and Phoenix Technologies. Over the following half year, vendors, authorities and researchers worked on a fix without leaking any information before the fixes were implemented.

As a result, on January 16, 2024, when the detailed analysis from Quarkslab was published, all the notified vendors had the issues fixed. So, check for updates to your firmware – they may contain the patch that fixes PixieFail all at once.


By Stephanie Adlam

I write about how to make your Internet browsing comfortable and safe. The modern digital world is worth being a part of, and I want to show you how to do it properly.
