Critical PixieFail Vulnerabilities Lead to RCE and DoS Attacks
A set of critical security vulnerabilities has been found in the TCP/IP network protocol stack of an open-source reference implementation of the Unified Extensible Firmware Interface (UEFI) specification. Named PixieFail by Quarkslab, these nine vulnerabilities in the TianoCore EFI Development Kit II (EDK II) affect the network boot process, which is crucial for loading an OS from the network. They could be leveraged by attackers, leading to remote code execution, denial-of-service (DoS) attacks, DNS cache poisoning, and the unauthorized leakage of sensitive data.
Nine PixieFail UEFI Vulnerabilities
The impact of these vulnerabilities extends to UEFI firmware developed by major companies such as AMI, Intel, Insyde, and Phoenix Technologies. The EDK II incorporates its own TCP/IP stack known as NetworkPkg, facilitating network functionalities during the initial Preboot eXecution Environment (PXE) stage. PXE enables devices to boot from their network interface card (NIC) and permits the remote configuration and booting of networked computers that lack a running operating system.
The vulnerabilities identified within the EDK II's NetworkPkg encompass a variety of flaws, including mishandling of DHCPv6 Advertise messages that causes an integer underflow, and buffer overflows triggered by Server ID options. Exploitation occurs before the OS loads, bypassing traditional security measures.
The list of all PixieFail vulnerabilities includes:
CVE-2023-45229 (CVSS score: 6.5) – Integer underflow in DHCPv6 Advertise message processing
CVE-2023-45230 (CVSS score: 8.3) – Buffer overflow in DHCPv6 client via Server ID option
CVE-2023-45231 (CVSS score: 6.5) – Out-of-bounds read in handling ND Redirect message
CVE-2023-45232 (CVSS score: 7.5) – Infinite loop in parsing unknown options
CVE-2023-45233 (CVSS score: 7.5) – Infinite loop in parsing PadN option
CVE-2023-45234 (CVSS score: 8.3) – Buffer overflow in processing DNS Servers option
CVE-2023-45235 (CVSS score: 8.3) – Buffer overflow in handling Server ID option
CVE-2023-45236 (CVSS score: 5.8) – Predictable TCP Initial Sequence Numbers
CVE-2023-45237 (CVSS score: 5.3) – Use of a weak pseudorandom number generator
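Several entries in the list above are the same bug class: a type-length-value (TLV) option walker that trusts a length field, either reading past the end of the packet (out-of-bounds read, buffer overflow), subtracting a header size from a length that is smaller than the header (integer underflow), or failing to advance on a zero-length or unknown option (infinite loop). The following is an added example written for this article, not EDK II's NetworkPkg code: two defensive option walkers, one for the IPv6 Hop-by-Hop/Destination Options format (Pad1, PadN, unknown options; RFC 8200) and one for DHCPv6 options (4-byte header; RFC 8415), with constructed sample packets. Option codes 2 (Server ID) and 23 (DNS Servers) are the standard DHCPv6 values; the sample byte strings are made up for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed example, not EDK II code: bounds-checked TLV walkers for
 * the two option formats the PixieFail CVEs concern.  Each loop either
 * consumes at least one byte or returns, so it terminates on any input,
 * and every length check is written so the subtraction cannot underflow. */

#define IP6_OPT_PAD1   0   /* single byte, no length field */
#define IP6_OPT_PADN   1   /* type, length, length bytes of padding */

/* Walk the option area of an IPv6 extension header.
 * Returns the number of options found, or -1 if the buffer is malformed. */
int ip6_walk_options(const uint8_t *buf, size_t len)
{
    size_t off = 0;
    int count = 0;

    while (off < len) {
        uint8_t type = buf[off];

        if (type == IP6_OPT_PAD1) {
            off += 1;                   /* Pad1 has no length byte */
            count++;
            continue;
        }
        if (len - off < 2)              /* off < len, so no underflow */
            return -1;                  /* option header runs past the buffer */
        uint8_t olen = buf[off + 1];
        if (olen > len - off - 2)       /* len - off >= 2 here */
            return -1;                  /* option body runs past the buffer */
        /* PadN and unknown options are skipped identically; a zero-length
         * PadN still advances by its 2-byte header, so the loop cannot stall. */
        off += 2 + (size_t)olen;
        count++;
    }
    return count;
}

#define DHCP6_OPT_HDR       4
#define DHCP6_OPT_SERVERID  2
#define DHCP6_OPT_DNS       23

/* Walk DHCPv6 options (big-endian 16-bit code and length).  Returns the
 * option count or -1 on malformed input; if want_code is present, *out and
 * *out_len point at its body so the caller can copy it with its own bound
 * check rather than into a fixed-size buffer. */
int dhcp6_walk_options(const uint8_t *buf, size_t len, uint16_t want_code,
                       const uint8_t **out, size_t *out_len)
{
    size_t off = 0;
    int count = 0;
    if (out)     *out = NULL;
    if (out_len) *out_len = 0;

    while (off < len) {
        if (len - off < DHCP6_OPT_HDR)  /* reject before any header arithmetic */
            return -1;
        uint16_t code = (uint16_t)((buf[off] << 8) | buf[off + 1]);
        uint16_t olen = (uint16_t)((buf[off + 2] << 8) | buf[off + 3]);
        if (olen > len - off - DHCP6_OPT_HDR)
            return -1;
        if (code == want_code && out) {
            *out = buf + off + DHCP6_OPT_HDR;
            *out_len = olen;
        }
        off += DHCP6_OPT_HDR + (size_t)olen;
        count++;
    }
    return count;
}

/* Constructed sample inputs (not captured traffic). */
const uint8_t SAMPLE_IP6_GOOD[]  = { 0x00, 0x01, 0x02, 0x00, 0x00,
                                     0x1e, 0x04, 1, 2, 3, 4 };   /* Pad1, PadN(2), unknown(4) */
const uint8_t SAMPLE_IP6_LONG[]  = { 0x01, 0x10, 0x00 };          /* PadN claims 16 bytes */
const uint8_t SAMPLE_IP6_SHORT[] = { 0x00, 0x1e };                /* header cut off */
const uint8_t SAMPLE_IP6_ZERO[]  = { 0x01, 0x00, 0x01, 0x00 };    /* two zero-length PadN */
const uint8_t SAMPLE_DHCP6_GOOD[] = { 0x00, 0x02, 0x00, 0x03, 'a', 'b', 'c',
                                      0x00, 0x17, 0x00, 0x04, 0, 0, 0, 0 };
const uint8_t SAMPLE_DHCP6_LONG[] = { 0x00, 0x02, 0x00, 0x08, 'a' }; /* Server ID too long */
const uint8_t SAMPLE_DHCP6_HDR[]  = { 0x00, 0x02, 0x00 };            /* 3-byte header fragment */

int main(void)
{
    const uint8_t *sid; size_t sid_len;
    printf("ip6 good=%d long=%d short=%d zero=%d\n",
           ip6_walk_options(SAMPLE_IP6_GOOD, sizeof SAMPLE_IP6_GOOD),
           ip6_walk_options(SAMPLE_IP6_LONG, sizeof SAMPLE_IP6_LONG),
           ip6_walk_options(SAMPLE_IP6_SHORT, sizeof SAMPLE_IP6_SHORT),
           ip6_walk_options(SAMPLE_IP6_ZERO, sizeof SAMPLE_IP6_ZERO));
    printf("dhcp6 good=%d serverid_len=%zu\n",
           dhcp6_walk_options(SAMPLE_DHCP6_GOOD, sizeof SAMPLE_DHCP6_GOOD,
                              DHCP6_OPT_SERVERID, &sid, &sid_len), sid_len);
    return 0;
}
```

The design point is that the walker never returns a pointer or length the caller cannot trust: a malformed packet yields -1 and no partial result, and a Server ID or DNS Servers body is handed back with its real length so the consumer decides how much to copy.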
Conclusion
The PixieFail vulnerabilities highlight the necessity for robust security measures in network boot setups. According to the CERT Coordination Center (CERT/CC), the impact and exploitability of these vulnerabilities vary depending on the specific firmware build and default PXE boot configuration. PXE, essential for network booting in enterprise systems, is utilized in both server and desktop environments.
Attackers must be on the same network as the target devices to exploit the PixieFail vulnerabilities. Quarkslab has also provided proof-of-concept (PoC) exploits to aid network administrators in identifying vulnerable devices.
The sources for this article include a story from Eclypsium.