PixieFail: a series of vulnerabilities in the Tianocore EDK2 networking stack


If exploited, these flaws can allow attackers to gain unauthorized access to sensitive information or otherwise disrupt the affected systems.

Security researchers at Quarkslab disclosed in a blog post nine vulnerabilities in UEFI firmware based on the open-source TianoCore EDK2 platform, which is commonly used in server systems.

Named PixieFail, the vulnerabilities lie in the firmware's network stack, which implements network boot (PXE), and can therefore be exploited at the firmware level. Successful exploitation, which is possible during the network boot process, can lead to denial of service, data leaks, remote code execution, DNS cache poisoning and network session hijacking.

About PixieFail

The Quarkslab researchers note that the most dangerous of the vulnerabilities allow an unauthenticated attacker to execute code remotely at the firmware level on systems that allow PXE boot over an IPv6 network.

The less serious vulnerabilities can cause denial of service (a blocked boot), information leaks, DNS cache poisoning and TCP session hijacking. Most of the vulnerabilities can be exploited from the local network, although some can also be attacked from an external network.

"This is usually done in several stages, starting with a minimal program that is downloaded from a network server using a simple protocol, such as TFTP, which then downloads and runs a second boot stage or the full operating system image."

In their blog post, they explain that UEFI firmware based on the TianoCore EDK2 platform is used by many large companies, cloud providers, data centers and computing clusters. In particular, the vulnerable NetworkPkg module, which contains the PXE boot implementation, is used in firmware developed by ARM, Insyde Software, American Megatrends, Phoenix Technologies (SecureCore), Intel, Dell and Microsoft.

The vulnerabilities were also believed to affect the ChromeOS platform, which carries an EDK2 package in its repository, but Google said that this package is not used in the firmware for Chromebooks and that ChromeOS is not affected by the issue.

A typical attack scenario involves monitoring traffic on a local network and sending specially crafted packets when PXE boot activity is detected. No access to the download server or the DHCP server is required. Prototype exploits have been published as a demonstration of the attack technique.

Identified vulnerabilities:

  • CVE-2023-45230: Buffer overflow in the DHCPv6 client code, triggered by a Server ID option that is too long.
  • CVE-2023-45234: Buffer overflow when processing a DNS server option carried in a DHCPv6 Advertise message.
  • CVE-2023-45235: Buffer overflow when processing the Server ID option in DHCPv6 proxy Advertise messages.
  • CVE-2023-45229: Integer underflow when processing the IA_NA/IA_TA options in DHCPv6 Advertise messages.
  • CVE-2023-45231: Out-of-bounds read when processing ND (Neighbor Discovery) Redirect messages with truncated option values.
  • CVE-2023-45232: Infinite loop when parsing unknown options in the IPv6 Destination Options header.
  • CVE-2023-45233: Infinite loop when parsing the PadN option in the packet header.
  • CVE-2023-45236: Use of predictable TCP initial sequence numbers, which makes TCP connection hijacking possible.
  • CVE-2023-45237: Use of a weak pseudorandom number generator that produces predictable values.
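The first seven entries above are all defects in walkers over length-prefixed option lists (DHCPv6 options, Neighbor Discovery options, IPv6 extension-header options): either a declared length is trusted without comparing it to the bytes that remain, or a loop can fail to move forward. The C program below is an added illustration written for this article; it is not EDK2's NetworkPkg code nor Quarkslab's proof of concept, and it does not reproduce the exact flaws. It shows the checks a hardened walker needs: a bounds check on every declared option length, a fixed-size copy that refuses oversized Server IDs instead of overflowing, and an IPv6 option loop that always advances even for a PadN of length zero. The option codes follow RFC 8415 and RFC 8200; the 130-byte DUID cap and the sample packets are assumptions constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* DHCPv6 option codes used below (RFC 8415 numbering). */
#define DHCP6_OPT_CLIENTID 1
#define DHCP6_OPT_SERVERID 2

/* Assumption: a DUID is at most 128 octets plus a 2-byte type code, so a
 * 130-byte buffer is enough for any well-formed Server ID. */
#define MAX_DUID_LEN 130

/* Result of walking a DHCPv6 option list. */
typedef struct {
    int ok;                        /* 1 only if every option fit inside the buffer */
    int option_count;
    uint8_t server_id[MAX_DUID_LEN];
    size_t server_id_len;          /* 0 when absent or rejected */
} dhcp6_scan_t;

static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Walk DHCPv6 options (2-byte code, 2-byte length, data).  Every declared
 * length is checked against the bytes that remain, and the Server ID is
 * copied only if it fits its fixed-size destination. */
dhcp6_scan_t dhcp6_scan_options(const uint8_t *buf, size_t len) {
    dhcp6_scan_t r;
    size_t off = 0;
    memset(&r, 0, sizeof r);
    while (off < len) {
        if (len - off < 4) return r;            /* truncated option header */
        uint16_t code = be16(buf + off);
        uint16_t olen = be16(buf + off + 2);
        off += 4;
        if (olen > len - off) return r;         /* declared length overruns the message */
        if (code == DHCP6_OPT_SERVERID) {
            if (olen == 0 || olen > MAX_DUID_LEN) return r; /* reject, never overflow */
            memcpy(r.server_id, buf + off, olen);
            r.server_id_len = olen;
        }
        off += olen;                            /* always advances by at least 4 bytes */
        r.option_count++;
    }
    r.ok = 1;
    return r;
}

/* Walk the TLV area of an IPv6 Hop-by-Hop or Destination Options header
 * (RFC 8200 section 4.2): Pad1 is a single zero byte with no length field;
 * every other option, PadN (type 1) included, is type, length, data.
 * Returns the number of options or -1 on a malformed list.  Each iteration
 * consumes at least one byte, so the loop cannot spin in place. */
int ipv6_scan_tlv_options(const uint8_t *buf, size_t len) {
    size_t off = 0;
    int count = 0;
    while (off < len) {
        uint8_t type = buf[off];
        if (type == 0) { off += 1; count++; continue; }  /* Pad1 */
        if (len - off < 2) return -1;           /* no room for the length byte */
        uint8_t olen = buf[off + 1];
        if (olen > len - off - 2) return -1;    /* option data overruns the header */
        off += 2 + olen;                        /* PadN with length 0 still advances 2 bytes */
        count++;
    }
    return count;
}

/* Constructed sample inputs (not captured traffic). */
static const uint8_t kDhcp6Good[] = {
    0x00, 0x02, 0x00, 0x04, 'A', 'B', 'C', 'D',   /* Server ID, 4 bytes */
    0x00, 0x01, 0x00, 0x00                        /* Client ID, empty */
};
static const uint8_t kDhcp6Overlong[] = {
    0x00, 0x02, 0x10, 0x00, 'A', 'B', 'C', 'D'    /* claims 4096 bytes, carries 4 */
};
static const uint8_t kIpv6OptsGood[] = { 0x00, 0x01, 0x00, 0x01, 0x02, 0x00, 0x00 }; /* Pad1, PadN(0), PadN(2) */
static const uint8_t kIpv6OptsBad[]  = { 0x01, 0x05, 0x00 };                         /* PadN claims 5, has 1 */

int demo_dhcp6_valid(void) {
    dhcp6_scan_t r = dhcp6_scan_options(kDhcp6Good, sizeof kDhcp6Good);
    return (r.ok && r.server_id_len == 4) ? r.option_count : -1;   /* 2 */
}
int demo_dhcp6_overlong(void) {
    dhcp6_scan_t r = dhcp6_scan_options(kDhcp6Overlong, sizeof kDhcp6Overlong);
    return r.ok ? r.option_count : -1;                              /* -1: rejected */
}
int demo_ipv6_opts_valid(void) { return ipv6_scan_tlv_options(kIpv6OptsGood, sizeof kIpv6OptsGood); } /* 3 */
int demo_ipv6_opts_overrun(void) { return ipv6_scan_tlv_options(kIpv6OptsBad, sizeof kIpv6OptsBad); } /* -1 */

int main(void) {
    printf("dhcp6 good: %d options\n", demo_dhcp6_valid());
    printf("dhcp6 overlong: %d (rejected)\n", demo_dhcp6_overlong());
    printf("ipv6 options good: %d\n", demo_ipv6_opts_valid());
    printf("ipv6 options bad: %d (rejected)\n", demo_ipv6_opts_overrun());
    return 0;
}
```

The two walkers differ in one important detail: DHCPv6 options always carry a 4-byte header, so the loop cannot stall, whereas IPv6 options mix a 1-byte Pad1 with 2-byte-plus-data TLVs, so the code must handle Pad1 explicitly before reading a length byte that is not there. A firmware network stack that parses packets before the operating system is up has no second line of defense, which is why each length comparison is made against the remaining bytes rather than the declared total.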

The vulnerabilities were reported to CERT/CC on August 3, 2023, with disclosure scheduled for November 2. Because a coordinated patch release across multiple vendors was needed, the date was first pushed to December 1, then to December 12 and December 19, 2023, and the details were finally published this January 2024. Microsoft, for its part, asked to postpone publication until May.

Finally, if you want to know more about it, you can consult the details in the following link.

