A set of 9 vulnerabilities, collectively referred to as 'PixieFail,' affect the IPv6 network protocol stack of Tianocore's EDK II, the open-source reference implementation of the UEFI specification that is widely used in enterprise computers and servers.
The issues are present in the PXE network boot process, which is crucial for provisioning operating systems in data centers and high-performance computing environments, and a standard procedure for loading OS images from the network at boot.
The PixieFail flaws were discovered by Quarkslab researchers and have already been disclosed to impacted vendors through a coordinated effort by CERT/CC and CERT-FR.
PixieFail details
The PixieFail vulnerabilities arise from the implementation of IPv6 in the Preboot Execution Environment (PXE), part of the UEFI spec.
PXE enables network booting, and its IPv6 implementation introduces additional protocols, increasing the attack surface.
PixieFail consists of 9 flaws that can be exploited by an attacker on the local network to cause denial of service (DoS), information disclosure, remote code execution (RCE), DNS cache poisoning, and network session hijacking.
Below is a summary of the 9 PixieFail flaws:
- CVE-2023-45229: Improper handling of IA_NA/IA_TA options in DHCPv6 Advertise messages, leading to an integer underflow and potential memory corruption.
- CVE-2023-45230: Problematic handling of long Server ID options in DHCPv6, allowing a buffer overflow and potentially leading to remote code execution or system crashes.
- CVE-2023-45231: Problematic handling of truncated options in Neighbor Discovery (ND) Redirect messages, leading to an out-of-bounds read.
- CVE-2023-45232: Flaw in the IPv6 Destination Options header parsing, where unknown options can trigger an infinite loop, causing a denial of service.
- CVE-2023-45233: Infinite loop issue in parsing the PadN option in the IPv6 Destination Options header.
- CVE-2023-45234: Buffer overflow when handling the DNS Servers option in a DHCPv6 Advertise message.
- CVE-2023-45235: Vulnerability in handling the Server ID option from a DHCPv6 proxy Advertise message, leading to a buffer overflow.
- CVE-2023-45236: The TCP stack in EDK II generates predictable Initial Sequence Numbers, making it susceptible to TCP session hijacking attacks.
- CVE-2023-45237: Use of a weak pseudo-random number generator in the network stack, potentially facilitating various network attacks.
Of the above, the most severe are CVE-2023-45230 and CVE-2023-45235, which allow attackers to perform remote code execution, potentially leading to full system compromise.
Quarkslab has released proof-of-concept (PoC) exploits that allow admins to detect vulnerable devices on their network.
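As an added example (not code from the Quarkslab write-up or from EDK II's NetworkPkg), here is a bounds-checked walker for the IPv6 Destination Options header, the structure behind CVE-2023-45232 and CVE-2023-45233. It shows the two properties a parser of that header has to guarantee: every option length is checked against the declared header length before it is used, and every loop iteration advances the offset by at least one byte, so a zero-length PadN or an unrecognised option cannot stall the parser. The function and type names, the status codes and the sample headers are all constructed for this example; the same discipline of validating each option length against its enclosing buffer is what the DHCPv6 Server ID and DNS Servers option flaws above call for.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Option type codes defined in RFC 8200, section 4.2. */
#define IP6_OPT_PAD1 0x00
#define IP6_OPT_PADN 0x01

typedef enum {
    OPT_OK = 0,
    OPT_ERR_TRUNCATED_HEADER,  /* fewer bytes available than Hdr Ext Len declares */
    OPT_ERR_BAD_OPTION_LENGTH, /* an option's Opt Data Len runs past the header */
    OPT_ERR_UNKNOWN_DISCARD    /* unknown option whose action bits say "discard" */
} OptStatus;

typedef struct {
    size_t option_count;  /* options walked, padding included */
    size_t unknown_count; /* unrecognised options that were skipped */
} OptStats;

/* Walk the TLV options of a Destination Options extension header (hypothetical
   helper). buf points at the first byte of the header (Next Header); len is the
   number of bytes actually present in the packet buffer. */
OptStatus ParseIp6DestOptions(const uint8_t *buf, size_t len, OptStats *stats)
{
    stats->option_count = 0;
    stats->unknown_count = 0;

    /* Hdr Ext Len counts 8-octet units beyond the first 8 octets, so the
       smallest header is 8 bytes; check the field against the bytes received. */
    if (len < 8) {
        return OPT_ERR_TRUNCATED_HEADER;
    }
    size_t hdr_len = ((size_t)buf[1] + 1) * 8;
    if (hdr_len > len) {
        return OPT_ERR_TRUNCATED_HEADER;
    }

    size_t off = 2; /* skip Next Header and Hdr Ext Len */
    while (off < hdr_len) {
        uint8_t type = buf[off];

        if (type == IP6_OPT_PAD1) {
            off += 1; /* Pad1 is a single octet with no length byte */
            stats->option_count++;
            continue;
        }

        /* Every other option carries a type byte and a length byte. */
        if (off + 2 > hdr_len) {
            return OPT_ERR_BAD_OPTION_LENGTH;
        }
        size_t data_len = buf[off + 1];
        if (off + 2 + data_len > hdr_len) {
            return OPT_ERR_BAD_OPTION_LENGTH;
        }

        if (type != IP6_OPT_PADN) {
            /* Unknown option: the two high bits of the type say what to do
               (00 skip, 01 discard, 10/11 discard and report). Anything other
               than "skip" stops processing of this packet. */
            if ((type & 0xC0) != 0x00) {
                return OPT_ERR_UNKNOWN_DISCARD;
            }
            stats->unknown_count++;
        }

        /* Advance by the whole TLV, which is at least 2 bytes even when data_len
           is 0, so every iteration makes progress and the loop cannot spin
           forever on a zero-length PadN or unknown option. */
        off += 2 + data_len;
        stats->option_count++;
    }
    return OPT_OK;
}

/* Constructed sample headers (Next Header = 59, "no next header"). */
static const uint8_t kSamplePadN[] = {0x3B, 0x00, 0x01, 0x04, 0, 0, 0, 0};
static const uint8_t kSampleMixed[] = {0x3B, 0x01, 0x00, 0x1E, 0x02, 0xAA, 0xBB,
                                       0x01, 0x07, 0, 0, 0, 0, 0, 0, 0};
static const uint8_t kSampleZeroLenPadN[] = {0x3B, 0x00, 0x01, 0x00, 0x01, 0x00, 0x01, 0x00};
static const uint8_t kSampleOverlong[] = {0x3B, 0x00, 0x01, 0x10, 0, 0, 0, 0};
static const uint8_t kSampleDiscard[] = {0x3B, 0x00, 0x80, 0x04, 0, 0, 0, 0};

int main(void)
{
    OptStats st;
    OptStatus rc;
    rc = ParseIp6DestOptions(kSamplePadN, sizeof kSamplePadN, &st);
    printf("PadN header:        status %d, %zu option(s)\n", rc, st.option_count);
    rc = ParseIp6DestOptions(kSampleMixed, sizeof kSampleMixed, &st);
    printf("mixed header:       status %d, %zu option(s), %zu unknown\n", rc, st.option_count, st.unknown_count);
    rc = ParseIp6DestOptions(kSampleZeroLenPadN, sizeof kSampleZeroLenPadN, &st);
    printf("zero-length PadN:   status %d, %zu option(s)\n", rc, st.option_count);
    rc = ParseIp6DestOptions(kSampleOverlong, sizeof kSampleOverlong, &st);
    printf("overlong option:    status %d\n", rc);
    rc = ParseIp6DestOptions(kSampleDiscard, sizeof kSampleDiscard, &st);
    printf("discard-class type: status %d\n", rc);
    return 0;
}
```

The zero-length PadN sample is the edge case worth keeping in a regression suite: three back-to-back options with Opt Data Len 0 must terminate after three iterations, and any parser whose advance depends on the data length alone will fail that test.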
Widespread impact
The PixieFail vulnerabilities impact Tianocore's EDK II UEFI implementation and other vendors using its NetworkPkg module, including major tech companies and BIOS providers.
According to Quarkslab, this includes Arm Ltd., Insyde Software, American Megatrends Inc. (AMI), Phoenix Technologies Inc., and Microsoft Corporation. CERT/CC's security advisory also states that Intel is impacted.
Although the EDK2 package is included in ChromeOS's source code tree, Google has specified that it is not used in production Chromebooks and is not impacted by the PixieFail flaws.
The initial disclosure to CERT/CC occurred on August 3, 2023, and the disclosure deadline was set to November 2, 2023, right at the 90-day mark.
Due to the complexity of fixing the issues across multiple vendors, CERT/CC moved the disclosure date several times, initially to December 1, 2023, and then to January 16, 2024.
However, some vendors requested a longer postponement, with Microsoft asking for the target date to be moved to May 2024.
Currently, most vendor patches are in a testing/non-validated state, and Tianocore has provided fixes for the first seven vulnerabilities.