PixieFAIL - vulnerabilities in the UEFI firmware network stack used for PXE boot

Nine vulnerabilities, collectively codenamed PixieFAIL, have been identified in UEFI firmware based on the TianoCore EDK2 open platform, which is widely used on server systems. The vulnerabilities are located in the firmware network stack used for network boot (PXE). The most dangerous of them allow an unauthenticated attacker to execute code remotely at the firmware level on systems that allow PXE booting over an IPv6 network.

The less severe problems result in denial of service (boot blocking), information leakage, DNS cache poisoning, and TCP session hijacking. Most of the vulnerabilities can be exploited from the local network, but some can also be attacked from an external network. A typical attack scenario boils down to monitoring traffic on the local network and sending specially crafted packets when activity related to PXE booting of a system is detected. Access to the boot server or the DHCP server is not required. Prototype exploits have been published to demonstrate the attack technique.

UEFI firmware based on the TianoCore EDK2 platform is used by many large companies, cloud providers, data centers and computing clusters. In particular, the vulnerable NetworkPkg module, which contains the PXE boot implementation, is used in firmware developed by ARM, Insyde Software (InsydeH2O UEFI BIOS), American Megatrends (AMI Aptio OpenEdition), Phoenix Technologies (SecureCore), Intel, Dell and Microsoft (Project Mu). The vulnerabilities were also believed to affect the ChromeOS platform, whose repository contains an EDK2 package, but Google stated that this package is not used in the firmware for Chromebooks and that the ChromeOS platform is not affected.

Identified vulnerabilities:

  • CVE-2023-45230 - Buffer overflow in the DHCPv6 client when handling an overly long Server ID option.
  • CVE-2023-45234 - Buffer overflow when processing the DNS Servers option in a DHCPv6 Advertise message.
  • CVE-2023-45235 - Buffer overflow when processing the Server ID option in a DHCPv6 proxy Advertise message.
  • CVE-2023-45229 - Integer underflow when processing IA_NA/IA_TA options in a DHCPv6 Advertise message.
  • CVE-2023-45231 - Out-of-bounds read when processing ND Redirect (Neighbor Discovery) messages with truncated option values.
  • CVE-2023-45232 - Infinite loop when parsing unknown options in the Destination Options header.
  • CVE-2023-45233 - Infinite loop when parsing the PadN option in the Destination Options header.
  • CVE-2023-45236 - Predictable TCP initial sequence numbers, allowing TCP connection hijacking.
  • CVE-2023-45237 - Use of a weak pseudo-random number generator that produces predictable values.
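The parsing patterns behind the overflow, underflow and infinite-loop entries above, as an added example written for this article in C. It is not EDK2 NetworkPkg code and does not reproduce the vulnerable functions; it walks a DHCPv6 option area (RFC 8415 code/length/data layout) and an IPv6 Destination Options header (RFC 8200) with the checks that the vulnerable code paths lacked. The buffer sizes (MAX_DUID_LEN, MAX_DNS), the status codes and the sample packets are assumptions constructed for the example, not captures.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Added illustration for this article, not EDK2 NetworkPkg code.
 * DHCPv6 options (RFC 8415): code(2) | length(2) | data, big-endian.
 * IPv6 Destination Options (RFC 8200): type(1) | length(1) | data, except Pad1. */
#define OPT_SERVERID     2
#define OPT_IA_NA        3
#define OPT_IA_TA        4
#define OPT_DNS_SERVERS 23
#define MAX_DUID_LEN   130   /* RFC 8415 DUID cap, used here as the fixed buffer size */
#define MAX_DNS          4   /* assumption: keep at most four resolvers */

typedef struct {
    uint8_t  server_id[MAX_DUID_LEN];
    uint16_t server_id_len;
    uint8_t  dns[MAX_DNS][16];
    unsigned dns_count;
} Dhcp6Advertise;

enum { PARSE_OK = 0, PARSE_TRUNCATED = -1, PARSE_TOO_LONG = -2, PARSE_BAD_LEN = -3 };

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Three checks the vulnerable paths lacked: the option header and its declared
 * data must lie inside the packet (otherwise the read runs off the end, as in
 * the ND Redirect bug); data copied into a fixed field is bounded by the
 * destination, not by the attacker's length field (the Server ID and DNS
 * Servers overflows); and a fixed sub-header is checked before 'olen - header'
 * is computed (the IA_NA/IA_TA underflow). */
int dhcp6_parse_options(const uint8_t *opts, size_t len, Dhcp6Advertise *out)
{
    size_t off = 0;
    memset(out, 0, sizeof *out);
    while (off < len) {
        if (len - off < 4) return PARSE_TRUNCATED;
        uint16_t code = rd16(opts + off), olen = rd16(opts + off + 2);
        const uint8_t *data = opts + off + 4;
        if (olen > len - off - 4) return PARSE_TRUNCATED;    /* len - off >= 4, so no wrap */
        switch (code) {
        case OPT_SERVERID:
            if (olen > MAX_DUID_LEN) return PARSE_TOO_LONG;   /* an unchecked memcpy here is the overflow */
            memcpy(out->server_id, data, olen);
            out->server_id_len = olen;
            break;
        case OPT_DNS_SERVERS:
            if (olen % 16 != 0) return PARSE_BAD_LEN;         /* list of 16-byte IPv6 addresses */
            for (uint16_t i = 0; i < olen / 16 && out->dns_count < MAX_DNS; i++)
                memcpy(out->dns[out->dns_count++], data + 16 * i, 16);  /* extras dropped, never written past the array */
            break;
        case OPT_IA_NA: if (olen < 12) return PARSE_BAD_LEN; break;   /* IAID + T1 + T2 */
        case OPT_IA_TA: if (olen <  4) return PARSE_BAD_LEN; break;   /* IAID */
        default: break;                                               /* unknown option: skip by length */
        }
        off += 4u + olen;                                             /* always advances by at least the header */
    }
    return PARSE_OK;
}

/* Destination Options walker.  Pad1 is a single byte; PadN and every other
 * option are type|len|data.  The stride is 2 + len on every non-Pad1 step,
 * so the loop cannot stall on a PadN or an unknown option type. */
int ip6_walk_dest_options(const uint8_t *opts, size_t len, unsigned *count)
{
    size_t off = 0;
    *count = 0;
    while (off < len) {
        if (opts[off] == 0) { off += 1; (*count)++; continue; }     /* Pad1 */
        if (len - off < 2) return PARSE_TRUNCATED;
        uint8_t olen = opts[off + 1];
        if (olen > len - off - 2) return PARSE_TRUNCATED;
        off += 2u + olen;                                           /* PadN (type 1) and unknown types alike */
        (*count)++;
    }
    return PARSE_OK;
}

/* Constructed sample inputs (not captures). */
static const uint8_t kGoodAdvertise[] = {
    0,2, 0,14, 0,1, 0,1, 0x65,0x4a,0x1b,0x00, 0x02,0x42,0xac,0x11,0x00,0x02, /* Server ID: 14-byte DUID-LLT */
    0,23, 0,16, 0x20,0x01,0x0d,0xb8, 0,0,0,0, 0,0,0,0, 0,0,0,0x53,            /* DNS Servers: 2001:db8::53 */
    0,3, 0,12, 0,0,0,1, 0,0,0,0, 0,0,0,0                                      /* IA_NA with no sub-options */
};
static const uint8_t kTruncated[]    = { 0,2, 0,64, 1,2,3,4 };            /* claims 64 data bytes, carries 4 */
static const uint8_t kShortIaNa[]    = { 0,3, 0,8, 0,0,0,1, 0,0,0,0 };    /* IA_NA shorter than its 12-byte header */
static const uint8_t kLongServerId[4 + 200] = { 0,OPT_SERVERID, 0,200 };  /* 200-byte Server ID > MAX_DUID_LEN */
static const uint8_t kDestOpts[]     = { 0, 1,2,0,0, 0x1e,1,0xaa };       /* Pad1, PadN(2), unknown type 0x1e */
static const uint8_t kPadNTrunc[]    = { 1,5,0,0 };                       /* PadN claims 5 bytes, carries 2 */

/* Wrappers returning one value per sample, for callers and tests. */
int dhcp6_status(const uint8_t *p, size_t n) { Dhcp6Advertise a; return dhcp6_parse_options(p, n, &a); }
int dhcp6_server_id_len(const uint8_t *p, size_t n) {
    Dhcp6Advertise a; return dhcp6_parse_options(p, n, &a) == PARSE_OK ? (int)a.server_id_len : -1;
}
int dhcp6_dns_count(const uint8_t *p, size_t n) {
    Dhcp6Advertise a; return dhcp6_parse_options(p, n, &a) == PARSE_OK ? (int)a.dns_count : -1;
}
int ip6_dest_option_count(const uint8_t *p, size_t n) {
    unsigned c; return ip6_walk_dest_options(p, n, &c) == PARSE_OK ? (int)c : -1;
}
```

The point of the wrappers is that every failure mode is a distinct return value rather than a crash or a hang: an oversized Server ID is rejected before any copy, a short IA_NA is rejected before any subtraction, and a truncated PadN stops the walk instead of looping.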

The vulnerabilities were reported to CERT/CC on August 3, 2023, with disclosure scheduled for November 2. Because a coordinated patch release across multiple vendors was needed, the date was first pushed back to December 1, then to December 12 and December 19, 2023; the details were ultimately published on January 16, 2024. Microsoft separately asked to postpone publication until May.

Source: opennet.ru