PixieFAIL - vulnerabilities in the UEFI firmware network stack used for PXE boot

Nine vulnerabilities, collectively named PixieFAIL, have been identified in UEFI firmware based on the open TianoCore EDK2 platform, which is widely used on servers. The vulnerabilities are in the firmware's network stack, which is used to organize network boot (PXE). The most dangerous of them allow an unauthenticated attacker to execute code remotely at the firmware level on systems that allow PXE boot over an IPv6 network.

The less severe problems lead to denial of service (boot blocking), information leakage, DNS cache poisoning, and TCP session hijacking. Most of the vulnerabilities can be exploited from the local network, but some can also be attacked from an external network. A typical attack scenario comes down to monitoring traffic on the local network and sending specially crafted packets when activity related to booting a system via PXE is detected. Access to the boot server or the DHCP server is not required. Prototype exploits have been published to demonstrate the attack technique.

UEFI firmware based on the TianoCore EDK2 platform is used in many large companies, cloud providers, data centers and computing clusters. In particular, the vulnerable NetworkPkg module with the PXE boot implementation is used in firmware developed by ARM, Insyde Software (Insyde H2O UEFI BIOS), American Megatrends (AMI Aptio OpenEdition), Phoenix Technologies (SecureCore), Intel, Dell and Microsoft (Project Mu). The vulnerabilities were also believed to affect the ChromeOS platform, which has the EDK2 package in its repository, but Google stated that this package is not used in Chromebook firmware and that the ChromeOS platform is not affected by the problem.

Identified vulnerabilities:

  • CVE-2023-45230 - Buffer overflow in the DHCPv6 client code, exploitable by passing an overly long server ID (Server ID option).
  • CVE-2023-45234 - Buffer overflow when processing an option with DNS server parameters passed in a message advertising the presence of a DHCPv6 server.
  • CVE-2023-45235 - Buffer overflow when processing the Server ID option in DHCPv6 advertisement messages.
  • CVE-2023-45229 - Integer underflow when processing IA_NA/IA_TA options in DHCPv6 messages advertising a DHCP server.
  • CVE-2023-45231 - Out-of-bounds data leak when processing ND Redirect (Neighbor Discovery) messages with truncated options.
  • CVE-2023-45232 - Infinite loop when parsing unknown options in the Destination Options header.
  • CVE-2023-45233 - Infinite loop when parsing the PadN option in the packet header.
  • CVE-2023-45236 - Use of predictable TCP sequence seeds, which allows a TCP connection to be hijacked.
  • CVE-2023-45237 - Use of an unreliable pseudo-random number generator that produces predictable values.
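The Server ID overflows listed above (CVE-2023-45230, CVE-2023-45235) come down to trusting a length field taken from the wire. The following is an added example, not EDK2 code and not from the original article: a bounds-checked DHCPv6 option walk that rejects an over-long or truncated Server ID. All function and constant names are hypothetical, the sample packet is constructed, and the 130-byte limit is the DUID maximum from RFC 8415.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define DHCP6_OPT_SERVERID 2    /* OPTION_SERVERID (RFC 8415) */
#define DUID_MAX_LEN       130  /* 2-byte DUID type + at most 128 bytes */
enum { SID_OK = 0, SID_MISSING = -1, SID_TRUNCATED = -2, SID_TOO_LONG = -3 };

/* Walk the option TLVs of a DHCPv6 message and copy the Server ID into
 * out[DUID_MAX_LEN]. Every length read from the wire is checked against
 * the bytes left in the packet and against the destination size. */
static int extract_server_id(const uint8_t *msg, size_t msg_len,
                             uint8_t out[DUID_MAX_LEN], size_t *out_len)
{
    size_t off = 4;                      /* msg-type (1) + transaction-id (3) */
    if (msg_len < off) return SID_TRUNCATED;
    while (off < msg_len) {
        if (msg_len - off < 4) return SID_TRUNCATED;    /* partial option header */
        uint16_t code = (uint16_t)(msg[off] << 8 | msg[off + 1]);
        uint16_t len  = (uint16_t)(msg[off + 2] << 8 | msg[off + 3]);
        off += 4;
        if (len > msg_len - off) return SID_TRUNCATED;  /* claims more than received */
        if (code == DHCP6_OPT_SERVERID) {
            if (len > DUID_MAX_LEN) return SID_TOO_LONG; /* would overrun out[] */
            memcpy(out, msg + off, len);
            *out_len = len;
            return SID_OK;
        }
        off += len;                      /* skip options not handled here */
    }
    return SID_MISSING;
}

/* Constructed sample: an Advertise (type 2) with a 2-byte Client ID and a
 * Server ID declaring sid_len bytes, of which only `sent` are on the wire. */
static int run_sample(uint16_t sid_len, uint16_t sent)
{
    uint8_t pkt[1024] = { 2, 0xaa, 0xbb, 0xcc, 0, 1, 0, 2, 0, 3,
                          0, DHCP6_OPT_SERVERID, sid_len >> 8, sid_len & 0xff };
    uint8_t duid[DUID_MAX_LEN];
    size_t duid_len = 0, n = 14;
    if (sent > sizeof pkt - n) sent = (uint16_t)(sizeof pkt - n);
    memset(pkt + n, 0x41, sent);
    return extract_server_id(pkt, n + sent, duid, &duid_len);
}

int main(void)
{
    printf("%d %d %d\n", run_sample(14, 14), run_sample(400, 400), run_sample(64, 10));
    return 0;
}
```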

The vulnerabilities were reported to CERT/CC on August 3, 2023, and the disclosure date was set for November 2. However, because a coordinated patch release across multiple vendors was needed, the release date was moved to December 1, then pushed back again to December 12 and December 19, 2023, and the details were finally disclosed on January 16, 2024. At the same time, Microsoft asked to delay publication of the information until May.

Source: opennet.ru
