PixieFAIL - a series of vulnerabilities in the UEFI firmware network stack used for PXE boot

Nine vulnerabilities have been identified in UEFI firmware based on the open TianoCore EDK2 platform, which is commonly used in server systems; the set is collectively named PixieFAIL. The vulnerabilities are in the firmware's network stack, which is used to organize network boot (PXE). The most dangerous of them allow an unauthenticated attacker to execute code remotely at the firmware level on systems that allow PXE boot over an IPv6 network.

The less severe problems lead to denial of service (blocking boot), information leakage, DNS cache poisoning, and TCP session hijacking. Most of the vulnerabilities can be exploited from the local network, but some can also be attacked from an external network. A typical attack scenario comes down to monitoring traffic on the local network and sending specially crafted packets when activity related to booting a system via PXE is detected. Access to the download server or the DHCP server is not required. Prototype exploits have been published to demonstrate the attack technique.

UEFI firmware based on the TianoCore EDK2 platform is used in many large companies, cloud providers, data centers and computing clusters. In particular, the vulnerable NetworkPkg module with the PXE boot implementation is used in firmware developed by ARM, Insyde Software (Insyde H2O UEFI BIOS), American Megatrends (AMI Aptio OpenEdition), Phoenix Technologies (SecureCore), Intel, Dell and Microsoft (Project Mu). The vulnerabilities were also believed to affect the ChromeOS platform, which has the EDK2 package in its repository, but Google said that this package is not used in Chromebook firmware and that the ChromeOS platform is not affected by the problem.

Identified vulnerabilities:

  • CVE-2023-45230 - Buffer overflow in the DHCPv6 client code, exploited by passing a Server ID (the Server ID option).
  • CVE-2023-45234 - Buffer overflow that occurs when processing an option with DNS server parameters passed in a message announcing the presence of a DHCPv6 server.
  • CVE-2023-45235 - Buffer overflow when processing the Server ID option in DHCPv6 proxy announcement messages.
  • CVE-2023-45229 - Integer underflow that occurs while processing IA_NA/IA_TA options in DHCPv6 messages advertising a DHCP server.
  • CVE-2023-45231 - Out-of-bounds data leak that occurs when processing ND Redirect (Neighbor Discovery) messages with truncated option values.
  • CVE-2023-45232 - Infinite loop that occurs when parsing unknown options in the Destination Options header.
  • CVE-2023-45233 - Infinite loop that occurs when parsing the PadN option in the packet header.
  • CVE-2023-45236 - Use of predictable TCP sequence seeds, which allows an attacker to wedge into a TCP connection.
  • CVE-2023-45237 - Use of an unreliable pseudo-random number generator that produces predictable values.
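The Server ID and DNS server overflows listed above belong to the same class: an option length taken from the packet is used for a copy without being checked. The following added example (not EDK2 code and not from the original article) shows a bounds-checked DHCPv6 option walker; the struct, function name and `MAX_DNS` capacity are hypothetical, while the option codes and the DUID size limit come from RFC 8415 and RFC 3646.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define OPT_SERVERID    2    /* RFC 8415 OPTION_SERVERID */
#define OPT_DNS_SERVERS 23   /* RFC 3646 OPTION_DNS_SERVERS */
#define MAX_DUID_OPT    130  /* 2-octet DUID type + at most 128 octets (RFC 8415) */
#define MAX_DNS         4    /* capacity chosen for this example (assumption) */

struct dhcp6_info {          /* hypothetical destination structure */
    uint8_t server_id[MAX_DUID_OPT];
    size_t  server_id_len;
    uint8_t dns[MAX_DNS][16];
    size_t  dns_count;
};

/* Walk the option area of a DHCPv6 message. Returns 0 on success, -1 if any
 * option is truncated, oversized or malformed. Nothing is copied before its
 * length has been checked against both the packet and the destination. */
int dhcp6_parse_options(const uint8_t *buf, size_t len, struct dhcp6_info *out)
{
    size_t off = 0;
    memset(out, 0, sizeof *out);
    while (off < len) {
        if (len - off < 4) return -1;          /* truncated option header */
        uint16_t code = (uint16_t)(buf[off] << 8 | buf[off + 1]);
        uint16_t olen = (uint16_t)(buf[off + 2] << 8 | buf[off + 3]);
        off += 4;
        if (olen > len - off) return -1;       /* declared length overruns packet */
        const uint8_t *data = buf + off;
        if (code == OPT_SERVERID) {
            /* DUID needs its 2-octet type plus at least 1 octet, and must fit */
            if (olen < 3 || olen > sizeof out->server_id) return -1;
            memcpy(out->server_id, data, olen);
            out->server_id_len = olen;
        } else if (code == OPT_DNS_SERVERS) {
            if (olen % 16 != 0) return -1;     /* must be whole IPv6 addresses */
            size_t n = olen / 16;
            if (n > MAX_DNS) n = MAX_DNS;      /* keep only what fits */
            memcpy(out->dns, data, n * 16);
            out->dns_count = n;
        }                                      /* unknown options are skipped */
        off += olen;                           /* header already consumed: always advances */
    }
    return 0;
}
```

Because the offset moves past the 4-octet header before any option-specific handling, an unknown or zero-length option cannot stall the loop.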

The vulnerabilities were reported to CERT/CC on August 3, 2023, and disclosure was scheduled for November 2. However, because of the need for a coordinated patch release across many vendors, the release date was first postponed to December 1, then to December 12 and December 19, 2023, and the details were finally disclosed on January 16, 2024. At the same time, Microsoft asked for publication of the information to be postponed until May.

Source: opennet.ru
