Pierluigi Paganini January 18, 2024

Experts found multiple flaws, collectively named PixieFail, in the network protocol stack of an open-source reference implementation of the UEFI.

Quarkslab researchers discovered nine vulnerabilities, collectively tracked as e PixieFAIL, affecting the IPv6 network protocol stack of EDK II, TianoCore’s open source reference implementation of UEFI.

Unified Extensible Firmware Interface (UEFI) is a specification that defines the architecture of the platform firmware used for booting the computer hardware and its interface for interaction with the operating system. Examples of firmware that implement the specification are AMI Aptio, Phoenix SecureCore, TianoCore EDK II, InsydeH2O.

The researchers discovered the vulnerabilities while analyzing NetworkPkg, Tianocore’s EDK II PXE implementation. The severity and potential for exploitation of these flaws vary based on the particular firmware build and the default PXE boot configuration.

PixieFail issues can be exploited to achieve remote code execution and leakage of sensitive information, and carry out denial-of-service (DoS), and network session hijacking attacks.

NetworkPkg is a set of modules that implements networking capabilities within the UEFI environment. The NetworkPkg in UEFI may include modules that facilitate the initialization and management of network-related functions during the pre-boot phase. This can involve protocols for interacting with network devices, such as the Preboot eXecution Environment (PXE) protocol used for network booting.

“In order to boot from the network, a client system must be able to locate, download, and execute code that sets up, configures, and runs the operating system. This is usually done in several stages, starting with a minimal program that is downloaded from a network server using a simple protocol, such as TFTP, which then downloads and runs a second booting stage or the full operating system image.” reads the advisory. “To locate this minimal program, called Network Bootstrap Program (NBP), the PXE client relies on a DHCP server to both obtain the configuration parameters to configure its network interface with a valid IP address and to receive a list of Boot Servers to query for the NBP file. Since the DHCP server must provide such a list and other special parameters, the PXE client has to send some mandatory PXE-releated DHCP Options, consequently, the DHCP server must be “PXE enabled”, i.e. configured appropriately to recognize PXE client options and to reply with the proper DHCP server options. “

Below is the list of PixieFAIL flaws discovered by the experts:

• CVE-2023-45229 – Integer underflow when processing IA_NA/IA_TA options in a DHCPv6 Advertise message
• CVE-2023-45230 – Buffer overflow in the DHCPv6 client via a long Server ID option
• CVE-2023-45231  – Out-of-bounds read when handling a ND Redirect message with truncated options
• CVE-2023-45232 – Infinite loop when parsing unknown options in the Destination Options header
• CVE-2023-45233 – Infinite loop when parsing a PadN option in the Destination Options header
• CVE-2023-45234 – Buffer overflow when processing DNS Servers option in a DHCPv6 Advertise message
• CVE-2023-45235 – Buffer overflow when handling Server ID option from a DHCPv6 proxy Advertise message
• CVE-2023-45236 – Predictable TCP Initial Sequence Numbers
• CVE-2023-45237 – Use of a weak pseudorandom number generator

The CERT Coordination Center (CERT/CC) also published an advisory about these vulnerabilities.

“An attacker within the local network (and, in certain scenarios remotely) could exploit these weaknesses to execute remote code, initiate DoS attacks, conduct DNS cache poisoning, or extract sensitive information.” states CERT/CC.

CERT/CC also published Vulnerability Note VU#132380 with a comprehensive list of affected vendors, and guidance to mitigate the issues.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Google TAG)