Devs Scramble To Fix Nine PixieFAIL Firmware Security Flaws, What You Should Know

This week, researchers publicly disclosed nine security vulnerabilities in TianoCore’s EDK II, the open-source reference implementation of UEFI that many firmware vendors build on. While this may sound like super technical speak, these vulnerabilities, known collectively as PixieFAIL, can be simplified to their effects, which include denial of service, information leakage, remote code execution, and network session hijacking.

Network booting is a fairly standard feature of computers, and you may notice it when starting up your computer at work or at home. Before your operating system of choice loads, you may see a screen flash saying something about “PXE Booting,” and it may even require a keypress to skip. This is the Preboot Execution Environment (PXE), pronounced “pixie,” which is where the name of the flaws comes from. It lets a computer ask the network, via DHCP, for an address and the location of a boot image, then download and run that image instead of booting from a local disk. Normally, it is a handy way to provision infrastructure or reimage devices over the network.

TianoCore’s EDK II is an open-source implementation of the Unified Extensible Firmware Interface (UEFI) specification, and its NetworkPkg provides both IPv4- and IPv6-based PXE. Researchers at Quarkslab dug into the IPv6 side of that network stack and found nine vulnerabilities that affect firmware built on it, including products from Arm Ltd., Insyde Software, Intel, American Megatrends Inc., Phoenix Technologies Inc., and Microsoft Corporation. Depending on the bug, these can be triggered by an attacker on the same local network or, in some cases, remotely, and can lead to “denial of service, information leakage, remote code execution, DNS cache poisoning, and network session hijacking.” The full list, also published online, is:

  • CVE-2023-45229: Integer underflow when processing a DHCPv6 Advertise message.
  • CVE-2023-45230: Buffer overflow in the DHCPv6 client.
  • CVE-2023-45231: Out-of-bounds read in Ip6ProcessRedirect.
  • CVE-2023-45232: Infinite loop in Ip6IsExtsValid.
  • CVE-2023-45233: Infinite loop in Ip6IsOptionValid.
  • CVE-2023-45234: Buffer overflow with the DNS Servers option in a DHCPv6 Advertise message.
  • CVE-2023-45235: Buffer overflow with the Server ID option in a DHCPv6 proxy Advertise message.
  • CVE-2023-45236: Predictable TCP Initial Sequence Numbers (ISNs).
  • CVE-2023-45237: Weak pseudorandom number generator.

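Three of the entries above (the integer underflow on an Advertise message and the two buffer overflows via the Server ID and DNS Servers options) are the same mistake from different angles: trusting the length field an attacker put in a DHCPv6 option. The following is a constructed illustration added here, not EDK II’s code and not the PixieFAIL patches: a bounds-checked option walker for a DHCPv6 Advertise message, with comments marking where each bug class would live if the check were missing. The message layout follows RFC 8415; the fixed buffer sizes, the `MAX_DNS` slot count, and the sample packets are assumptions made for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Constructed illustration of the DHCPv6 option-parsing bug classes named in the
 * PixieFAIL list (integer underflow, fixed-buffer overflow). Not EDK II code.
 * DHCPv6 message: msg-type (1), transaction-id (3), then options; each option is
 * code (2), length (2), data, all big-endian (RFC 8415). */
#define DHCPV6_ADVERTISE  2
#define OPT_SERVERID      2
#define OPT_IA_NA         3
#define OPT_DNS_SERVERS   23
#define IA_NA_HDR_LEN     12   /* IAID + T1 + T2 precede any inner options */
#define MAX_DUID          130  /* RFC 8415 upper bound on a DUID */
#define MAX_DNS           4    /* slots in our client structure (assumption) */

enum parse_result { PARSE_OK = 0, PARSE_BAD_TYPE, PARSE_TRUNCATED, PARSE_OPT_TOO_LONG };

struct advertise {
    uint8_t server_id[MAX_DUID];
    size_t  server_id_len;
    uint8_t dns[MAX_DNS][16];
    size_t  dns_count;
    int     have_ia_na;
};

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* The unchecked computation behind the underflow class: an IA_NA option shorter
 * than its 12-byte header yields a huge "inner options" length, which a caller
 * would then use to walk far past the end of the packet. */
size_t naive_ia_na_inner_len(uint16_t olen) { return (size_t)olen - IA_NA_HDR_LEN; }

enum parse_result parse_advertise(const uint8_t *msg, size_t len, struct advertise *out)
{
    memset(out, 0, sizeof *out);
    if (len < 4 || msg[0] != DHCPV6_ADVERTISE) return PARSE_BAD_TYPE;
    size_t off = 4;
    while (off < len) {
        if (len - off < 4) return PARSE_TRUNCATED;      /* full option header present? */
        uint16_t code = rd16(msg + off), olen = rd16(msg + off + 2);
        off += 4;
        if (olen > len - off) return PARSE_TRUNCATED;   /* declared length fits the packet? */
        const uint8_t *data = msg + off;
        switch (code) {
        case OPT_SERVERID:
            /* memcpy of an attacker-chosen olen into server_id without this check
             * is the fixed-buffer overflow class. */
            if (olen > MAX_DUID) return PARSE_OPT_TOO_LONG;
            memcpy(out->server_id, data, olen);
            out->server_id_len = olen;
            break;
        case OPT_IA_NA:
            /* Reject before anything computes olen - 12. */
            if (olen < IA_NA_HDR_LEN) return PARSE_TRUNCATED;
            out->have_ia_na = 1;
            break;
        case OPT_DNS_SERVERS: {
            /* A list of 16-byte IPv6 addresses; bound the count, not just the bytes. */
            if (olen % 16 != 0) return PARSE_TRUNCATED;
            size_t n = olen / 16;
            if (n > MAX_DNS) return PARSE_OPT_TOO_LONG;
            memcpy(out->dns, data, olen);
            out->dns_count = n;
            break;
        }
        default:
            break;                                      /* unknown options are skipped */
        }
        off += olen;
    }
    return PARSE_OK;
}

/* Constructed, well-formed Advertise: Server ID (10-byte DUID-LL), IA_NA with a
 * 12-byte header and no inner options, and one DNS server, 2001:db8::1. */
const uint8_t SAMPLE_OK[] = {
    0x02, 0x00, 0x01, 0x02,
    0x00, 0x02, 0x00, 0x0a, 0x00, 0x03, 0x00, 0x01, 0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff,
    0x00, 0x03, 0x00, 0x0c, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x0e, 0x10, 0x00, 0x00, 0x15, 0x18,
    0x00, 0x17, 0x00, 0x10, 0x20, 0x01, 0x0d, 0xb8, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0x01,
};

/* Constructed malformed Advertise: the IA_NA option claims only 4 bytes of data. */
const uint8_t SAMPLE_SHORT_IA_NA[] = {
    0x02, 0x00, 0x01, 0x03,
    0x00, 0x03, 0x00, 0x04, 0x00, 0x00, 0x00, 0x01,
};

/* Build an Advertise whose Server ID option declares claimed_len bytes but actually
 * carries actual_len bytes of filler, then parse it. */
enum parse_result try_server_id(uint16_t actual_len, uint16_t claimed_len)
{
    static uint8_t buf[8 + 65535];
    struct advertise adv;
    buf[0] = DHCPV6_ADVERTISE; buf[1] = buf[2] = buf[3] = 0;
    buf[4] = 0x00; buf[5] = OPT_SERVERID;
    buf[6] = (uint8_t)(claimed_len >> 8); buf[7] = (uint8_t)claimed_len;
    memset(buf + 8, 0x41, actual_len);
    return parse_advertise(buf, 8 + (size_t)actual_len, &adv);
}

int main(void)
{
    struct advertise adv;
    printf("well-formed: %d\n", parse_advertise(SAMPLE_OK, sizeof SAMPLE_OK, &adv));
    printf("short IA_NA: %d\n", parse_advertise(SAMPLE_SHORT_IA_NA, sizeof SAMPLE_SHORT_IA_NA, &adv));
    printf("Server ID 200 declared, 10 present: %d\n", try_server_id(10, 200));
    printf("Server ID 200 declared, 200 present: %d\n", try_server_id(200, 200));
    return 0;
}
```

The two comparisons worth copying are the ones done against what remains in the packet (`len - off`) rather than against the option’s own length, since `len - off` cannot underflow at that point, and the check on the option’s length before it is subtracted from or copied into anything fixed-size. A Server ID that is longer than the packet is caught as truncated; one that fits the packet but not the buffer is caught as too long; an IA_NA shorter than its header is rejected before the `olen - 12` that `naive_ia_na_inner_len` shows wrapping.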
These bugs sit in code that only runs while the firmware is trying to boot from the network, and most of them require an attacker on the same network segment who can answer the firmware’s DHCPv6 and IPv6 traffic, so they are not necessarily of concern to the average person at home. They should be a consideration for anyone relying on PXE in an office or data center, though, and companies are now working to patch the issues. The fix has been a long time coming: Quarkslab sent its initial report at the start of August last year, which was followed by a series of delays and pushbacks from the companies handling the issues, so sadly public disclosure slipped out of 2023. The report and proof-of-concept programs are now available online, which should light a fire under companies whose patches are still in testing. Until updated firmware arrives, disabling network boot in the firmware setup on machines that do not need it, or at least its IPv6 variant, keeps the affected code from being reached.

Perhaps we will also see this family of vulnerabilities presented at RSA Conference, Black Hat, DEF CON, or other security conferences, which are not all that far away. In any event, it will certainly be interesting to see how updates and information unfold, so stay tuned to the Quarkslab report and HotHardware for any major updates.