A collection of security vulnerabilities found within the de facto open source implementation of the UEFI specification could expose systems to a range of threats, from remote code execution and denial-of-service to data leakage and DNS cache poisoning.
The flaws - collectively referred to as PixieFail by researchers with French cybersecurity firm Quarkslab - were found in the network stack of the TianoCore EFI Development Kit II and can be exploited by threat actors during a network boot process.
NetworkPkg is the TCP/IP stack in EDK II, which is maintained by TianoCore, a community of software developers, and available on GitHub.
The researchers noted that network booting is a common feature in enterprise computers and servers, and that using it to load an OS image from the network at boot time is widespread in data centers and high-performance computing clusters that can have hundreds or thousands of compute nodes.
The nodes need to be provisioned with the same OS and software configuration, so downloading and running the OS from central servers makes management easier.
In a report last year, Quarkslab showed that a bug with minimal capabilities could, in the right context, allow bad actors to gain RCE, so the researchers decided to look for UEFI flaws that could be triggered remotely and open systems up to exploitation and persistence.
Not only do TianoCore's EDK II and its NetworkPkg PXE stack contain the vulnerable module; vendors that build on it include Arm in its reference solutions, Microsoft's Project Mu (a modular adaptation of EDK II), Insyde Software, Phoenix Technologies, and American Megatrends.
The CERT Coordination Center, in a vulnerability note, included a more exhaustive list of vendors affected by the flaws, along with recommendations for deploying fixes and mitigations.
John Gallagher, vice president of Viakoo Labs, pointed to warnings from the National Security Agency last year about the BlackLotus malware targeting UEFI Secure Boot.
The nine bugs found by Quarkslab span several weakness classes, including buffer overflows, out-of-bounds reads, infinite loops, and a weak pseudorandom number generator.
This Cyber News was published on securityboulevard.com. Publication date: Thu, 18 Jan 2024 19:13:05 +0000