A set of nine vulnerabilities, collectively called 'PixieFail,' impact the IPv6 network protocol stack of Tianocore's EDK II, the open-source reference implementation of the UEFI specification widely used in enterprise computers and servers.
The flaws are in the PXE network boot process, the standard procedure for loading an OS image from the network at boot, which data centers and high-performance computing environments rely on to provision operating systems.
The PixieFail flaws were discovered by Quarkslab researchers and have already been disclosed to impacted vendors via a coordinated effort by CERT/CC and CERT-FR.
PixieFail details
The PixieFail vulnerabilities arise from the IPv6 implementation of the Preboot Execution Environment (PXE), which is part of the UEFI specification.
PXE enables network booting, and supporting it over IPv6 pulls additional protocols into the firmware network stack (DHCPv6, ICMPv6 Neighbor Discovery and TCP, as the flaws below show), which enlarges the attack surface that is exposed before any operating system has loaded.
PixieFail consists of nine flaws that an attacker on the same local network segment can exploit, without authentication, to cause denial of service, information disclosure, remote code execution, DNS cache poisoning, and network session hijacking.
CVE-2023-45229: Improper handling of IA_NA/IA_TA options in DHCPv6 Advertise messages, where the option length is trusted and an integer underflow in the computed length leads to an out-of-bounds read.
CVE-2023-45230: Problematic handling of long Server ID options in DHCPv6, allowing for buffer overflow and potentially leading to remote code execution or system crashes.
CVE-2023-45231: Problematic handling of truncated options in Neighbor Discovery Redirect messages, leading to an out-of-bounds read.
CVE-2023-45232: Flaw in the IPv6 Destination Options header parsing, where unknown options can trigger an infinite loop, causing a denial of service.
CVE-2023-45233: Infinite loop issue in parsing the PadN option in the IPv6 Destination Options header.
CVE-2023-45234: Buffer overflow problem when handling the DNS Servers option in a DHCPv6 Advertise message.
CVE-2023-45235: Vulnerability in handling the Server ID option from a DHCPv6 proxy Advertise message, leading to a buffer overflow.
CVE-2023-45236: The TCP stack in EDK II generates predictable Initial Sequence Numbers, making it susceptible to TCP session hijacking attacks.
CVE-2023-45237: Use of a weak pseudo-random number generator in the network stack, potentially facilitating various network attacks.
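The two Destination Options entries above (CVE-2023-45232 and CVE-2023-45233) are one bug class: an option walker that can stop making progress. The following is an added example, not Quarkslab's or TianoCore's code, contrasting an illustrative vulnerable walker with a hardened one on constructed option bytes. The specific stall mechanism shown (an 8-bit advance that wraps to zero for a Length byte of 0xFE) is an assumption for illustration; EDK II's exact arithmetic is not reproduced. Only the option area of the header is modelled, and the demo-only `max_iters` cap exists so the vulnerable walker returns instead of hanging.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IP6_OPT_PAD1 0x00
#define IP6_OPT_PADN 0x01

/* Vulnerable walker (illustrative, not EDK II code). The advance over an option
 * is computed in an 8-bit type, so a Length byte of 0xFE gives 0xFE + 2 = 0x100,
 * which truncates to 0 and the offset never moves. max_iters is a demo-only cap
 * so the example terminates; -1 means the walker would have spun forever. */
int walk_dest_opts_vulnerable(const uint8_t *opts, size_t opts_len, unsigned max_iters)
{
    size_t offset = 0;
    int count = 0;
    for (unsigned iters = 0; offset < opts_len; iters++) {
        if (iters >= max_iters)
            return -1;
        if (opts[offset] == IP6_OPT_PAD1) { offset++; continue; }  /* Pad1: one byte */
        if (offset + 1 >= opts_len)
            return -2;                           /* Length byte missing */
        /* BUG: 2 + Length in a UINT8 can wrap to 0; the body is also never
         * checked against the bytes that remain. */
        offset += (uint8_t)(opts[offset + 1] + 2);
        count++;
    }
    return count;
}

/* Hardened walker: every iteration advances by at least one byte or rejects the
 * header, and each option body is bounds-checked before it is skipped. Returns
 * the number of TLV options, or -1 for a malformed or must-discard header. All
 * non-pad types are treated as unrecognised; a real stack dispatches the types
 * it implements before applying the action bits. */
int walk_dest_opts_hardened(const uint8_t *opts, size_t opts_len)
{
    size_t offset = 0;
    int count = 0;
    while (offset < opts_len) {
        uint8_t type = opts[offset];
        if (type == IP6_OPT_PAD1) { offset++; continue; }
        if (opts_len - offset < 2)
            return -1;                           /* no room for Type + Length */
        size_t advance = 2 + (size_t)opts[offset + 1];   /* size_t: cannot wrap */
        if (advance > opts_len - offset)
            return -1;                           /* body runs past the header */
        /* RFC 8200 4.2: the high two bits of an unrecognised Type select skip (00)
         * or discard (01/10/11); the ICMPv6 Parameter Problem is not modelled. */
        if (type != IP6_OPT_PADN && (type >> 6) != 0)
            return -1;
        offset += advance;
        count++;
    }
    return count;
}

/* Constructed samples (not captured traffic). Only the option area of the header
 * is modelled; Hdr Ext Len is assumed already checked against the packet length. */
static const uint8_t benign_opts[] = {
    0x00,                                    /* Pad1 */
    0x01, 0x04, 0x00, 0x00, 0x00, 0x00,      /* PadN with 4 padding bytes */
    0x1E, 0x02, 0xAB, 0xCD                   /* unknown type 0x1E, action 00 = skip */
};
static const uint8_t truncated_opts[] = { 0x1E, 0x10, 0x01 };  /* claims 16 bytes, has 1 */
static const uint8_t discard_opts[]   = { 0x81, 0x00 };        /* action bits 10 = discard */

/* Crafted option: unknown type 0x1E, Length 0xFE, 254 body bytes, so 2 + 0xFE = 256. */
static size_t build_spin_opts(uint8_t *buf, size_t cap)
{
    if (cap < 256) return 0;
    memset(buf, 0x41, 256);
    buf[0] = 0x1E;
    buf[1] = 0xFE;
    return 256;
}

int demo_spin_vulnerable(void)
{
    uint8_t buf[256];
    size_t n = build_spin_opts(buf, sizeof buf);
    return walk_dest_opts_vulnerable(buf, n, 10000);     /* -1: stuck at offset 0 */
}

int demo_spin_hardened(void)
{
    uint8_t buf[256];
    size_t n = build_spin_opts(buf, sizeof buf);
    return walk_dest_opts_hardened(buf, n);              /* 1: well formed, terminates */
}

int demo_benign(void)    { return walk_dest_opts_hardened(benign_opts, sizeof benign_opts); }   /* 2 */
int demo_truncated_vulnerable(void) { return walk_dest_opts_vulnerable(truncated_opts, sizeof truncated_opts, 100); } /* 1: overran */
int demo_truncated_hardened(void)   { return walk_dest_opts_hardened(truncated_opts, sizeof truncated_opts); }        /* -1 */
int demo_discard(void)   { return walk_dest_opts_hardened(discard_opts, sizeof discard_opts); } /* -1 */

int main(void)
{
    printf("crafted:   vulnerable=%d hardened=%d\n", demo_spin_vulnerable(), demo_spin_hardened());
    printf("truncated: vulnerable=%d hardened=%d\n", demo_truncated_vulnerable(), demo_truncated_hardened());
    printf("benign=%d discard=%d\n", demo_benign(), demo_discard());
    return 0;
}
```

The crafted 256-byte option is well formed, so the hardened walker accepts it and terminates; the property that matters is that the advance is computed in a type wide enough to never be zero and is compared with the bytes remaining before the offset moves. The truncated case shows the second half of the fix: the vulnerable walker silently steps past the end of the header, which in a real stack becomes the out-of-bounds read described for the Neighbor Discovery entry.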
Of the above, the most severe are CVE-2023-45230 and CVE-2023-45235. Both are buffer overflows in the DHCPv6 client's handling of the Server ID option, so an attacker on the same link who answers a booting host's DHCPv6 Solicit can attempt remote code execution in the firmware, before any operating system loads, possibly leading to complete system compromise.
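The two severe bugs, and the IA_NA underflow (CVE-2023-45229), are all cases of trusting a DHCPv6 option length. The following is an added example, not EDK II or Quarkslab code: a bounds-checked parser for the Advertise options involved, beside a deliberately vulnerable Server ID copy. The `struct lease` layout, the `DUID_MAX` buffer size and the message bytes are constructed for the demo; the canary field only makes the overrun observable in place of whatever really follows the buffer in a firmware image.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define DHCP6_ADVERTISE    2    /* RFC 8415 msg-type and option codes */
#define DHCP6_OPT_SERVERID 2
#define DHCP6_OPT_IA_NA    3
#define DHCP6_OPT_IAADDR   5
#define IA_NA_HDR_LEN      12   /* IAID + T1 + T2 precede the IA_NA sub-options */
#define IAADDR_HDR_LEN     24   /* address + preferred + valid lifetime */
#define DUID_MAX           128  /* assumed client-side buffer size, not EDK II's */

struct lease {
    uint8_t duid[DUID_MAX];
    uint8_t canary[16];         /* stands in for whatever sits after the DUID buffer */
    size_t  duid_len;
    uint8_t addr[16];
    int     have_addr;
};

enum { OK = 0, E_TRUNC = -1, E_IA_NA_SHORT = -2, E_DUID_LONG = -3, E_NOT_ADV = -4 };
static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Bug class of CVE-2023-45230/45234/45235: option data copied into a fixed buffer
 * on the strength of option-len. Deliberately wrong ('before' form). Returns 1 if
 * the canary was clobbered; callers keep len <= DUID_MAX + 16 to stay in-struct. */
int copy_server_id_vulnerable(struct lease *l, const uint8_t *data, uint16_t len)
{
    uint8_t *dst = (uint8_t *)l + offsetof(struct lease, duid);
    for (uint16_t i = 0; i < len; i++)
        dst[i] = data[i];                          /* no check against DUID_MAX */
    l->duid_len = len;
    for (size_t i = 0; i < sizeof l->canary; i++) if (l->canary[i] != 0xC5) return 1;
    return 0;
}

/* Hardened Advertise parser: each length is checked against the bytes that
 * remain before it is used, and fixed buffers bound what is copied. */
int parse_advertise_hardened(const uint8_t *msg, size_t len, struct lease *l)
{
    if (len < 4 || msg[0] != DHCP6_ADVERTISE) return E_NOT_ADV;
    size_t off = 4;                                /* msg-type + 3-byte transaction-id */
    while (off < len) {
        if (len - off < 4) return E_TRUNC;         /* option-code + option-len */
        uint16_t code = rd16(msg + off), olen = rd16(msg + off + 2);
        const uint8_t *data = msg + off + 4;
        if (olen > len - off - 4) return E_TRUNC;  /* body exceeds the message */
        if (code == DHCP6_OPT_SERVERID) {
            if (olen > DUID_MAX) return E_DUID_LONG;
            memcpy(l->duid, data, olen);
            l->duid_len = olen;
        } else if (code == DHCP6_OPT_IA_NA) {
            /* Without this, olen - 12 wraps (4 - 12 = 65528) and the walk runs off the message: CVE-2023-45229's bug class */
            if (olen < IA_NA_HDR_LEN) return E_IA_NA_SHORT;
            for (size_t sub = IA_NA_HDR_LEN; sub < olen; ) {
                if (olen - sub < 4) return E_TRUNC;
                uint16_t scode = rd16(data + sub), slen = rd16(data + sub + 2);
                if (slen > olen - sub - 4) return E_TRUNC;
                if (scode == DHCP6_OPT_IAADDR && slen >= IAADDR_HDR_LEN) {
                    memcpy(l->addr, data + sub + 4, 16); l->have_addr = 1;
                }
                sub += 4 + slen;
            }
        }                                          /* other options are skipped */
        off += 4 + olen;
    }
    return OK;
}

/* Constructed messages (not captured traffic). */
static const uint8_t good_adv[] = {
    0x02, 0x00, 0x00, 0x01,                        /* ADVERTISE, transaction-id */
    0x00, 0x02, 0x00, 0x0A, 0x00, 0x03, 0x00, 0x01, 0xAA, 0xBB, 0xCC, 0xDD, 0xEE, 0xFF, /* Server ID: DUID-LL */
    0x00, 0x03, 0x00, 0x28, 0x00, 0x00, 0x00, 0x01, 0, 0, 0, 0, 0, 0, 0, 0,    /* IA_NA len 40: IAID 1, T1, T2 */
    0x00, 0x05, 0x00, 0x18, 0x20, 0x01, 0x0D, 0xB8, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0x10, /* IA Address 2001:db8::10 */
    0x00, 0x00, 0x0E, 0x10, 0x00, 0x00, 0x1C, 0x20 /* preferred 3600 s, valid 7200 s */
};
static const uint8_t short_ia_na_adv[] = { 0x02, 0, 0, 2, 0x00, 0x03, 0x00, 0x04, 0, 0, 0, 1 }; /* IA_NA len 4 */

int demo_good(void) {
    struct lease l; memset(&l, 0, sizeof l);
    return parse_advertise_hardened(good_adv, sizeof good_adv, &l) == OK
        && l.duid_len == 10 && l.have_addr && l.addr[15] == 0x10;
}
int demo_short_ia_na(void) {
    struct lease l; memset(&l, 0, sizeof l);
    return parse_advertise_hardened(short_ia_na_adv, sizeof short_ia_na_adv, &l); /* E_IA_NA_SHORT */
}
/* Server ID of 136 bytes (0x88): 8 more than the DUID buffer holds. */
int demo_long_server_id_hardened(void) {
    uint8_t msg[8 + 136] = { 0x02, 0, 0, 3, 0x00, 0x02, 0x00, 0x88 };
    memset(msg + 8, 0x41, 136);
    struct lease l; memset(&l, 0, sizeof l);
    return parse_advertise_hardened(msg, sizeof msg, &l);                        /* E_DUID_LONG */
}
int demo_long_server_id_vulnerable(void) {
    uint8_t sid[136]; memset(sid, 0x41, sizeof sid);
    struct lease l; memset(&l, 0, sizeof l); memset(l.canary, 0xC5, sizeof l.canary);
    return copy_server_id_vulnerable(&l, sid, sizeof sid);                       /* 1: canary overwritten */
}
```

The hardened parser rejects the oversized Server ID before touching the buffer, and the short IA_NA before the subtraction that would underflow; the same two checks, an upper bound on what is copied and a lower bound on what is subtracted, are what the descriptions of CVE-2023-45229, 45230, 45234 and 45235 say was missing. The vulnerable copy shows why the overflow matters in firmware: the bytes past the buffer land in whatever the linker placed next, here the canary.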
Quarkslab has released proof-of-concept exploits that allow admins to detect vulnerable devices on their network. Because several of the flaws are denial-of-service conditions, the PoCs can hang or crash the firmware network stack of a host that is still vulnerable, so they should only be aimed at machines whose boot can be safely interrupted.
The PixieFail vulnerabilities impact Tianocore's EDK II UEFI implementation and other vendors using its NetworkPkg module, including major tech companies and BIOS providers.
Although the EDK2 package is included in ChromeOS's source code tree, Google has specified that it is not used in production Chromebooks and isn't impacted by the PixieFail flaws.
This Cyber News was published on www.bleepingcomputer.com. Publication date: Tue, 16 Jan 2024 17:20:26 +0000