The bugs lie in the IPv6 network boot implementation
Prajeet Nair (@prajeetspeaks)
January 29, 2024
Multiple vulnerabilities in the widely used open-source implementation of the Unified Extensible Firmware Interface specification allow attackers to introduce malware that operates at the firmware level.
The vulnerabilities mainly affect server farms and high-performance computing environments – locations where a boot server delivers the operating system over a local network. The bugs lie in the way the UEFI implementation known as TianoCore EDK II calls the boot server using the IPv6 network protocol.
UEFI is a miniature operating system in its own right, yet it is difficult to patch and often beyond the reach of endpoint security systems, which is why it is attracting increasing attention from researchers and hackers. Attackers appreciate UEFI flaws because the specification is ubiquitous on x86 PCs and servers, and a firmware infection will generally survive cleanup attempts by operating system-level antivirus software.
Last August, the US federal government urged computer manufacturers to improve UEFI security, suggesting that system owners can monitor and manage UEFI components as they do with other computer software (see: US CISA calls for improvements to key computer component).
Quarkslab researchers wrote in a Jan. 6 blog post that the non-exhaustive list of affected vendors includes chip maker Arm, Microsoft through its Project Mu firmware-as-a-service effort, and the EDK II-derived implementation maintained by Phoenix Technologies.
The researchers called the flaws PixieFail, a play on the pronunciation of the Preboot Execution Environment – or PXE – specification in UEFI for network boot.
Quarkslab head of research Ivan Arce told Ars Technica that an attacker would not need physical access to a vulnerable client computer or server to mount an attack. “An attacker just needs to have access to the network that all these systems are running on and have the ability to capture packets and inject packets or transmit packets,” he said.
A spokesperson for the UEFI Forum told the Information Security Media Group that the vulnerabilities in question have already been addressed and fixed in the EDK II open source project.
“If issues remain with vendor-specific implementations, derived from EDK II or not, then those vendors are in the best position to comment on why the products they support might still be vulnerable, if that’s the case,” the spokesperson said.
PixieFail encompasses nine flaws in NetworkPkg, the network protocol stack of EDK II. The vulnerabilities enable a variety of attacks, including remote code execution, denial of service, DNS cache poisoning, and leakage of sensitive information.
One PixieFail bug, tracked as CVE-2023-45229, could be exploited to crash the system because the UEFI implementation did not check the minimum length of the IA_NA/IA_TA options when parsing the DHCPv6 Advertise message a server sends in reply to the client's initial Solicit message.
Another bug, tracked as CVE-2023-45230, could result in a buffer overflow if a malicious DHCPv6 server answers the client's request with an overly long Server ID option. EDK II once again fully trusted the response from the DHCP server, Quarkslab wrote.
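As an added illustration of the two bugs above (this is example code written for this article, not EDK II's own Dhcp6Dxe source), the following C model walks the option list of a DHCPv6 Advertise with the checks the fixed code needs. The option codes are the standard DHCPv6 ones; SERVERID_MAX, the function names and the sample messages are assumptions made for the example, and the messages are constructed rather than captured. The unchecked helper reproduces the arithmetic behind CVE-2023-45229: an IA_NA body shorter than its 12-byte fixed header wraps the remaining length to a huge value, so a walker bounded by that value reads off the end of the packet. The Server ID branch shows the length check whose absence is the CVE-2023-45230 overflow.

```c
/* Added example, not EDK II code: a hardened DHCPv6 Advertise option walker
 * modelled on the checks missing in CVE-2023-45229 and CVE-2023-45230. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Standard DHCPv6 option codes (RFC 8415). */
enum { OPT_SERVERID = 2, OPT_IA_NA = 3, OPT_IAADDR = 5 };
#define IA_NA_HDR_LEN 12   /* IAID(4) + T1(4) + T2(4) precede the nested options */
#define SERVERID_MAX  64   /* assumption: fixed-size Server ID buffer in our model client */

typedef struct {
    uint8_t  server_id[SERVERID_MAX];
    uint16_t server_id_len;
    int      ia_addrs;          /* IAADDR options found nested inside IA_NA */
} dhcp6_adv_t;

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* The unchecked arithmetic behind CVE-2023-45229: with no minimum-length test,
 * an IA_NA body of 8 bytes yields an "inner" length of 65532, and a walker
 * bounded by that value reads far past the packet. */
uint16_t ia_na_inner_len_unchecked(uint16_t optlen) {
    return (uint16_t)(optlen - IA_NA_HDR_LEN);
}

/* Walk [buf, buf+len). Returns 0 when every option is well formed, -1 otherwise.
 * depth is 0 for the top-level list and 1 inside an IA_NA body. */
int dhcp6_walk_options(const uint8_t *buf, size_t len, dhcp6_adv_t *out, int depth) {
    size_t off = 0;
    while (off < len) {
        if (len - off < 4) return -1;                     /* truncated option header */
        uint16_t code   = rd16(buf + off);
        uint16_t optlen = rd16(buf + off + 2);
        const uint8_t *val = buf + off + 4;
        if (optlen > len - off - 4) return -1;            /* body runs past the message */
        switch (code) {
        case OPT_SERVERID:
            /* CVE-2023-45230 pattern: copying before this check overflows server_id */
            if (optlen > SERVERID_MAX) return -1;
            memcpy(out->server_id, val, optlen);
            out->server_id_len = optlen;
            break;
        case OPT_IA_NA:
            /* CVE-2023-45229 pattern: without this check optlen - 12 underflows */
            if (depth != 0 || optlen < IA_NA_HDR_LEN) return -1;
            if (dhcp6_walk_options(val + IA_NA_HDR_LEN, optlen - IA_NA_HDR_LEN, out, 1) != 0)
                return -1;
            break;
        case OPT_IAADDR:
            /* only valid nested in an IA: 16-byte address + two 4-byte lifetimes */
            if (depth != 1 || optlen < 24) return -1;
            out->ia_addrs++;
            break;
        default:
            break;                                        /* unknown options are skipped */
        }
        off += 4 + (size_t)optlen;
    }
    return 0;
}

/* Parse the option list of an Advertise; a reply without a Server ID is rejected. */
int dhcp6_parse_advertise(const uint8_t *buf, size_t len, dhcp6_adv_t *out) {
    memset(out, 0, sizeof *out);
    if (dhcp6_walk_options(buf, len, out, 0) != 0) return -1;
    return out->server_id_len > 0 ? 0 : -1;
}

/* Constructed sample option lists (not captured traffic). */
const uint8_t ADV_BENIGN[] = {
    0x00,0x02, 0x00,0x04, 0xde,0xad,0xbe,0xef,                       /* SERVERID, 4 bytes */
    0x00,0x03, 0x00,0x28,                                             /* IA_NA, body 40 bytes */
      0x00,0x00,0x00,0x01, 0x00,0x00,0x0e,0x10, 0x00,0x00,0x1c,0x20,  /* IAID, T1, T2 */
      0x00,0x05, 0x00,0x18,                                           /* IAADDR, body 24 bytes */
        0xfd,0x00,0,0,0,0,0,0, 0,0,0,0,0,0,0,0x10,                    /* fd00::10 */
        0x00,0x00,0x0e,0x10, 0x00,0x00,0x1c,0x20                      /* preferred, valid */
};
const uint8_t ADV_SHORT_IA_NA[] = {
    0x00,0x02, 0x00,0x04, 0xde,0xad,0xbe,0xef,
    0x00,0x03, 0x00,0x08, 0,0,0,1, 0,0,0,0       /* IA_NA body of only 8 bytes */
};
const uint8_t ADV_LONG_SERVERID[4 + 200] = { 0x00,0x02, 0x00,0xc8, 0x41 }; /* 200-byte Server ID */

int main(void) {
    dhcp6_adv_t adv;
    int rc = dhcp6_parse_advertise(ADV_BENIGN, sizeof ADV_BENIGN, &adv);
    printf("benign: rc=%d addrs=%d\n", rc, adv.ia_addrs);
    rc = dhcp6_parse_advertise(ADV_SHORT_IA_NA, sizeof ADV_SHORT_IA_NA, &adv);
    printf("short IA_NA: rc=%d, unchecked inner len=%u\n", rc, ia_na_inner_len_unchecked(8));
    rc = dhcp6_parse_advertise(ADV_LONG_SERVERID, sizeof ADV_LONG_SERVERID, &adv);
    printf("long server id: rc=%d\n", rc);
    return 0;
}
```

The two checks that matter are the ones next to the CVE comments: a minimum length before subtracting a fixed header, and a maximum length before copying into a fixed buffer. Everything a DHCPv6 server sends is attacker-controlled on the boot network, so every length field is validated against the bytes actually present before it drives a subtraction, a copy or a nested walk.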
Technical details
PXE facilitates network booting by allowing a client system to locate, download, and execute code from a network server.
The process involves multiple stages, starting with a minimal program – the Network Bootstrap Program or NBP – downloaded via a simple protocol such as TFTP. The PXE client relies on a DHCP server to configure its network interface and obtain a list of boot servers for the NBP file.
To avoid modifying operational DHCP servers, the specification splits regular DHCP functions and PXE-specific functions into two separate services, so the PXE parameters can be supplied by a separate proxy DHCP server.
Enabling a PXE environment allows machines to boot over a network connection, removing the need for physical interaction or keyboard access. Primarily used in larger data centers, PXE plays a key role in automating the early stages of boot, especially in high-performance computing environments.
The PXE client selects a boot server, communicates with it using the DHCP protocol, obtains the necessary parameters, downloads the NBP, and executes it. PXE over IPv6 uses DHCPv6 and TFTP, requiring IPv6 and UDP at layers 3 and 4. The process may include DNS to resolve boot server hostnames provided by the DHCP server.
The flaws are:
- CVE-2023-45229 – CVSS score: 6.5 – An integer underflow when processing IA_NA/IA_TA options in a DHCPv6 Advertise message.
- CVE-2023-45230 – CVSS score: 8.3 – A buffer overflow in the DHCPv6 client caused by an overly long Server ID option.
- CVE-2023-45231 – CVSS score: 6.5 – An out-of-bounds read when handling an ND Redirect message with truncated options.
- CVE-2023-45232 – CVSS score: 7.5 – An infinite loop when parsing unknown options in the Destination Options header.
- CVE-2023-45233 – CVSS score: 7.5 – An infinite loop when parsing the PadN option in the Destination Options header.
- CVE-2023-45234 – CVSS score: 8.3 – A buffer overflow when processing the DNS Servers option in a DHCPv6 Advertise message.
- CVE-2023-45235 – CVSS score: 8.3 – A buffer overflow when handling the Server ID option from a DHCPv6 proxy Advertise message.
- CVE-2023-45236 – CVSS score: 5.8 – Predictable TCP initial sequence numbers.
- CVE-2023-45237 – CVSS score: 5.3 – Use of a weak pseudorandom number generator.
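The two infinite-loop entries above (CVE-2023-45232 and CVE-2023-45233) share one root cause: an option walker that can complete an iteration without moving forward. The following C model is an added example written for this article, not the Ip6Dxe code from EDK II, and it does not reproduce the exact PadN trigger of CVE-2023-45233; what it shows is the zero-length unknown-option case and the loop invariant that closes both bugs, namely that each iteration either advances the offset by at least the option header size or rejects the packet. The function names, the max_iter guard and the constructed option lists are assumptions made for the example; the Pad1/PadN codes and the action bits are the standard IPv6 ones.

```c
/* Added example, not EDK II code: a Destination Options walker in the shape of
 * the CVE-2023-45232/45233 loops, with the progress and bounds checks they lacked. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

enum { IP6_OPT_PAD1 = 0, IP6_OPT_PADN = 1 };
#define IP6_OPT_ACTION_MASK 0xC0   /* high two bits of an unknown type: 00 = skip, else discard */

/* Vulnerable shape: the "skip unknown option" branch advances by the data length
 * only, so a zero-length unknown option pins off in place forever. max_iter is an
 * assumption added so the hang is observable (returns -2) instead of fatal. */
int ip6_walk_dest_opts_vulnerable(const uint8_t *opt, size_t len, int max_iter) {
    size_t off = 0;
    int n = 0;
    while (off < len) {
        if (n++ >= max_iter) return -2;               /* would spin forever without this */
        uint8_t type = opt[off];
        if (type == IP6_OPT_PAD1) { off += 1; continue; }
        uint8_t dlen = opt[off + 1];                  /* no check that the length byte exists */
        if (type == IP6_OPT_PADN) { off += 2 + dlen; continue; }
        if ((type & IP6_OPT_ACTION_MASK) != 0x00) return -1;
        off += dlen;                                  /* BUG: forgets the 2-byte option header */
    }
    return n;
}

/* Hardened walker: every iteration either advances off by at least 1 or returns.
 * Returns the number of options walked, or -1 when the header must be discarded. */
int ip6_walk_dest_opts_hardened(const uint8_t *opt, size_t len) {
    size_t off = 0;
    int n = 0;
    while (off < len) {
        uint8_t type = opt[off];
        if (type == IP6_OPT_PAD1) { off += 1; n++; continue; }
        if (len - off < 2) return -1;                 /* length byte missing */
        size_t dlen = opt[off + 1];
        if (dlen > len - off - 2) return -1;          /* data runs past the header */
        if (type != IP6_OPT_PADN && (type & IP6_OPT_ACTION_MASK) != 0x00)
            return -1;                                /* RFC 8200 discard actions */
        off += 2 + dlen;                              /* never less than 2 */
        n++;
    }
    return n;
}

/* Constructed option lists (not captured traffic). */
const uint8_t OPTS_STUCK[]     = { 0x1e, 0x00, 0x01, 0x00 };  /* unknown type 0x1e, len 0; PadN len 0 */
const uint8_t OPTS_TRUNCATED[] = { 0x00, 0x1e };              /* Pad1, then a type with no length byte */
const uint8_t OPTS_PADN_LONG[] = { 0x01, 0x10 };              /* PadN claiming 16 bytes it does not have */

int main(void) {
    printf("vulnerable on stuck input: %d\n",
           ip6_walk_dest_opts_vulnerable(OPTS_STUCK, sizeof OPTS_STUCK, 1000));
    printf("hardened on stuck input:   %d\n", ip6_walk_dest_opts_hardened(OPTS_STUCK, sizeof OPTS_STUCK));
    printf("hardened on truncated:     %d\n",
           ip6_walk_dest_opts_hardened(OPTS_TRUNCATED, sizeof OPTS_TRUNCATED));
    printf("hardened on long PadN:     %d\n",
           ip6_walk_dest_opts_hardened(OPTS_PADN_LONG, sizeof OPTS_PADN_LONG));
    return 0;
}
```

The vulnerable walker is only ever run on the input that stays in bounds; on the truncated list it would read past the buffer, which is the out-of-bounds read class the advisory lists separately. In pre-boot firmware there is no watchdog to rescue a stuck parser, so a single crafted extension header from the local link is enough to hang the machine before the operating system loads.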