January 16, 2024 at 12:19PM
A set of nine vulnerabilities, named ‘PixieFail,’ impact Tianocore’s EDK II, an open-source implementation of the UEFI spec widely used in enterprise computers. The flaws, discovered by Quarkslab, affect the PXE boot process and expose systems to DoS, RCE, network session hijacking, and other attacks. Multiple vendors, including major tech companies, are affected. Due to complexities in fixing the issues, the disclosure deadline has been postponed several times.
PixieFail comprises nine vulnerabilities in the IPv6 network protocol stack of Tianocore’s EDK II (the NetworkPkg module). The flaws affect the PXE network boot process and can lead to denial of service (DoS), information disclosure, remote code execution (RCE) and network session hijacking. The most severe are CVE-2023-45230 and CVE-2023-45235, both buffer overflows in the DHCPv6 client’s handling of the Server ID option; an attacker who can answer the client’s DHCPv6 traffic on the local network during PXE boot could achieve remote code execution in the firmware, before the operating system loads, possibly leading to complete system compromise.
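As an added illustration, not code from Quarkslab, Tianocore or the CERT/CC advisory, the following Python script parses DHCPv6 messages and flags a Server Identifier option longer than the DUID bound in RFC 3315, the kind of cheap heuristic that can be run over captures from a PXE boot VLAN while firmware updates are pending. It relies on the public CVE descriptions, which place CVE-2023-45230 and CVE-2023-45235 in the DHCPv6 client’s handling of the Server ID option; the 130-octet threshold, the function names and the packet bytes are this example’s own assumptions and constructed samples.

```python
"""
Heuristic detector for oversized DHCPv6 Server Identifier options.

Added example, not code from Quarkslab, Tianocore or the CERT/CC advisory.
Assumption used here: the public descriptions of CVE-2023-45230 and
CVE-2023-45235 involve a DHCPv6 Server ID option (option code 2) longer than
the EDK II client expects. RFC 3315 s9.1 limits a DUID to 128 octets plus a
2-octet type code, so a Server ID option above 130 octets is never legitimate
and is worth alerting on. All packet bytes below are constructed samples.
"""
import struct
from dataclasses import dataclass

OPTION_SERVERID = 2
MAX_DUID_LEN = 128 + 2      # 128-octet DUID + 2-octet DUID type code
MSG_ADVERTISE, MSG_REPLY = 2, 7


@dataclass
class Dhcp6Message:
    msg_type: int
    xid: int
    options: list           # list of (option code, payload bytes)


def parse_dhcp6(payload: bytes) -> Dhcp6Message:
    """Parse msg-type, 3-octet transaction id and the TLV option list (RFC 8415 s8)."""
    if len(payload) < 4:
        raise ValueError("truncated DHCPv6 header")
    msg_type = payload[0]
    xid = int.from_bytes(payload[1:4], "big")
    options = []
    off = 4
    while off < len(payload):
        if off + 4 > len(payload):
            raise ValueError("truncated option header")
        code, length = struct.unpack_from("!HH", payload, off)
        off += 4
        if off + length > len(payload):
            # Option claims more bytes than the packet carries: a length/content
            # mismatch that a hardened client parser must reject outright.
            raise ValueError(f"option {code} length {length} overruns packet")
        options.append((code, payload[off:off + length]))
        off += length
    return Dhcp6Message(msg_type, xid, options)


def find_oversized_server_id(payload: bytes) -> list:
    """Return a list of finding strings; empty when the message looks normal."""
    try:
        msg = parse_dhcp6(payload)
    except ValueError as exc:
        return [f"malformed: {exc}"]
    findings = []
    for code, data in msg.options:
        if code == OPTION_SERVERID and len(data) > MAX_DUID_LEN:
            findings.append(
                f"msg-type {msg.msg_type} xid {msg.xid:#08x}: Server ID option "
                f"is {len(data)} octets (max {MAX_DUID_LEN})"
            )
    return findings


def build_msg(msg_type: int, xid: int, options) -> bytes:
    """Assemble a DHCPv6 message from (code, payload) pairs; used only to build samples."""
    out = bytes([msg_type]) + xid.to_bytes(3, "big")
    for code, data in options:
        out += struct.pack("!HH", code, len(data)) + data
    return out


# Constructed samples: a normal Advertise carrying a DUID-LL server id, an
# Advertise whose Server ID is far beyond the 130-octet bound, and a Reply
# whose option header promises more bytes than the packet contains.
DUID_LL = b"\x00\x03" + b"\x00\x01" + bytes.fromhex("001122334455")
BENIGN = build_msg(MSG_ADVERTISE, 0x123456, [(OPTION_SERVERID, DUID_LL)])
SUSPECT = build_msg(MSG_ADVERTISE, 0xABCDEF, [(OPTION_SERVERID, b"\x00\x03" + b"A" * 600)])
TRUNCATED = build_msg(MSG_REPLY, 0x000001, [(OPTION_SERVERID, DUID_LL)])[:-3]

if __name__ == "__main__":
    for name, pkt in (("benign", BENIGN), ("suspect", SUSPECT), ("truncated", TRUNCATED)):
        print(name, find_oversized_server_id(pkt) or "ok")
```

To use it on real traffic, feed `find_oversized_server_id` the UDP payload of packets to or from port 546/547 captured on the boot network; the check deliberately stays at the option-length level so it does not depend on any vendor’s internal buffer sizes, which the advisory does not publish.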
These vulnerabilities affect not only Tianocore’s EDK II reference implementation but every vendor firmware that incorporates its NetworkPkg module, including key tech companies and BIOS providers such as Arm Ltd., Insyde Software, American Megatrends Inc. (AMI), Phoenix Technologies Inc., and Microsoft Corporation. Intel is also listed as impacted in CERT/CC’s security advisory.
The disclosure process with CERT/CC began on August 3, 2023; the public disclosure deadline was postponed several times because of the complexity of coordinating fixes across many vendors. At the time of writing, most vendor patches are still in a testing or non-validated state, and Tianocore has published fixes for the first seven of the nine vulnerabilities.
Immediate attention and coordination among vendors are needed to address PixieFail across the enterprise computers and servers that embed EDK II. Until validated firmware updates ship, exposure is limited to machines that actually perform IPv6 PXE boot on a network an attacker can reach: disabling network boot in firmware where it is not required, or keeping PXE clients on an isolated boot VLAN where rogue DHCPv6 servers cannot answer, reduces the attack surface while patches are finalised.