PixieFAIL: Unveiling Nine Critical Flaws in UEFI’s EDK II Network Stack
Researchers from the French company Quarkslab have discovered a set of serious vulnerabilities in Tianocore EDK II, an open-source implementation of the UEFI specification, which could be exploited for remote code execution.
Nine vulnerabilities, collectively termed PixieFAIL, could lead to denial of service, information leakage, remote code execution, DNS cache poisoning, and network session hijacking. They were identified during an examination of NetworkPkg, which provides drivers and applications for network configuration.
The vulnerable module is used by numerous manufacturers, including Microsoft, ARM, Insyde, Phoenix Technologies, and AMI. Quarkslab’s Chief Technical Officer also confirmed the presence of vulnerable code in Microsoft’s adaptation of Tianocore EDK II – Project Mu.
The nine vulnerabilities are described under the following CVE identifiers:
- CVE-2023-45229: An integer flaw when processing IA_NA/IA_TA options in the DHCPv6 Advertise message;
- CVE-2023-45230: Buffer overflow in the DHCPv6 client due to a lengthy Server ID option;
- CVE-2023-45231: Array out-of-bounds read when processing truncated options in the ND Redirect message;
- CVE-2023-45232: Infinite loop when parsing unknown options in the Destination Options header;
- CVE-2023-45233: Infinite loop when parsing the PadN option in the Destination Options header;
- CVE-2023-45234: Buffer overflow when processing DNS servers in the DHCPv6 Advertise message;
- CVE-2023-45235: Buffer overflow when processing the server identifier parameter from the DHCPv6 proxy Advertise message;
- CVE-2023-45236: Predictable initial TCP sequence numbers;
- CVE-2023-45237: Use of a weak pseudorandom number generator.
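A defensive illustration of the option-length checks whose absence underlies the DHCPv6 findings listed above: an added example, not Quarkslab's PoC and not EDK II NetworkPkg code. The option codes and the IA_NA header size come from RFC 8415; the MAX_DUID buffer size, the function names and the error codes are this example's own assumptions.

```c
#include <stdint.h>
#include <string.h>
/* Option codes and sizes from RFC 8415; all other names here are this example's own. */
#define OPT_SERVERID 2
#define OPT_IA_NA    3
#define IA_NA_HDR    12   /* IAID(4) + T1(4) + T2(4) precede the IA_NA sub-options */
#define MAX_DUID     130  /* assumed size of the fixed buffer the client keeps the Server ID in */
enum { OK = 0, ERR_TRUNC_HDR, ERR_TRUNC_BODY, ERR_IA_NA_SHORT, ERR_DUID_TOO_LONG, ERR_NESTING };

/* Walk one DHCPv6 option list, checking every length against the bytes that actually
 * remain BEFORE doing arithmetic on it or copying from it. Descends into IA_NA
 * sub-options (with 'duid' == NULL so a nested Server ID is not honoured). On success
 * *duid_len holds the Server ID length copied into 'duid' (0 if absent). */
int walk_options(const uint8_t *buf, size_t len, uint8_t *duid, size_t *duid_len, int depth) {
    if (depth > 2) return ERR_NESTING;
    for (size_t off = 0; off < len; off += 4) {
        if (len - off < 4) return ERR_TRUNC_HDR;          /* not even code + length left */
        uint16_t code = (uint16_t)((buf[off] << 8) | buf[off + 1]);
        uint16_t olen = (uint16_t)((buf[off + 2] << 8) | buf[off + 3]);
        const uint8_t *body = buf + off + 4;
        if (olen > len - off - 4) return ERR_TRUNC_BODY;  /* body would run past the packet */
        if (code == OPT_IA_NA) {
            /* Reject a short IA_NA before computing olen - IA_NA_HDR: on an unsigned
             * type that subtraction would wrap to a huge sub-option length. */
            if (olen < IA_NA_HDR) return ERR_IA_NA_SHORT;
            size_t dummy;
            int rc = walk_options(body + IA_NA_HDR, olen - IA_NA_HDR, NULL, &dummy, depth + 1);
            if (rc) return rc;
        } else if (code == OPT_SERVERID && duid != NULL) {
            /* Copy the DUID only if it fits the fixed destination buffer. */
            if (olen > MAX_DUID) return ERR_DUID_TOO_LONG;
            memcpy(duid, body, olen);
            *duid_len = olen;
        }
        off += olen;
    }
    return OK;
}

/* Wrapper for the top-level option area of an Advertise message: returns the DUID
 * length (0 if absent) or a negative error code. */
int parse_advertise_options(const uint8_t *buf, size_t len, uint8_t duid[MAX_DUID]) {
    size_t duid_len = 0;
    int rc = walk_options(buf, len, duid, &duid_len, 0);
    return rc ? -rc : (int)duid_len;
}
```

The constructed inputs worth trying are a well-formed Server ID plus IA_NA, an IA_NA shorter than its 12-byte header, an option whose length runs past the packet, and a Server ID larger than MAX_DUID; each is rejected before any copy or subtraction happens.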
Quarkslab released a PoC exploit demonstrating the first seven vulnerabilities, enabling defenders to create signatures for detecting exploitation attempts.
The CERT Coordination Center (CERT/CC) published a notice with a list of affected and potentially vulnerable manufacturers, along with recommendations for implementing fixes and protective measures. Representatives from the center confirmed that Insyde, AMI, Intel, and Phoenix Technologies are affected, though the precise extent of their exposure remains unknown.