A set of nine vulnerabilities known as ‘PixieFail’ has recently been discovered in Tianocore’s EDK II, an open-source implementation of the Unified Extensible Firmware Interface (UEFI) specification. The vulnerabilities specifically impact the PXE network boot process, which is vital for provisioning operating systems in data centers and high-performance computing environments.
PixieFail was uncovered by researchers at Quarkslab, who promptly disclosed the vulnerabilities to affected vendors through a coordinated effort by the United States Computer Emergency Readiness Team (CERT/CC) and the French Computer Emergency Response Team (CERT-FR). The vulnerabilities in PixieFail stem from the implementation of IPv6 in the Preboot Execution Environment (PXE), which introduces additional protocols and widens the potential attack surface.
This critical security issue consists of nine specific flaws, including denial of service, information disclosure, remote code execution, DNS cache poisoning, and network session hijacking. Some of the most severe vulnerabilities, namely CVE-2023-45230 and CVE-2023-45235, enable attackers to execute remote code and potentially compromise entire systems.
To help administrators identify if their networks are vulnerable, Quarkslab has released proof-of-concept (PoC) exploits. It is worth noting that Tianocore’s EDK II UEFI implementation and other vendors using the NetworkPkg module, such as Arm Ltd., Insyde Software, AMI, Phoenix Technologies Inc., and Microsoft, are all affected by PixieFail.
Even Intel, a major player in the tech industry, has been impacted by these vulnerabilities, as stated in CERT/CC’s security advisory. The initial disclosure of PixieFail was made to CERT/CC on August 3, 2023, with a deadline set for November 2, 2023. However, due to the complex nature of resolving these issues for multiple vendors, the disclosure date has been postponed multiple times, initially to December 1, 2023, and later to January 16, 2024.
Currently, most vendor patches are still in a testing/non-validated state. However, Tianocore has already provided fixes for the first seven vulnerabilities identified in PixieFail. Microsoft has requested a further extension, proposing a target date of May 2024 for full resolution.
It is crucial for affected vendors and users to remain vigilant and apply the available patches as soon as they are validated and released. Timely actions will mitigate the risks associated with PixieFail and help ensure the security of critical systems.
“Zombie enthusiast. Subtly charming travel practitioner. Webaholic. Internet expert.”