Preboot Execution Environment vulnerabilities dubbed PixieFail expose risks for enterprise computers
Take action: This set of vulnerabilities requires a specific exploitation scenario, so there is no need for panic-mode patching. Still, since most vendors have already released firmware patches, update the firmware of your computer fleet if you use PXE boot in your environment.
Learn More
A series of nine vulnerabilities, collectively named "PixieFail", was discovered in the Preboot Execution Environment (PXE) implementation of TianoCore EDK II, a popular open-source UEFI reference implementation.
PXE is a technology used to start up a computer using only its network interface. It is particularly useful in environments where it is advantageous or necessary to boot computers without their local storage (such as a hard drive or SSD), or where no local operating system is installed.
PXE is used in corporate environments, cloud services, and data centers. Attackers do not need physical access to exploit these vulnerabilities; access to the affected network is sufficient. Endpoint security solutions struggle to identify UEFI infections, giving attackers considerable control. The affected code is the IPv6 side of the PXE network stack, which makes these vulnerabilities harder to detect or remove.
Several major vendors, including Arm, Insyde Software, Microsoft, American Megatrends, and Phoenix Technologies, were notified and had issued patches as of January 16, 2024. The vulnerabilities affect a range of companies, including Google, Dell, Cisco, ARM, HP, and potentially others. The severity scores range from 5.3 to 8.3, and the risks include infinite boot loops and buffer overflows.
List of vulnerabilities
- CVE-2023-45229 (CVSS score 6.5): Out-of-bounds read triggered by a crafted DHCPv6 Advertise message
- CVE-2023-45230 (CVSS score 8.3): Buffer overflow triggered by a crafted Server ID option
- CVE-2023-45231 (CVSS score 6.5): Out-of-bounds read triggered by a specially crafted ND Redirect message
- CVE-2023-45232 (CVSS score 7.5): Infinite boot loop triggered by a malformed Destination Options header
- CVE-2023-45233 (CVSS score 7.5): Infinite boot loop triggered by a malformed PadN option
- CVE-2023-45234 (CVSS score 8.3): Buffer overflow triggered by a crafted DNS Servers option
- CVE-2023-45235 (CVSS score 8.3): Buffer overflow triggered by a crafted Server ID option in a DHCPv6 Advertise message
- CVE-2023-45236 (CVSS score 5.8): Predictable TCP Initial Sequence Number
- CVE-2023-45237 (CVSS score 5.3): Weak pseudo-random number generator
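Seven of the nine entries above are the same defect class in a network-facing TLV parser: a length field taken from the wire is used as a copy length or as a skip distance before it is checked against the bytes actually received, or a malformed option stops the walk from advancing. The following C program is an added illustration of how a hardened DHCPv6 option walker avoids all three outcomes; it is example code written for this page, not code from EDK II or from any vendor's firmware. The option codes are the real DHCPv6 values from RFC 8415, while the `MAX_DUID_LEN` limit, the `parse_advertise_options` function and the sample messages are assumptions constructed for the demonstration.

```c
#include <assert.h>
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define OPT_SERVERID    2    /* OPTION_SERVERID, RFC 8415 */
#define OPT_DNS_SERVERS 23   /* OPTION_DNS_SERVERS, RFC 3646 */

/* Fixed-size storage a client keeps for the server DUID (assumed limit). */
#define MAX_DUID_LEN 128

struct parsed_advertise {
    uint8_t server_id[MAX_DUID_LEN];
    size_t  server_id_len;
    int     have_server_id;
};

enum parse_result {
    PARSE_OK = 0,
    PARSE_TRUNCATED,          /* option header or body runs past the packet */
    PARSE_OVERSIZED,          /* option is well-formed but too big to store */
    PARSE_MISSING_SERVERID
};

/*
 * Walk the option list of a DHCPv6 Advertise body (the bytes after the
 * 4-byte msg-type/transaction-id header) and copy out the Server Identifier.
 * Every length is validated against the bytes actually received before it is
 * used as an index, a copy length or a skip distance.
 */
enum parse_result parse_advertise_options(const uint8_t *buf, size_t len,
                                          struct parsed_advertise *out)
{
    size_t off = 0;
    memset(out, 0, sizeof *out);

    while (off < len) {
        /* Check 1: the 4-byte option header itself must lie inside the packet. */
        if (len - off < 4)
            return PARSE_TRUNCATED;
        uint16_t code   = (uint16_t)((buf[off] << 8) | buf[off + 1]);
        uint16_t optlen = (uint16_t)((buf[off + 2] << 8) | buf[off + 3]);
        off += 4;

        /* Check 2: the option-len from the wire must fit in what remains.
         * Trusting it without this check is what turns a crafted length
         * into an out-of-bounds read. */
        if (optlen > len - off)
            return PARSE_TRUNCATED;

        if (code == OPT_SERVERID) {
            /* Check 3: bound the copy by the destination size, never by the
             * wire-supplied length, so a long option cannot overflow. */
            if (optlen > MAX_DUID_LEN)
                return PARSE_OVERSIZED;
            memcpy(out->server_id, buf + off, optlen);
            out->server_id_len  = optlen;
            out->have_server_id = 1;
        }
        /* Unknown options are skipped with the same validated length. off
         * always advances by at least the 4 header bytes per iteration, so a
         * zero-length option cannot stall the loop. */
        off += optlen;
    }
    return out->have_server_id ? PARSE_OK : PARSE_MISSING_SERVERID;
}

/* Constructed sample: a well-formed list with a 10-byte Server ID and an
 * empty DNS Servers option. */
static const uint8_t good_msg[] = {
    0x00, 0x02, 0x00, 0x0a,                              /* SERVERID, len 10 */
    0x00, 0x01, 0x00, 0x01, 0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff,
    0x00, 0x17, 0x00, 0x00,                              /* DNS_SERVERS, len 0 */
};
/* Constructed sample: option-len claims 200 bytes but only 6 follow. */
static const uint8_t lying_len_msg[] = {
    0x00, 0x02, 0x00, 0xc8, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06,
};
/* Constructed sample: packet ends in the middle of an option header. */
static const uint8_t truncated_msg[] = { 0x00, 0x02 };

/* Constructed sample: a Server ID that is fully present but larger than the
 * client's fixed buffer; the parser must refuse it rather than copy it. */
enum parse_result demo_oversized(void)
{
    uint8_t msg[4 + 200] = { 0x00, 0x02, 0x00, 0xc8 }; /* SERVERID, len 200 */
    struct parsed_advertise pa;
    return parse_advertise_options(msg, sizeof msg, &pa);
}

int main(void)
{
    struct parsed_advertise pa;
    printf("good:      %d\n", parse_advertise_options(good_msg, sizeof good_msg, &pa));
    printf("lying len: %d\n", parse_advertise_options(lying_len_msg, sizeof lying_len_msg, &pa));
    printf("truncated: %d\n", parse_advertise_options(truncated_msg, sizeof truncated_msg, &pa));
    printf("oversized: %d\n", demo_oversized());
    return 0;
}
```

The same three checks apply to the IPv6 extension-header and Neighbor Discovery option parsing named in the list: the header must fit, the declared length must fit, and the cursor must always move forward. A firmware reviewer auditing a PXE stack can look for exactly those three properties at every point where a length field arrives from the network.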
Despite initial disagreement over how easy these vulnerabilities are to exploit, it is now acknowledged that attackers can exploit them by intercepting and sending network packets within the affected network. Their full impact is not yet fully understood, but their discovery highlights the potential ease of exploiting UEFI firmware.