PixieFAIL: Millions of computers and laptops vulnerable to UEFI compromise

Nine vulnerabilities at once in Tianocore EDK II give hackers complete freedom for malicious actions.

Researchers from the French company Quarkslab discovered many serious vulnerabilities, usable for remote code execution, in Tianocore EDK II, an open implementation of the UEFI specification.

The nine vulnerabilities, collectively known as PixieFAIL, can lead to denial of service, information leaks, remote code execution, DNS cache poisoning, and network session hijacking. They were discovered during an audit of NetworkPkg, which provides drivers and applications for network configuration.

The vulnerable module is used by many manufacturers, including Microsoft, ARM, Insyde, Phoenix Technologies, and AMI. The Chief Technical Officer of Quarkslab also confirmed the presence of the vulnerable code in Microsoft's adaptation of Tianocore EDK II, Project Mu.

The nine vulnerabilities are described under the following CVE identifiers:
  1. CVE-2023-45229: Integer underflow when processing IA_NA/IA_TA options in a DHCPv6 Advertise message;
  2. CVE-2023-45230: Buffer overflow in the DHCPv6 client due to a long Server ID option;
  3. CVE-2023-45231: Out-of-bounds read when processing truncated options in an ND Redirect message;
  4. CVE-2023-45232: Infinite loop when parsing unknown options in the Destination Options header;
  5. CVE-2023-45233: Infinite loop when parsing the PadN option in the Destination Options header;
  6. CVE-2023-45234: Buffer overflow when processing the DNS servers option in a DHCPv6 Advertise message;
  7. CVE-2023-45235: Buffer overflow when processing the Server ID option from a DHCPv6 proxy Advertise message;
  8. CVE-2023-45236: Predictable TCP Initial Sequence Numbers;
  9. CVE-2023-45237: Use of a weak pseudorandom number generator.

Quarkslab released a PoC exploit to demonstrate the first seven vulnerabilities, allowing defenders to create signatures to detect infection attempts.

The CERT Coordination Center (CERT/CC) published a notification with a list of affected and potentially vulnerable manufacturers, as well as recommendations for implementing fixes and security measures. Representatives of the center confirmed that Insyde, AMI, Intel and Phoenix Technologies are affected, but the exact status of their vulnerability remains unknown.
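As an added example, not code from Quarkslab or from EDK II, here is a small Python checker for the DHCPv6 option-length conditions behind the first items in the list above (an IA_NA/IA_TA shorter than its fixed header, an option that runs past the buffer, an oversized Server ID DUID); it is the kind of check a defender can reuse when building a detection signature for such packets. The message samples are constructed for the example.

```python
import struct

# DHCPv6 option codes and fixed-header sizes (RFC 8415).
OPTION_SERVERID, OPTION_IA_NA, OPTION_IA_TA = 2, 3, 4
IA_NA_HDR = 12   # IAID(4) + T1(4) + T2(4); inner options follow
IA_TA_HDR = 4    # IAID(4); inner options follow
DUID_MAX = 130   # RFC 8415 section 11.1: a DUID is at most 130 octets

def check_options(buf: bytes, base: int = 0, depth: int = 0) -> list:
    """Walk a DHCPv6 option area and report length anomalies as strings.

    An empty list means every option fits its buffer, IA_NA/IA_TA carry
    at least their fixed header, and no Server ID exceeds the DUID limit.
    """
    findings, off = [], 0
    while off < len(buf):
        if len(buf) - off < 4:
            findings.append(f"truncated option header at offset {base + off}")
            break
        code, length = struct.unpack_from("!HH", buf, off)
        body = off + 4
        if body + length > len(buf):
            findings.append(f"option {code} at {base + off}: length {length} "
                            f"exceeds remaining {len(buf) - body} bytes")
            break
        if code == OPTION_IA_NA and length < IA_NA_HDR:
            findings.append(f"IA_NA at {base + off}: length {length} < {IA_NA_HDR}, "
                            "inner-option length would underflow")
        elif code == OPTION_IA_TA and length < IA_TA_HDR:
            findings.append(f"IA_TA at {base + off}: length {length} < {IA_TA_HDR}, "
                            "inner-option length would underflow")
        elif code in (OPTION_IA_NA, OPTION_IA_TA) and depth == 0:
            # Recurse into the encapsulated options once (no deeper nesting).
            hdr = IA_NA_HDR if code == OPTION_IA_NA else IA_TA_HDR
            findings += check_options(buf[body + hdr:body + length], base + body + hdr, 1)
        elif code == OPTION_SERVERID and length > DUID_MAX:
            findings.append(f"Server ID at {base + off}: DUID length {length} > {DUID_MAX}")
        off = body + length
    return findings

def check_message(msg: bytes) -> list:
    """Skip the 4-byte DHCPv6 header (msg-type + transaction-id), then check."""
    if len(msg) < 4:
        return ["message shorter than the DHCPv6 header"]
    return check_options(msg[4:], 4)

# Constructed samples: an Advertise (type 2) with a 10-byte DUID-LL Server ID and
# a minimal IA_NA; the same message with an IA_NA only 4 bytes long; and one whose
# Server ID option claims 200 bytes that are not present.
GOOD = (b"\x02\x00\x00\x01" + struct.pack("!HH", OPTION_SERVERID, 10)
        + b"\x00\x03\x00\x01" + b"\x02\x00\x00\x00\x00\x01"
        + struct.pack("!HH", OPTION_IA_NA, 12) + b"\x00\x00\x00\x01" + b"\x00" * 8)
SHORT_IA_NA = b"\x02\x00\x00\x01" + struct.pack("!HH", OPTION_IA_NA, 4) + b"\x00\x00\x00\x01"
TRUNCATED = b"\x02\x00\x00\x01" + struct.pack("!HH", OPTION_SERVERID, 200)
```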