Understanding & Detecting PixieFail UEFI Vulnerabilities

Researchers disclosed 9 vulnerabilities in the PXE environment within UEFI. Attackers need only be on the same network segment as the affected hosts to exploit.

What Is PixieFail?

The “PixieFail” vulnerabilities are a set of nine critical security flaws discovered in Tianocore’s EDK II IPv6 network stack. These vulnerabilities are primarily found in the Preboot Execution Environment (PXE) of the UEFI specification, which is crucial for network booting in enterprise systems. While PXE is more common in server environments, it is also used in desktop environments as well.

Vulnerability Details

The vulnerabilities affect the network boot process in the PXE environment, which is essential for loading operating systems from the network at boot time. All discovered vulnerabilities are within the DHCPv6 functionality as PXE relies on DHCP at boot time to obtain an IP address and discover the location of the OS image to load.

The PixieFail vulnerabilities are diverse and include integer underflows, buffer overflows, out-of-bounds reads, infinite loops, and the use of weak pseudorandom number generators. These flaws can lead to a range of exploits like remote code execution (RCE), denial-of-service (DoS) attacks, DNS cache poisoning, and sensitive data leakage.

Key vulnerabilities include improper handling of DHCPv6 Advertise messages leading to integer underflow (CVE-2023-45229), buffer overflows in the DHCPv6 client due to Server ID options (CVE-2023-45230 and CVE-2023-45235), and issues in parsing IPv6 Destination Options headers causing infinite loops (CVE-2023-45232 and CVE-2023-45233). Proof of concept scripts to detect the presence of the vulnerabilities are located here. 

This type of exploit is particularly insidious as it occurs before the operating system loads, bypassing many traditional security measures such as antivirus software or operating system-level security features.

Impact and Severity

The PixieFail vulnerabilities are notable because they allow remote-code execution (RCE) given the attacker is on the same network. Eclypsium discovered early RCE vulnerabilities in UEFI, such as BIOSDisconnect, which only affected Dell systems. In contrast, the PixieFail flaws impact a wide range of vendors who utilize Tianocore’s EDK II UEFI implementation and its NetworkPkg module. At the time of this writing AMI, Insyde Software, Intel, and Phoenix Technologies are officially listed as affected. Microsoft, based on the disclosure timeline details, is also likely affected but has not updated the CERT KB with an official status.

The vulnerabilities were disclosed to the affected vendors, and coordinated efforts have been underway to address them (for full details, and perhaps one of the most interesting disclosure timelines published recently, see the Quarkslab post disclosure timeline section). However, as of the latest information, most vendor patches are still in testing or non-validated states, and Tianocore has provided fixes for the first seven vulnerabilities.

Detection and Mitigation 

Importantly, attackers must have access to the same network as the target devices to exploit the PixieFail vulnerabilities. Quarkslab has released proof-of-concept (PoC) exploits to help network administrators detect vulnerable devices. IT teams are advised to stay updated with vendor communications and apply patches as they become available. These vulnerabilities underscore the importance of rigorous security practices in network boot environments. Additional countermeasures include applying firmware updates when available, network monitoring to detect exploitation attempts, and monitoring usage of PXE (especially DHCPv6 traffic).

PixieFAIL CVEs in Dell systems detected by Eclypsium

Stay tuned for future product updates from the Eclypsium team as they become available.

Complexity in the UEFI Supply Chain

In August 2023 (coincidentally, the same month that Quarkslab started the PixieFail disclosure process), the UEFI Forum published a white paper titled, Decoding UEFI Firmware Unraveling the Intricacies of System Firmware, its Ecosystem and Supply Chain. The paper is worth a read if you want to understand the complex web of suppliers involved in producing finished UEFI-compliant firmware. As illustrated with the PixieFail vulnerabilities, software defects can have cascading results that are difficult to remediate. The paper summarizes the challenge, “The flexibility of the UEFI standard has helped this dynamic ecosystem evolve by supporting this model, but it also contributes to the difficulty of responding to security vulnerabilities.” 

The diagram below shows how the PixieFail vulnerabilities in the EDK II NetworkPkg IP stack has a wide-reaching impact on downstream component suppliers and OEMs. 

Resources

• Vulnerabilities in EDK2 NetworkPkg IP stack implementation. (VU#132380)
• PixieFail: Nine vulnerabilities in Tianocore’s EDK II IPv6 network stack. 
• PixieFAIL Testing Scripts (Github)

The post Understanding & Detecting PixieFail UEFI Vulnerabilities appeared first on Eclypsium | Supply Chain Security for the Modern Enterprise.

Article Link: Understanding & Detecting PixieFail UEFI Vulnerabilities - Eclypsium | Supply Chain Security for the Modern Enterprise