A set of nine vulnerabilities, collectively called ‘PixieFail,’ impact the IPv6 network protocol stack of Tianocore’s EDK II, the open-source reference implementation of the UEFI specification widely used in enterprise computers and servers.
The flaws are present in the PXE network boot process, which is crucial for provisioning operating systems in data centers and high-performance computing environments, and a standard procedure for loading OS images from the network at boot.
The PixieFail flaws were discovered by Quarkslab researchers and have already been disclosed to impacted vendors via a coordinated effort by CERT/CC and CERT-FR.
PixieFail details
The PixieFail vulnerabilities arise from the implementation of IPv6 in the Preboot Execution Environment (PXE), part of the UEFI spec.
PXE enables network booting, and its IPv6 implementation introduces additional protocols, increasing the attack surface.
PixieFail attacks consist of nine flaws that can be exploited locally on a network to cause denial of service (DoS), information disclosure, remote code execution (RCE), DNS cache poisoning, and network session hijacking.
Below is a summary of the nine PixieFail flaws:
- CVE-2023-45229: Improper handling of IA_NA/IA_TA options in DHCPv6 Advertise messages, leading to an integer underflow and potential memory corruption.
- CVE-2023-45230: Problematic handling of long Server ID options in DHCPv6, allowing for buffer overflow and potentially leading to remote code execution or system crashes.
- CVE-2023-45231: Problematic handling of truncated options in Neighbor Discovery (ND) Redirect messages, leading to out-of-bounds read.
- CVE-2023-45232: Flaw in the IPv6 Destination Options header parsing, where unknown options can trigger an infinite loop, causing a denial of service.
- CVE-2023-45233: Infinite loop issue in parsing the PadN option in the IPv6 Destination Options header.
- CVE-2023-45234: Buffer overflow problem when handling the DNS Servers option in a DHCPv6 Advertise message.
- CVE-2023-45235: Vulnerability in handling the Server ID option from a DHCPv6 proxy Advertise message, leading to a buffer overflow.
- CVE-2023-45236: The TCP stack in EDK II generates predictable Initial Sequence Numbers, making it susceptible to TCP session hijacking attacks.
- CVE-2023-45237: Use of a weak pseudo-random number generator in the network stack, potentially facilitating various network attacks.
Of the above, the most severe are CVE-2023-45230 and CVE-2023-45235, which allow attackers to perform remote code execution, possibly leading to complete system compromise.
Quarkslab has released proof-of-concept (PoC) exploits that allow admins to detect vulnerable devices on their network.
Widespread impact
The PixieFail vulnerabilities impact Tianocore’s EDK II UEFI implementation and other vendors using its NetworkPkg module, including major tech companies and BIOS providers.
According to Quarkslab, this includes Arm Ltd., Insyde Software, American Megatrends Inc. (AMI), Phoenix Technologies Inc., and Microsoft Corporation. CERT/CC’s security advisory also states that Intel is impacted.
Although the EDK2 package is included in ChromeOS’s source code tree, Google has specified that it is not used in production Chromebooks and isn’t impacted by the PixieFail flaws.
The initial disclosure to CERT/CC occurred on August 3, 2023, and the disclosure deadline was set to November 2, 2023, right at the 90-day mark.
Due to complexities in fixing the issues faced by multiple vendors, CERT/CC moved the disclosure date numerous times, initially December 1, 2023, and then later to January 16, 2024.
Still, some asked for a larger postponement, with Microsoft requesting the target date to be moved to May 2024.
At this time, most vendor patches are in a testing/non-validated state, and Tianocore has provided fixes for the first seven vulnerabilities.