The French security company Quarkslab recently disclosed a set of UEFI vulnerabilities, collectively named PixieFAIL, that allow an attacker on the local network to launch denial-of-service attacks, execute arbitrary code, and hijack network sessions during network boot. Products from Microsoft, ARM, Google and other vendors are affected.
The vulnerabilities lie in the IPv6 network stack (NetworkPkg) of TianoCore EDK II, the open-source UEFI reference implementation originally developed by Intel, and consist of nine individual CVEs:
- Integer underflow vulnerability: CVE-2023-45229
- Buffer overflow vulnerabilities: CVE-2023-45230, CVE-2023-45234, CVE-2023-45235
- Out-of-bounds read vulnerability: CVE-2023-45231
- Infinite loop vulnerabilities: CVE-2023-45232, CVE-2023-45233
- Predictable TCP initial sequence numbers: CVE-2023-45236
- Weak pseudo-random number generator: CVE-2023-45237
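To make the first class on that list concrete, here is an added example in C, constructed for this page and not taken from EDK II, Quarkslab's advisory, or any affected vendor's code. It parses a DHCPv6-style TLV option in which a 16-bit length field is followed by 12 fixed bytes and then nested sub-options; the option layout, the constants `OPT_HDR_LEN` and `FIXED_FIELDS`, the function names and the two packets are all assumptions made for the demonstration. The vulnerable parser subtracts the fixed-field size from the advertised length before checking that the length is large enough, so unsigned arithmetic wraps and the sub-option walker is handed a region of about 4 GiB; the hardened parser validates the advertised length against both the fixed fields and the bytes actually present first, and the walker length-checks every sub-option so a bad inner length is rejected instead of causing an out-of-bounds read or an endless loop.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/*
 * Constructed example: a TLV option parser in the style of a DHCPv6 client,
 * illustrating the integer-underflow class. NOT the EDK II NetworkPkg code;
 * layout, constants and names are assumptions made for this demonstration.
 *
 * Option layout (big-endian):
 *   uint16 code | uint16 len | 12 fixed bytes | sub-options (code,len,data)...
 * `len` counts everything after the 4-byte option header.
 */
#define OPT_HDR_LEN  4
#define FIXED_FIELDS 12

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Vulnerable: trusts the advertised length. Subtracting FIXED_FIELDS before
 * checking len >= FIXED_FIELDS wraps in unsigned arithmetic, so a short option
 * yields a sub-option region of ~4 GiB for the walker to read past the packet.
 * Returns the region length the walker would be handed. */
int64_t suboption_region_vulnerable(const uint8_t *opt, size_t avail) {
    if (avail < OPT_HDR_LEN) return -1;
    uint16_t len = rd16(opt + 2);
    uint32_t region = (uint32_t)len - FIXED_FIELDS;   /* wraps when len < 12 */
    return (int64_t)region;
}

/* Hardened: validate the advertised length against the fixed fields and the
 * bytes actually present in the packet before doing any arithmetic on it. */
int64_t suboption_region_hardened(const uint8_t *opt, size_t avail) {
    if (avail < OPT_HDR_LEN) return -1;
    uint16_t len = rd16(opt + 2);
    if (len < FIXED_FIELDS) return -1;                 /* too short: reject  */
    if ((size_t)len > avail - OPT_HDR_LEN) return -1;  /* truncated: reject  */
    return (int64_t)(len - FIXED_FIELDS);
}

/* Walk sub-options inside an already-validated region. Returns the number of
 * sub-options, or -1 if any sub-option header or payload overruns the region.
 * The offset always advances by at least OPT_HDR_LEN, so the loop terminates. */
int count_suboptions(const uint8_t *region, size_t region_len) {
    size_t off = 0;
    int n = 0;
    while (off < region_len) {
        if (region_len - off < OPT_HDR_LEN) return -1;
        uint16_t sublen = rd16(region + off + 2);
        if (sublen > region_len - off - OPT_HDR_LEN) return -1;
        off += OPT_HDR_LEN + sublen;
        n++;
    }
    return n;
}

/* Constructed packets, not captured traffic. */
/* Well-formed: len 18 = 12 fixed bytes + one sub-option (4-byte header, 2 data) */
static const uint8_t good_opt[] = {
    0x00, 0x03, 0x00, 0x12,             /* code 3, len 18                    */
    0, 0, 0, 1, 0, 0, 0, 0, 0, 0, 0, 0, /* 12 fixed bytes                    */
    0x00, 0x05, 0x00, 0x02, 0xAA, 0xBB  /* sub-option code 5, len 2          */
};
/* Malicious: advertised len 8 is smaller than the 12 fixed bytes */
static const uint8_t short_opt[] = {
    0x00, 0x03, 0x00, 0x08,
    0, 0, 0, 1, 0, 0, 0, 0
};

int main(void) {
    printf("good:  vulnerable=%lld hardened=%lld subopts=%d\n",
           (long long)suboption_region_vulnerable(good_opt, sizeof good_opt),
           (long long)suboption_region_hardened(good_opt, sizeof good_opt),
           count_suboptions(good_opt + OPT_HDR_LEN + FIXED_FIELDS, 6));
    printf("short: vulnerable=%lld hardened=%lld\n",
           (long long)suboption_region_vulnerable(short_opt, sizeof short_opt),
           (long long)suboption_region_hardened(short_opt, sizeof short_opt));
    return 0;
}
```

The ordering of the checks is the whole point: every length that comes off the wire must be compared against what it must at least contain and against what the buffer actually holds before it is used in subtraction or as a loop bound. The same discipline covers the out-of-bounds read and infinite-loop classes on the list, which is why the walker re-checks each nested length rather than trusting the outer one.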
The researchers pointed out that many enterprise computers and servers boot their operating systems over the network. To support this, UEFI implements a complete IP stack in the Driver Execution Environment (DXE) phase, and that stack is where the vulnerabilities lie. An attacker on the same local network can exploit them during the Preboot Execution Environment (PXE) boot process, compromising a machine before its operating system has even loaded.
Because Microsoft Project Mu, Google ChromeOS, Phoenix Technologies' SecureCore and other products all incorporate TianoCore EDK II code, PixieFAIL affects those products as well.
Quarkslab had in fact reported PixieFAIL to the French Computer Emergency Response and Coordination Center (CERT-FR) in August 2023, together with proof-of-concept programs for seven of the nine vulnerabilities. The company originally planned to disclose them publicly on November 2, 2023, but vendors repeatedly asked for more time and the date was pushed back several times. Only once most vendors had completed their fixes did Quarkslab officially publish the details.