
Nine vulnerabilities in EDK II affect enterprise environments worldwide. Researchers at France’s Quarkslab found that this open-source implementation of the UEFI specification can be abused by malicious actors, and that the resulting infections are very difficult to detect or remove.

The nine vulnerabilities are exploitable in the PXE (Preboot Execution Environment) when it uses IPv6 for networking. TianoCore EDK II, an open-source implementation of UEFI, is used by several major vendors running cloud services and data centers, mostly to boot servers in large data centers. With PXE, a boot server holds an OS image that client devices request over the network via DHCP; that image can thus be manipulated at the UEFI level.

Because the vulnerabilities sit in the boot process, a resulting compromise is much harder to detect or remove: endpoint security solutions cannot detect UEFI infections, while such infections give an attacker a great deal of control.

PixieFail

Quarkslab refers to the nine PXE vulnerabilities collectively as “PixieFail.” According to the researchers, they can be exploited relatively easily: attackers need no physical access to the client or the boot server, Quarkslab states. Anyone who already has access to an affected network can serve other devices on it a malicious UEFI image; those with such access could include cloud customers as well as employees.

Currently, AMI, Insyde, Intel and Phoenix are known to be affected by the vulnerabilities. Toshiba is not, but numerous other vendors aren’t in the clear yet. These include Microsoft, Google, Dell, Cisco, ARM and HP, among others.

The nine vulnerabilities are:

  • CVE-2023-45229
  • CVE-2023-45230
  • CVE-2023-45231
  • CVE-2023-45232
  • CVE-2023-45233
  • CVE-2023-45234
  • CVE-2023-45235
  • CVE-2023-45236
  • CVE-2023-45237

No CVSS scores have been published for the vulnerabilities yet, but TianoCore.org has already rated the severity of each individual CVE. Those ratings range from 5.3 to 8.3 (on a 0-10 scale), with differing effects: some of the bugs lead to infinite loops, others to buffer overflows, but collectively they enable the infiltrations described above. It shows once again that such scores by themselves are not very telling, as we recently described.
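As an added illustration of the two bug classes named above, in the DHCPv6 handling of a PXE client, here is a bounds-checked walk over DHCPv6 options; this is example code written for this article, not EDK II code or Quarkslab's findings, and the helper name and the sample packets are constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* DHCPv6 options (RFC 8415) are TLVs: 2-byte option code, 2-byte option
 * length, then payload, all big-endian.  A PXE client must trust neither
 * the packet length nor any option's length field. */
#define DHCP6_OPT_HDR 4
enum { DHCP6_OPT_NOT_FOUND = -1, DHCP6_OPT_MALFORMED = -2, DHCP6_OPT_TOO_BIG = -3 };

/* Hypothetical helper (not EDK II code): locate option `want` in `buf` and
 * copy its payload into `out`.  Returns the payload length or a negative
 * code.  Each iteration advances at least 4 bytes, so a crafted length can
 * neither stall the loop nor move the cursor past `len`; the copy is bounded
 * by the caller's `out_cap`, not by the attacker-controlled length field. */
int dhcp6_find_option(const uint8_t *buf, size_t len, uint16_t want,
                      uint8_t *out, size_t out_cap)
{
    size_t off = 0;
    while (off < len) {
        if (len - off < DHCP6_OPT_HDR)          /* header must fit */
            return DHCP6_OPT_MALFORMED;
        uint16_t code = (uint16_t)((buf[off] << 8) | buf[off + 1]);
        uint16_t olen = (uint16_t)((buf[off + 2] << 8) | buf[off + 3]);
        off += DHCP6_OPT_HDR;
        if (olen > len - off)                   /* payload must fit too */
            return DHCP6_OPT_MALFORMED;         /* an unchecked memcpy here is the overflow */
        if (code == want) {
            if (olen > out_cap)
                return DHCP6_OPT_TOO_BIG;
            memcpy(out, buf + off, olen);
            return (int)olen;
        }
        off += olen;
    }
    return DHCP6_OPT_NOT_FOUND;
}

/* Constructed sample replies, not real captures.  Option 59 is
 * OPTION_BOOTFILE_URL (RFC 5970), which a PXE client uses over IPv6;
 * option 23 is OPTION_DNS_SERVERS. */
static const uint8_t good_reply[] = {
    0x00, 0x17, 0x00, 0x02, 0x11, 0x22,                 /* opt 23, len 2 */
    0x00, 0x3b, 0x00, 0x04, 't', 'f', 't', 'p' };       /* opt 59, len 4 */
static const uint8_t truncated_reply[] = {
    0x00, 0x3b, 0x00, 0x10, 't', 'f' };                 /* claims 16, has 2 */
int demo_good(void)      { uint8_t o[16]; return dhcp6_find_option(good_reply, sizeof good_reply, 59, o, sizeof o); }
int demo_truncated(void) { uint8_t o[16]; return dhcp6_find_option(truncated_reply, sizeof truncated_reply, 59, o, sizeof o); }
int demo_small_out(void) { uint8_t o[2];  return dhcp6_find_option(good_reply, sizeof good_reply, 59, o, sizeof o); }
```

The truncated reply is rejected before any byte past the packet is read, and an undersized destination buffer is reported rather than overrun.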

Also read: When is a critical vulnerability actually dangerous?

Because vendors were notified in advance, several patches are already available; AMI, for example, has published a public advisory describing the actions to take. Microsoft initially stated that an attacker must first set up a malicious server within the network, which Quarkslab CRO Iván Arce disputed. Microsoft later revised this, stating that an attacker who can intercept and send network packets can impersonate a server within the network.

The real-world impact of these vulnerabilities has yet to become clear. It is worrying, however, that UEFI firmware can be exploited in an apparently simple manner.