A collection of security vulnerabilities found within the de facto open source implementation of the UEFI specification could expose systems to a range of threats, from remote code execution (RCE) and denial-of-service (DoS) to data leakage and DNS cache poisoning.
The flaws – collectively referred to as PixieFail by researchers with French cybersecurity firm Quarkslab – were found in the network stack of the TianoCore EFI Development Kit (EDK) II and can be exploited by threat actors during a network boot process.
Quarkslab has been looking into the security around EDK II for several months, finding what the researchers called an “unimpressive bug” in June 2023.
In the latest evaluation, “we performed a cursory inspection of NetworkPkg, TianoCore’s EDK II PXE implementation, and identified nine vulnerabilities that can be exploited by unauthenticated remote attackers on the same local network, and in some cases, by attackers on remote networks,” Quarkslab researchers wrote in a report.
NetworkPkg is the TCP/IP stack in EDK II, which is maintained by TianoCore, a community of software developers, and available on GitHub. PXE is the Preboot Execution Environment specification – also known as “netboot” or “Pixie boot” – that lets computers in client-server environments boot remotely over the network.
They noted that network boot is a common feature in enterprise computers and servers, and that using it to load an OS image from the network at boot time is widely used in data centers and high-performance computing (HPC) clusters that can have hundreds or thousands of compute nodes.
In such environments, the nodes need to be provisioned with the same OS and software configuration, so downloading and running the OS from central servers makes management easier.
“In order to provide this network booting feature, UEFI implements a full IP stack at the DXE [driver execution environment] phase, opening the door to attacks from the local network during this early stage of the boot process,” they wrote.
In the report last year, Quarkslab proved that a bug with minimal capabilities could – in the right context – allow bad actors to gain RCE, so the researchers decided to look for UEFI flaws that could be triggered remotely and open systems up to exploitation and persistence. They turned to EDK II, which provides both IPv4- and IPv6-based PXE, and after a “cursory inspection of NetworkPkg” found the nine vulnerabilities.
The vulnerable module is used not only in TianoCore’s EDK II NetworkPkg PXE stack but also by vendors that build on it, including Arm in its reference solutions, Microsoft’s Project Mu – a modular adaptation of EDK II – Insyde Software (InsydeH2O UEFI BIOS), Phoenix Technologies (SecureCore), and American Megatrends (Aptio OpenEdition).
The CERT Coordination Center in a note included a more exhaustive list of vendors affected by the module and recommendations for deploying fixes and mitigations.
“Quarkslab researchers have discovered several vulnerabilities within the EDKII’s NetworkPkg IP stack, introduced due to classic issues like buffer overflow, predictable randomization, and improper parsing. These vulnerabilities pose risks, allowing unauthenticated local attackers (and in certain scenarios, remotely) to execute various attacks,” CERT wrote.
John Gallagher, vice president of Viakoo Labs, pointed to warnings from the National Security Agency (NSA) last year about the BlackLotus malware targeting UEFI Secure Boot.
“Now PixieFAIL, which provides even more exploitability,” Gallagher said. “Threat actors aim at the weakest part of an organization’s defenses and the parts that take a long time to remediate. Over the last few years that’s why exploits focused on IoT [and] OT systems have been increasing, and in a similar way exploits aimed at UEFI.”
While vendors impacted by PixieFail “have all provided patched versions for their downstream supply chain, this will likely be exploitable for a while for systems already provisioned and deployed,” he said. “UEFI vulnerabilities are particularly difficult to mitigate and remediate because they are in the earliest stage of software and hardware interactions. This stage of system initialization also provides root access to a variety of services, which makes the overall attack surface quite large.”
The nine bugs found by Quarkslab bring with them a range of threats, including buffer overflows, out-of-bounds reads, infinite loops, and a weak pseudorandom number generator.
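As an added illustration of the bug classes the article lists (out-of-bounds reads and non-terminating loops in packet parsing), here is a constructed, bounds-checked walker for DHCP-style option fields. It is example code written for this page, not EDK II or any vendor's code, and it does not reproduce any of the nine PixieFail bugs; the packet bytes in main() are constructed samples.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Walk a DHCP-style option list: each option is [code][len][len data bytes],
 * code 0 is a one-byte pad and code 255 is the end marker.
 *
 * Returns the number of well-formed options, or -1 if the buffer is
 * malformed: a length byte is missing, or an option's declared length runs
 * past the end of the packet. A parser that trusted the declared length
 * would read beyond the buffer; one that did not advance on every iteration
 * could spin forever on attacker-controlled input.
 */
int parse_options(const uint8_t *buf, size_t size)
{
    size_t pos = 0;
    int count = 0;

    while (pos < size) {
        uint8_t code = buf[pos];

        if (code == 0) {            /* pad: single byte, no length field */
            pos++;
            continue;
        }
        if (code == 255)            /* end marker */
            return count;
        if (pos + 1 >= size)        /* length byte would be past the buffer */
            return -1;

        uint8_t len = buf[pos + 1];
        /* Check the declared length against the bytes actually remaining
         * (size - pos - 2) before touching any option data. */
        if (len > size - pos - 2)
            return -1;

        /* Option data lives at buf + pos + 2 and is in bounds here. */
        count++;
        pos += 2 + (size_t)len;     /* always advances by >= 2: loop terminates */
    }
    return count;                   /* no end marker, but nothing read out of bounds */
}

int main(void)
{
    /* Constructed samples: a valid list and a truncated one. */
    const uint8_t good[] = { 53, 1, 2, 54, 4, 192, 168, 1, 1, 255 };
    const uint8_t bad[]  = { 53, 1, 2, 54, 10, 1, 2 };   /* len 10, 2 bytes left */

    printf("good: %d options\n", parse_options(good, sizeof good));
    printf("bad:  %d (malformed)\n", parse_options(bad, sizeof bad));
    return 0;
}
```

The check that matters is the comparison against the remaining length before any option data is dereferenced; the unconditional advance of pos is what rules out the infinite-loop case on crafted input.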