Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Tue, 16 Jan 2024 18:13:27 +0200
From: Valtteri Vuorikoski <vuori@...com.org>
To: oss-security@...ts.openwall.com
Subject: CVE-2023-45229 and others: Multiple vulnerabilities in EDK II UEFI
 stack (PixieFAIL)

(Not associated with Quarkslab or Tianocore.)

Quarkslab has published an advisory concerning multiple
vulnerabilities in the network boot (PXE) component of Tianocore EDK
II, the open-source UEFI reference implementation. They title this
series of vulnerabilities "PixieFAIL":
<https://blog.quarkslab.com/pixiefail-nine-vulnerabilities-in-tianocores-edk-ii-ipv6-network-stack.html>

The introduction states:

  In order to provide [the] network booting feature, UEFI implements a
  full IP stack at the DXE phase, opening the door to attacks from the
  local network during this early stage of the boot process.
  […]
  The EDK II UEFI reference implementation provides both IPv4- and
  IPv6-based PXE. In the latest available specification (UEFI 2.10) as
  of this writing, IPv6-based PXE is described in section "24.3.18 -
  Netboot6".

  We performed a cursory inspection of NetworkPkg, Tianocore's EDK II
  PXE implementation, and identified nine vulnerabilities that can be
  exploited by unauthenticated remote attackers on the same local
  network, and in some cases, by attackers on remote networks. The
  impact of these vulnerabilities includes denial of service,
  information leakage, remote code execution, DNS cache poisoning, and
  network session hijacking.

The specific vulnerabilities included in the advisory largely, though
not exclusively, concern the IPv6 side of the network stack:

CVE-2023-45229: Integer underflow when processing IA_NA/IA_TA options
in a DHCPv6 Advertise message

CVE-2023-45230: Buffer overflow in the DHCPv6 client via a long Server
ID option

CVE-2023-45231: Out of Bounds read when handling a ND Redirect message
with truncated options

CVE-2023-45232: Infinite loop when parsing unknown options in the
Destination Options header

CVE-2023-45233: Infinite loop when parsing a PadN option in the
Destination Options header

CVE-2023-45234: Buffer overflow when processing DNS Servers option in
a DHCPv6 Advertise message

CVE-2023-45235: Buffer overflow when handling Server ID option from a
DHCPv6 proxy Advertise message

CVE-2023-45236: Predictable TCP Initial Sequence Numbers

CVE-2023-45237: Use of a Weak PseudoRandom Number Generator

Based on the Quarkslab advisory and a separate Microsoft advisory
linked therein, many ISVs that use EDK II as the base for their
proprietary BIOSes have admitted vulnerabilities. Specific PC vendors
are mostly listed as "unknown", but seems likely that the proprietary
BIOSes shipped by many of them are vulnerable.

I would guess (but have no specific knowledge) that downstream
open-source projects that use EDK II code, potentially including the
OVMF builds of it commonly used with qemu VMs, will also in many cases
be vulnerable if they are built with network boot support enabled.

 -Valtteri
 

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.