Date: Tue, 16 Jan 2024 18:13:27 +0200 From: Valtteri Vuorikoski <vuori@...com.org> To: oss-security@...ts.openwall.com Subject: CVE-2023-45229 and others: Multiple vulnerabilities in EDK II UEFI stack (PixieFAIL) (Not associated with Quarkslab or Tianocore.) Quarkslab has published an advisory concerning multiple vulnerabilities in the network boot (PXE) component of Tianocore EDK II, the open-source UEFI reference implementation. They title this series of vulnerabilities "PixieFAIL": <https://blog.quarkslab.com/pixiefail-nine-vulnerabilities-in-tianocores-edk-ii-ipv6-network-stack.html> The introduction states: In order to provide [the] network booting feature, UEFI implements a full IP stack at the DXE phase, opening the door to attacks from the local network during this early stage of the boot process. […] The EDK II UEFI reference implementation provides both IPv4- and IPv6-based PXE. In the latest available specification (UEFI 2.10) as of this writing, IPv6-based PXE is described in section "24.3.18 - Netboot6". We performed a cursory inspection of NetworkPkg, Tianocore's EDK II PXE implementation, and identified nine vulnerabilities that can be exploited by unauthenticated remote attackers on the same local network, and in some cases, by attackers on remote networks. The impact of these vulnerabilities includes denial of service, information leakage, remote code execution, DNS cache poisoning, and network session hijacking. The specific vulnerabilities included in the advisory largely, though not exclusively, concern the IPv6 side of the network stack: CVE-2023-45229: Integer underflow when processing IA_NA/IA_TA options in a DHCPv6 Advertise message CVE-2023-45230: Buffer overflow in the DHCPv6 client via a long Server ID option CVE-2023-45231: Out of Bounds read when handling a ND Redirect message with truncated options CVE-2023-45232: Infinite loop when parsing unknown options in the Destination Options header CVE-2023-45233: Infinite loop when parsing a PadN option in the Destination Options header CVE-2023-45234: Buffer overflow when processing DNS Servers option in a DHCPv6 Advertise message CVE-2023-45235: Buffer overflow when handling Server ID option from a DHCPv6 proxy Advertise message CVE-2023-45236: Predictable TCP Initial Sequence Numbers CVE-2023-45237: Use of a Weak PseudoRandom Number Generator Based on the Quarkslab advisory and a separate Microsoft advisory linked therein, many ISVs that use EDK II as the base for their proprietary BIOSes have admitted vulnerabilities. Specific PC vendors are mostly listed as "unknown", but seems likely that the proprietary BIOSes shipped by many of them are vulnerable. I would guess (but have no specific knowledge) that downstream open-source projects that use EDK II code, potentially including the OVMF builds of it commonly used with qemu VMs, will also in many cases be vulnerable if they are built with network boot support enabled. -Valtteri
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.