Multiple security vulnerabilities have been discovered in the TCP/IP network protocol stack of an open-source reference implementation of the UEFI specification. Dubbed PixieFail, these nine issues in the TianoCore EFI Development Kit II (EDK II) could lead to remote code execution, denial-of-service (DoS) attacks, DNS cache poisoning, and leakage of sensitive information. UEFI firmware from AMI, Intel, Insyde, and Phoenix Technologies is affected. EDK II ships its own TCP/IP stack, NetworkPkg, which provides the networking used during the Preboot eXecution Environment (PXE) stage: it lets a machine fetch its configuration and boot image over the network before any operating system is loaded, so the stack parses packets from the network at a point where no OS-level protections exist.
The vulnerabilities identified by Quarkslab in EDK II's NetworkPkg fall into two groups. Most are memory-safety and parsing bugs triggered by malformed packets: an integer underflow, several buffer overflows, an out-of-bounds read, and infinite loops, affecting the stack's handling of IPv4 and IPv6 traffic. The remaining two are design weaknesses rather than parsing bugs: predictable TCP initial sequence numbers and the use of a weak pseudorandom number generator (PRNG), which make the values an attacker must guess to hijack a TCP connection or poison a DNS answer far easier to predict.
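To make the parsing flaw classes concrete, the following is an added example (not EDK II code and not from Quarkslab's advisory) in C. It walks the option TLV layout that IPv6 Hop-by-Hop and Destination Options headers use (RFC 8200, section 4.2: a 1-byte type, a 1-byte data length, then the data; Pad1 is a single zero byte). The first walker is assumed to carry two bugs of the kind named above: it trusts the length field from the wire, so a consumer of the option data reads past the buffer, and it keeps its cursor in an 8-bit integer that wraps, so a crafted option makes it loop forever. The second walker checks every length against the bytes that remain and always advances. The sample inputs are constructed; the function names, the `walk_result` struct and the iteration cap exist only for this demonstration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed example, not EDK II NetworkPkg code: two walkers over the
 * option TLV layout of IPv6 Hop-by-Hop and Destination Options headers
 * (RFC 8200, section 4.2): Option Type (1 byte), Opt Data Len (1 byte),
 * Option Data. Pad1 (type 0) is a single byte with no length field. */

#define PAD1 0x00

struct walk_result {
    int    status;   /* 0 = walk terminated, -1 = hit the iteration cap */
    size_t reach;    /* highest byte offset the option data would extend to */
};

/* Vulnerable pattern, assumed for illustration: the data length from the wire
 * is trusted, and the cursor is an 8-bit integer that silently wraps.
 * To stay memory-safe as a demo it never dereferences past 'len'; it records
 * the offset the option data would reach, and stops after 'max_iter' options
 * so a walk that would never terminate is reported instead of hanging. */
struct walk_result walk_options_unsafe(const uint8_t *opts, size_t len,
                                       size_t max_iter)
{
    struct walk_result r = {0, 0};
    uint8_t off = 0;                         /* BUG 1: wraps after 255 */
    size_t iter = 0;

    while (off < len) {
        if (++iter > max_iter) { r.status = -1; return r; }
        if (opts[off] == PAD1) { off++; continue; }
        /* BUG 2: dlen is never compared with the bytes that remain, so a
         * consumer copying 'dlen' bytes of option data reads past the buffer.
         * (The guard on off + 1 exists only to keep this demo in bounds.) */
        uint8_t dlen = (off + 1u < len) ? opts[off + 1] : 0;
        size_t end = (size_t)off + 2 + dlen;
        if (end > r.reach) r.reach = end;
        off = (uint8_t)(off + 2 + dlen);     /* BUG 1: 0 + 2 + 254 -> 0 */
    }
    return r;
}

/* Hardened walker: size_t cursor, each length checked against what remains
 * before it is used, and the cursor always moves forward, so the loop ends.
 * Returns the number of options seen, or -1 for a malformed list. */
int walk_options_safe(const uint8_t *opts, size_t len)
{
    size_t off = 0;
    int count = 0;

    while (off < len) {
        if (opts[off] == PAD1) { off++; count++; continue; }
        /* Require the 2-byte option header before reading the length field.
         * Because off < len here, len - off cannot wrap, and after this check
         * len - off - 2 cannot either. */
        if (len - off < 2) return -1;
        size_t dlen = opts[off + 1];
        if (dlen > len - off - 2) return -1;  /* truncated option */
        off += 2 + dlen;                      /* advances by at least 2 */
        count++;
    }
    return count;
}

/* Constructed sample inputs. */
static const uint8_t SAMPLE_VALID[] = {
    0x00,                   /* Pad1 */
    0x01, 0x02, 0x00, 0x00, /* PadN, 2 data bytes */
    0x3e, 0x01, 0x7f        /* unknown type, 1 data byte */
};
static const uint8_t SAMPLE_TRUNCATED[] = {
    0x01, 0x10, 0xAA, 0xBB  /* PadN claims 16 data bytes, only 2 present */
};
#define WRAP_LEN 300
/* One PadN with 254 data bytes (header + data = 256) followed by Pad1 bytes:
 * an 8-bit cursor lands back on offset 0 after the first option. */
const uint8_t *wrap_sample(void)
{
    static uint8_t buf[WRAP_LEN];
    memset(buf, PAD1, sizeof buf);
    buf[0] = 0x01; buf[1] = 254;
    return buf;
}

int main(void)
{
    struct walk_result r;
    r = walk_options_unsafe(SAMPLE_TRUNCATED, sizeof SAMPLE_TRUNCATED, 64);
    printf("truncated: unsafe reach=%zu of %zu bytes, safe=%d\n",
           r.reach, sizeof SAMPLE_TRUNCATED,
           walk_options_safe(SAMPLE_TRUNCATED, sizeof SAMPLE_TRUNCATED));
    r = walk_options_unsafe(wrap_sample(), WRAP_LEN, 64);
    printf("wrap: unsafe status=%d (cap hit), safe=%d options\n",
           r.status, walk_options_safe(wrap_sample(), WRAP_LEN));
    r = walk_options_unsafe(SAMPLE_VALID, sizeof SAMPLE_VALID, 64);
    printf("valid: unsafe reach=%zu, safe=%d options\n",
           r.reach, walk_options_safe(SAMPLE_VALID, sizeof SAMPLE_VALID));
    return 0;
}
```

On the truncated sample the unsafe walker would have a consumer read up to offset 18 of a 4-byte buffer, while the safe walker rejects it; on the wrap sample the unsafe walker never leaves offset 0 and is only stopped by the demo's iteration cap, while the safe walker parses 45 options. The two checks that matter are the ones in `walk_options_safe`: verify the header fits before reading the length, and verify the length fits before consuming the data, in an integer type wide enough that the cursor cannot wrap.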
The impact and exploitability of these vulnerabilities depend on the firmware build (whether NetworkPkg is compiled in at all) and on the default PXE boot configuration, since the vulnerable code only runs when the firmware brings up the network during boot. An attacker on the same local network, or in certain scenarios a remote one, could exploit these weaknesses to execute code in the firmware, cause denial of service, conduct DNS cache poisoning, or extract sensitive information.
Affected users should check with their hardware vendor for firmware updates that incorporate the EDK II fixes and apply them. Where network boot is not needed, disabling PXE in firmware setup removes the exposed code path; where it is needed, keeping boot-time network traffic on a segment that untrusted hosts cannot reach limits who can send the malformed packets in the first place.