Original Article Text

PixieFail flaws impact PXE network boot in enterprise systems.

A set of nine vulnerabilities, collectively called 'PixieFail,' impact the IPv6 network protocol stack of Tianocore's EDK II, the open-source reference implementation of the UEFI specification widely used in enterprise computers and servers.

The flaws are present in the PXE network boot process, which is crucial for provisioning operating systems in data centers and high-performance computing environments, and a standard procedure for loading OS images from the network at boot.

The PixieFail flaws were discovered by Quarkslab researchers and have already been disclosed to impacted vendors via a coordinated effort by CERT/CC and CERT-FR.

PixieFail details

The PixieFail vulnerabilities arise from the implementation of IPv6 in the Preboot Execution Environment (PXE), part of the UEFI spec. PXE enables network booting, and its IPv6 implementation introduces additional protocols, increasing the attack surface.

PixieFail attacks consist of nine flaws that can be exploited locally on a network to cause denial of service (DoS), information disclosure, remote code execution (RCE), DNS cache poisoning, and network session hijacking.

Below is a summary of the nine PixieFail flaws:

Of the above, the most severe are CVE-2023-45230 and CVE-2023-45235, which allow attackers to perform remote code execution, possibly leading to complete system compromise.

Quarkslab has released proof-of-concept (PoC) exploits that allow admins to detect vulnerable devices on their network.

Widespread impact

The PixieFail vulnerabilities impact Tianocore's EDK II UEFI implementation and other vendors using its NetworkPkg module, including major tech companies and BIOS providers.

According to Quarkslab, this includes Arm Ltd., Insyde Software, American Megatrends Inc. (AMI), Phoenix Technologies Inc., and Microsoft Corporation. CERT/CC's security advisory also states that Intel is impacted.

Although the EDK2 package is included in ChromeOS's source code tree, Google has specified that it is not used in production Chromebooks and isn't impacted by the PixieFail flaws.

The initial disclosure to CERT/CC occurred on August 3, 2023, and the disclosure deadline was set to November 2, 2023, right at the 90-day mark.

Due to complexities in fixing the issues faced by multiple vendors, CERT/CC moved the disclosure date numerous times, initially to December 1, 2023, and then later to January 16, 2024. Still, some asked for a larger postponement, with Microsoft requesting the target date to be moved to May 2024.

At this time, most vendor patches are in a testing/non-validated state, and Tianocore has provided fixes for the first seven vulnerabilities.

Daily Brief Summary

CYBERCRIME // PixieFail Vulnerabilities Expose Enterprise Systems to Network Threats

'PixieFail' refers to nine critical vulnerabilities found in the IPv6 network protocol stack used by Tianocore's EDK II, affecting PXE boot processes in enterprise environments.

Discovered by researchers at Quarkslab, these security flaws can lead to denial of service, information disclosure, remote code execution, DNS cache poisoning, and session hijacking.

Remediation efforts were coordinated through CERT/CC and CERT-FR, with initial disclosures aimed at giving vendors enough time to patch the vulnerabilities.

Two substantial flaws, CVE-2023-45230 and CVE-2023-45235, have been highlighted for their potential to enable remote code execution, leading to possible full system compromise.

Major technology companies such as Arm Ltd., Insyde Software, American Megatrends Inc., Phoenix Technologies, and Microsoft, along with Intel, are among the impacted vendors.

Google's ChromeOS source tree includes the EDK2 package; however, it is not utilized in production Chromebooks and does not suffer from the PixieFail vulnerabilities.

Patching progress has been slow, with postponed disclosure dates and most patches currently still undergoing testing; Tianocore has addressed seven of the nine reported vulnerabilities.