CVSS 3.1: Attack Vector: ADJACENT | Attack Complexity: LOW | Privileges Required: NONE | User Interaction: NONE | Scope: UNCHANGED | Confidentiality Impact: HIGH | Integrity Impact: HIGH | Availability Impact: HIGH
CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
AI Score: | Confidence: High
EPSS Percentile: 76.7%
Multiple vulnerabilities were discovered in the TCP/IP stack (NetworkPkg) of Tianocore EDKII, an open source implementation of the Unified Extensible Firmware Interface (UEFI). Researchers at Quarkslab have identified a total of 9 vulnerabilities that, if exploited over the network, can lead to remote code execution, DoS attacks, DNS cache poisoning, and/or potential leakage of sensitive information. Quarkslab has labeled this set of related vulnerabilities PixieFail.
UEFI represents a contemporary firmware standard pivotal in initiating the operating system on modern computers and in facilitating communication between the hardware and OS. TianoCore’s EDKII stands as an open-source implementation adhering to UEFI and UEFI Platform Initialization (PI) specifications, offering an essential firmware development environment across platforms. Within EDKII, the NetworkPkg software encompasses a TCP/IP stack, enabling crucial network functionalities available during the initial Preboot eXecution Environment (PXE) stages. The PXE environment, when enabled, allows machines to boot via network connectivity, eliminating the need for physical interaction or keyboard access. Typically employed in larger data centers, PXE is vital for automating early boot phases, particularly in high-performance computing (HPC) environments.
Quarkslab researchers have discovered several vulnerabilities within EDKII's NetworkPkg IP stack, introduced by classic issues such as buffer overflows, predictable randomization, and improper parsing. These vulnerabilities allow unauthenticated local attackers (and, in certain scenarios, remote attackers) to carry out a range of attacks. Successful exploitation can result in denial of service, leakage of sensitive data, remote code execution, DNS cache poisoning, and network session hijacking. Exploiting the vulnerable NetworkPkg implementation requires that the PXE boot option be enabled on the target.
Tianocore's EDKII is used as reference code or adopted as-is by many vendors for their UEFI implementations and is distributed through the supply chain to other vendors in the PC market. Because these libraries are so widely used, the vulnerabilities may be present in a large number of implementations. We recommend that users consult vendor-specific advisories and details that will help resolve these issues.
The impact and exploitability of these vulnerabilities depend on the specific firmware build and the default PXE boot configuration. An attacker within the local network (and, in certain scenarios, remotely) could exploit these weaknesses to execute remote code, initiate DoS attacks, conduct DNS cache poisoning, or extract sensitive information.
Update to the latest stable version of UEFI firmware that includes fixes for these vulnerabilities. Please follow the advisory and any details provided by your vendor. Downstream users of Tianocore EDKII that incorporate NetworkPkg should update to the latest version provided by the Tianocore project. Please follow any vendor-provided recommended configurations that can limit exposure to these vulnerabilities as suitable to your environment.
In operational environments, you may consider the following workarounds to prevent exposure to and potential exploitation of these vulnerabilities:
* Disable PXE boot if it is not used or supported in your computing environment.
* Enforce network isolation so that the UEFI preboot environment is available only on a specific network that is protected from unauthorized access.
* Deploy available protections against rogue DHCP services in your computing environment, using capabilities such as Dynamic ARP Inspection and DHCP snooping.
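As an added example that is not part of this note (and not EDKII or vendor code), a small POSIX shell check that reads `efibootmgr` output from a Linux host and reports whether a network boot entry is in the UEFI boot order, which is the first thing to establish before deciding whether the "disable PXE" workaround applies. The entry-label patterns and the sample output are assumptions.

```shell
# Added example (not from the CERT/CC note or the EDKII project): inspect the
# UEFI boot entries a Linux host reports via `efibootmgr` and report whether a
# network (PXE/HTTP) boot option sits in the boot order, i.e. whether the host
# would enter the NetworkPkg preboot stack on its own. The label patterns are an
# assumption; adjust them to how your firmware names its network entries.

# Constructed sample of `efibootmgr` output (not captured from a real host).
SAMPLE_EFIBOOTMGR='BootOrder: 0003,0001,0002
Boot0000* Windows Boot Manager
Boot0001* ubuntu
Boot0002* UEFI: PXE IPv6 Intel(R) Ethernet Connection
Boot0003* UEFI: PXE IPv4 Intel(R) Ethernet Connection
Boot0004  UEFI: HTTP IPv4 Intel(R) Ethernet Connection'

# Boot#### ids of active entries ("*" after the id) whose label looks like a
# network boot option. Inactive entries are skipped. $1 is efibootmgr text.
network_boot_entries() {
  printf '%s\n' "$1" | awk '
    /^Boot[0-9A-Fa-f][0-9A-Fa-f][0-9A-Fa-f][0-9A-Fa-f]\*/ &&
    /PXE|Network|IPv4|IPv6|HTTP/ { print substr($1, 5, 4) }'
}

# 1-based position of the first active network entry in BootOrder, or 0 when
# none is in the order. Position 1 means the preboot TCP/IP stack runs on
# every boot, before the OS loader even gets a chance.
first_network_boot_position() {
  printf '%s\n' "$1" | awk '
    /^Boot[0-9A-Fa-f][0-9A-Fa-f][0-9A-Fa-f][0-9A-Fa-f]\*/ &&
    /PXE|Network|IPv4|IPv6|HTTP/ { net[substr($1, 5, 4)] = 1 }
    /^BootOrder:/ { order = $2 }
    END {
      n = split(order, ids, ",")
      for (i = 1; i <= n; i++) if (ids[i] in net) { print i; exit }
      print 0
    }'
}

# "exposed-first": network boot is tried first; "exposed": later in the order;
# "clear": no active network entry is in the order (such entries may still be
# picked from the firmware boot menu, so disabling PXE in setup is the full fix).
pxe_exposure() {
  pos=$(first_network_boot_position "$1")
  if [ "$pos" -eq 1 ]; then echo exposed-first
  elif [ "$pos" -gt 1 ]; then echo exposed
  else echo clear; fi
}

# Replace the sample with "$(efibootmgr)" (needs root) to check the live host.
pxe_exposure "$SAMPLE_EFIBOOTMGR"
```

On the constructed sample the check reports `exposed-first`, since the IPv4 PXE entry heads the boot order.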
Follow security best practices in the design of the preboot environment that provides OS deployment capabilities to your organization. UEFI supply-chain vendors should also consider migrating to modern network boot environments that employ secure protocols, such as UEFI HTTPS Boot, which can limit abuse of the security issues tied to legacy PXE boot.
Thanks to Quarkslab for researching and reporting these vulnerabilities and for supporting coordinated disclosure.
This document was written by Vijay Sarvepalli.
VU#132380
Notified: 2023-08-03 | Updated: 2024-02-21 | Statement Date: January 09, 2024
CVE-2023-45229: Affected | CVE-2023-45230: Affected | CVE-2023-45231: (no status shown)
AMI has advised on remediations and other updates for these 9 issues to downstream partners (AMI customers).
For a better understanding, the high-level stages of the advisory process that an AMI customer participates in are as follows: [Vuln Sighting] -> [NDA advisory and fixes to downstream partners] -> [Supply Chain Integration] -> [Public Advisory]. More info here: https://www.ami.com/security-center/
Notified: 2023-08-14 | Updated: 2024-05-06 | Statement Date: May 06, 2024
CVE-2023-45229: Affected | CVE-2023-45230: Affected | CVE-2023-45231: (no status shown)
Fujitsu is aware of the vulnerabilities in AMI and Insyde firmware (AMI Aptio V, Insyde InsydeH2O UEFI-BIOS) known as “PixieFail”.
Affected products are Fujitsu CCD (Client Computing Devices) and datacenter server devices.
The Fujitsu PSIRT (Europe) released FJ-ISS-2023-112100 on https://security.ts.fujitsu.com (Security Notices) accordingly; see https://security.ts.fujitsu.com/ProductSecurity/content/Fujitsu-PSIRT-FJ-ISS-2023-112100-Security-Notice.pdf
In case of questions regarding this Fujitsu PSIRT Security Notice, please contact the Fujitsu PSIRT (Europe) ([email protected]).
Notified: 2023-08-03 | Updated: 2024-01-16 | Statement Date: December 06, 2023
CVE-2023-45229: Affected | CVE-2023-45230: Affected | CVE-2023-45231: (no status shown)
Insyde has provided updates based on the upstream EDK2 patches for all issues to our customers except CVE-2023-45326 and CVE-2023-45327. We are waiting for consensus in the EDK2 project before creating patches for these lower-priority issues which do not seriously impact booting from signed OS images, which is the primary use case.
Notified: 2023-08-03 | Updated: 2024-01-18 | Statement Date: January 18, 2024
CVE-2023-45229: Affected | CVE-2023-45230: Affected | CVE-2023-45231: (no status shown)
Updates for affected Intel products are pending.
Notified: 2023-08-03 | Updated: 2024-01-16
CVE-2023-45229: Affected | CVE-2023-45230: Affected | CVE-2023-45231: (no status shown)
We have not received a statement from the vendor.
Notified: 2023-08-14 | Updated: 2024-01-16 | Statement Date: September 11, 2023
CVE-2023-45229: Not Affected | CVE-2023-45230: Not Affected | CVE-2023-45231: (no status shown)
We have not received a statement from the vendor.
Notified: 2023-08-14 | Updated: 2024-01-16 | Statement Date: December 08, 2023
CVE-2023-45229: Unknown | CVE-2023-45230: Unknown | CVE-2023-45231: (no status shown)
We have not received a statement from the vendor.
Notified: 2023-08-14 | Updated: 2024-01-16
CVE-2023-45229: Unknown | CVE-2023-45230: Unknown | CVE-2023-45231: (no status shown)
We have not received a statement from the vendor.
Notified: 2023-08-14 | Updated: 2024-01-16
CVE-2023-45229: Unknown | CVE-2023-45230: Unknown | CVE-2023-45231: (no status shown)
We have not received a statement from the vendor.
Notified: 2023-08-03 | Updated: 2024-01-16
CVE-2023-45229: Unknown | CVE-2023-45230: Unknown | CVE-2023-45231: (no status shown)
We have not received a statement from the vendor.
Notified: 2023-08-14 | Updated: 2024-01-16
CVE-2023-45229: Unknown | CVE-2023-45230: Unknown | CVE-2023-45231: (no status shown)
We have not received a statement from the vendor.
Notified: 2023-12-04 | Updated: 2024-01-16
CVE-2023-45229: Unknown | CVE-2023-45230: Unknown | CVE-2023-45231: (no status shown)
We have not received a statement from the vendor.
Notified: 2023-08-14 | Updated: 2024-01-16
CVE-2023-45229: Unknown | CVE-2023-45230: Unknown | CVE-2023-45231: (no status shown)
We have not received a statement from the vendor.
Notified: 2023-08-14 | Updated: 2024-01-16
CVE-2023-45229: Unknown | CVE-2023-45230: Unknown | CVE-2023-45231: (no status shown)
We have not received a statement from the vendor.
Notified: 2023-08-14 | Updated: 2024-01-16
CVE-2023-45229: Unknown | CVE-2023-45230: Unknown | CVE-2023-45231: (no status shown)
We have not received a statement from the vendor.
Notified: 2023-08-03 | Updated: 2024-01-16
CVE-2023-45229: Unknown | CVE-2023-45230: Unknown | CVE-2023-45231: (no status shown)
We have not received a statement from the vendor.
Notified: 2023-08-14 | Updated: 2024-01-16
CVE-2023-45229: Unknown | CVE-2023-45230: Unknown | CVE-2023-45231: (no status shown)
We have not received a statement from the vendor.
Notified: 2023-08-14 | Updated: 2024-01-16
CVE-2023-45229: Unknown | CVE-2023-45230: Unknown | CVE-2023-45231: (no status shown)
We have not received a statement from the vendor.
Notified: 2023-08-14 | Updated: 2024-01-16
CVE-2023-45229: Unknown | CVE-2023-45230: Unknown | CVE-2023-45231: (no status shown)
We have not received a statement from the vendor.
Notified: 2023-08-14 | Updated: 2024-01-16
CVE-2023-45229: Unknown | CVE-2023-45230: Unknown | CVE-2023-45231: (no status shown)
We have not received a statement from the vendor.
Notified: 2023-08-14 | Updated: 2024-01-16
CVE-2023-45229: Unknown | CVE-2023-45230: Unknown | CVE-2023-45231: (no status shown)
We have not received a statement from the vendor.
Notified: 2023-08-03 | Updated: 2024-01-16
CVE-2023-45229: Unknown | CVE-2023-45230: Unknown | CVE-2023-45231: (no status shown)
We have not received a statement from the vendor.
Notified: 2023-08-14 | Updated: 2024-01-16
CVE-2023-45229: Unknown | CVE-2023-45230: Unknown | CVE-2023-45231: (no status shown)
We have not received a statement from the vendor.
CVE IDs: CVE-2023-45229, CVE-2023-45230, CVE-2023-45231, CVE-2023-45232, CVE-2023-45233, CVE-2023-45234, CVE-2023-45235, CVE-2023-45236, CVE-2023-45237
API URL: VINCE JSON
Date Public: 2024-01-16
Date First Published: