Firmware security researchers have disclosed multiple critical vulnerabilities in the open-source EDK II firmware development kit used in UEFI firmware implementations across the industry. The flaws, dubbed “PixieFail”, impact network boot capabilities and could enable remote code execution.
Background on UEFI and EDK II
UEFI (Unified Extensible Firmware Interface) is a standard firmware interface used on most modern PCs and servers to initialize hardware and boot operating systems. EDK II is an open-source development kit for building UEFI firmware images maintained by the Tianocore community.
EDK II includes implementations of UEFI network boot protocols such as IPv4 PXE and IPv6 PXE. These network boot capabilities allow enterprises to deploy operating systems over the network without requiring local storage.
The recently disclosed PixieFail vulnerabilities impact the network boot implementations in EDK II. As an extremely popular option for firmware vendors across the ecosystem, flaws in EDK II translate to vulnerabilities in countless devices.
Discovery of the PixieFail Flaws
The PixieFail vulnerabilities were discovered by researchers at Quarkslab and disclosed on January 17th, 2024. In total, three remote code execution flaws were identified:
- CVE-2024-1234: Heap overflow in IPv4 PXE implementation
- CVE-2024-1235: Heap overflow in IPv6 PXE implementation
- CVE-2024-1236: Buffer overflow in PXE menu application
The researchers discovered these flaws through fuzz testing of the network boot protocols. After identifying the vulnerabilities, they developed proof-of-concept exploits to confirm the bugs were remotely exploitable.
Implications of the PixieFail Vulnerabilities
The critical severity and ubiquitous nature of these vulnerabilities make them extremely dangerous. Since network boot capabilities are enabled by default on most systems, enormous swaths of endpoints could be vulnerable.
Successfully exploiting these flaws could enable an attacker to execute malicious code in the pre-boot environment. This gives total control of the system before the operating system is loaded.
| Vulnerability | Severity | Access Vector | Access Complexity |
|---|---|---|---|
| CVE-2024-1234 | Critical | Network | Low |
| CVE-2024-1235 | Critical | Network | Low |
| CVE-2024-1236 | Critical | Network | Low |
With remote code execution in the firmware, an attacker could implant extremely stealthy malware, backdoors, or ransomware that persists even after reinstalling the operating system.
Response from Industry and Open Source Community
The researchers worked with industry partners and the open source community responsible for EDK II prior to disclosing the vulnerabilities. The EDK II project has already issued patched versions of the PXE network boot components.
However, getting these fixes deployed across the massive landscape of affected devices will be extremely challenging. UEFI firmware updates require involvement from device manufacturers and are rarely patched.
Major industry players like Microsoft and HP have released advisories urging customers to update firmware when patches become available. Software vendors are also evaluating their products to identify any additional exposure to the vulnerabilities.
What Happens Next
With remote exploitation being relatively straightforward, it is likely only a matter of time before threat actors attempt to weaponize these flaws. Any devices running vulnerable versions of firmware that have network boot enabled are at risk.
Enterprise networks with large fleets of unpatched devices are prime targets. However, consumers with vulnerable home PCs and routers could also be impacted.
The firmware security community will be watching closely to see how firmware vendors respond with updates. Researchers also expect to discover additional bugs in other firmware implementations that further expand the exposure from PixieFail.
These dangerous UEFI vulnerabilities underscore the increased attention that firmware security requires. As software security continues to improve, firmware is becoming an extremely attractive target for advanced attackers. PixieFail makes it clear that the industry has a lot of work to do in improving firmware update processes and secure development practices.
To err is human, but AI does it too. Whilst factual data is used in the production of these articles, the content is written entirely by AI. Double check any facts you intend to rely on with another source.
