The Unified Extensible Firmware Interface (UEFI), a set of routines that boot an operating system, contains nearly a dozen vulnerabilities that, when linked together, can be used to deploy malware at the firmware level.
This is evident from a new report from Quarkslab, which describes the shortcomings and a proof-of-concept solution.
The flaws were found in functions related to IPv6 and can be exploited in the Preboot Execution Environment (PXE), if configured to use IPv6. Because the environment is often called Pixieboot, the researchers named the vulnerability PixieFail. Pixieboot, like ArsTechnica explains that this is a mechanism commonly used by companies to power up large numbers of devices, such as servers. In such scenarios, the operating system is not located on the endpoint itself, but on a central server. The devices that boot use the Dynamic Host Configuration Protocol to locate the server and then request the OS image.
Patches in the making
In theory, if a person has even the slightest access to the target network (such as a low-level employee, a customer with a cloud account, or a hacker with pre-installed malware or access to customer accounts), they can use it. to cause the endpoints to download a malicious firmware image instead of the clean one.
The vulnerabilities are tracked as CVE-2023-45229, CVE-2023-45230, CVE-2023-45231, CVE-2023-45232, CVE-2023-45233, CVE-2023-45234, CVE-2023-45235, CVE-2023 -45235, CVE-2023-45236 and CVE-2023-45237.
Arm, AMI, Insyde, Phoenix Technologies and Microsoft are all said to be vulnerable to PixieFail. The makers are currently pushing updates to their customers, ArsTechnica added, saying some have already released their patches. For example, AMI has released a patch, while Microsoft is currently “taking appropriate action”.
Other manufacturers, including Arm, Insyde and Phoenix, have yet to make a statement.
While this vulnerability appears to affect most business users, some researchers say even private users and regular consumers should fix the flaw as fixes become available.