Researchers at French cybersecurity research company Quarkslab have discovered nine vulnerabilities in TianoCore EDK II, an open-source Unified Extensible Firmware Interface used by various hardware and software manufacturers.

A modern firmware standard, UEFI is integral to booting operating systems on modern computers and bridging communication between the hardware and operating system. Tianocore’s EDK II is a prominent open-source realization of UEFI, offering a crucial firmware development environment and is in widespread use.

Researchers said the vulnerabilities revealed Tuesday, collectively dubbed PixieFail, pose significant threats to network security. They potentially allow remote code execution, denial of service attacks, DNS cache poisoning and leakage of sensitive information.

There are nine PixieFail vulnerabilities, covering issues such as buffer overflows, predictable randomization and improper parsing within the NetworkPkg’s IP stack. The flaws enable unauthenticated local attackers and, in some cases, remote attackers to execute a range of malicious activities.

Although the successful exploitation of the PixieFail vulnerabilities could result in denial of service, data leakage and other nefarious activity, to exploit the vulnerable implementation, the attacker requires the PXE boot option to be enabled. That’s a feature that allows a computer to boot up and load an operating system from a network source.

The researchers note that the impact and exploitability of the vulnerabilities depend on the specific firmware build and the default PXE boot configuration. Where it gets interesting is how many companies could be exposed.

Companies that use Tianocore’s EDK II and are confirmed to be affected include American Megatrends Inc., Intel Corp. and Phoenix Technologies Ltd. However, other companies that may also be affected include Arm Holdings plc, Cisco Systems Inc., Dell Technologies Inc., Amazon Web Services Inc., Microsoft Corp., Google LLC, Hewlett Packard Enterprise Co., HP Inc. and Lenovo Group Ltd.

To address the vulnerabilities, the researchers advise a strategy that includes firmware updates and network security enhancements. The first and most obvious step is updating the UEFI firmware. Users should seek the latest stable version that includes fixes for these vulnerabilities, adhering to vendor-specific advisories.

The research notes that this is particularly important for organizations using Tianocore’s EDK II, as they should integrate the most recent version of EDK II into their firmware development. Adjusting UEFI configuration settings for improved security, such as disabling nonessential features and enabling Secure Boot, is also recommended.

On the network security front, those potentially exposed are advised to disable the PXE boot option if it’s not necessary for the organization’s operational environment. If PXE is essential within the business, network isolation should be implemented, restricting the UEFI Preboot environment to specific, secure network segments and shielding them from unauthorized access.

Other advice includes enhancing network defenses against rogue DHCP services through technologies like Dynamic ARP Inspection and DHCP Snooping. Finally, it’s advised that organizations should consider transitioning to secure network boot protocols such as UEFI HTTPS Boot, which offers a more secure alternative to the traditional PXE boot method in environments where these vulnerabilities could be exploited.

Image: DALL-E 3