
CERT Coordination Center

Vulnerabilities in EDK2 NetworkPkg IP stack implementation.

Vulnerability Note VU#132380

Original Release Date: 2024-01-16 | Last Revised: 2024-02-21

Overview

Multiple vulnerabilities were discovered in the TCP/IP stack (NetworkPkg) of Tianocore EDKII, an open source implementation of the Unified Extensible Firmware Interface (UEFI). Researchers at Quarkslab have identified a total of 9 vulnerabilities that, if exploited over the network, can lead to remote code execution, DoS attacks, DNS cache poisoning, and/or potential leakage of sensitive information. Quarkslab has labeled this set of related vulnerabilities PixieFail.

Description

UEFI represents a contemporary firmware standard pivotal in initiating the operating system on modern computers and in facilitating communication between the hardware and OS. TianoCore's EDKII stands as an open-source implementation adhering to UEFI and UEFI Platform Initialization (PI) specifications, offering an essential firmware development environment across platforms. Within EDKII, the NetworkPkg software encompasses a TCP/IP stack, enabling crucial network functionalities available during the initial Preboot eXecution Environment (PXE) stages. The PXE environment, when enabled, allows machines to boot via network connectivity, eliminating the need for physical interaction or keyboard access. Typically employed in larger data centers, PXE is vital for automating early boot phases, particularly in high-performance computing (HPC) environments.

Quarkslab researchers have discovered several vulnerabilities within EDKII's NetworkPkg IP stack, introduced by classic issues such as buffer overflows, predictable randomization, and improper parsing. These vulnerabilities allow unauthenticated local attackers (and, in certain scenarios, remote attackers) to carry out various attacks. Successful exploitation can result in denial of service, leakage of sensitive data, remote code execution, DNS cache poisoning, and network session hijacking. To exploit the vulnerable NetworkPkg implementation, the attacker requires the PXE boot option to be enabled.

Tianocore's EDKII is used as reference code or adopted as-is by many vendors for their UEFI implementations and is distributed through the supply chain to other vendors in the PC market. Due to the widespread use of these libraries, these vulnerabilities may be present in a large number of implementations. We recommend that users consult vendor-specific advisories and details that will help resolve these issues.

Impact

The impact and exploitability of these vulnerabilities depend on the specific firmware build and the default PXE boot configuration. An attacker within the local network (and, in certain scenarios, remotely) could exploit these weaknesses to execute remote code, initiate DoS attacks, conduct DNS cache poisoning, or extract sensitive information.

Solution

Apply updates

Update to the latest stable version of UEFI firmware that includes fixes for these vulnerabilities. Please follow the advisory and any details provided by your vendor as part of this advisory. Downstream users of Tianocore EDKII that incorporate NetworkPkg should update to the latest version provided by the Tianocore project. Please follow any vendor-recommended configurations that can limit exposure to these vulnerabilities, as suitable to your environment.

Enforce network security

In operational environments, consider the following workarounds to prevent exposure and potential exploitation of these vulnerabilities:

* Disable PXE boot if it is not used or supported in your computing environment.
* Enforce network isolation so that the UEFI preboot environment is available to a specific network that is protected from unauthorized access.
* Protect your computing environment from rogue DHCP services using capabilities such as Dynamic ARP Inspection and DHCP snooping.
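The rogue-DHCP protection mentioned above can also run as a monitoring rule: flag any DHCPv4 server message whose server identifier is not on an allowlist, and record the boot file it advertises. This is an added example, not code from CERT/CC, Quarkslab or TianoCore; the allowlisted address 10.0.0.2, the function names and the sample packets are constructed assumptions, and only DHCPv4 is covered.

```python
import ipaddress

MAGIC_COOKIE = b"\x63\x82\x53\x63"        # RFC 2131: precedes the options field
SERVER_MSGS = {2: "OFFER", 5: "ACK", 6: "NAK"}   # option 53 values only servers send
ALLOWED_SERVERS = {"10.0.0.2"}            # assumption: the site's sanctioned DHCP server


def parse_options(data):
    """Walk DHCP option TLVs; reject truncated options instead of over-reading."""
    opts, i = {}, 0
    while i < len(data) and data[i] != 255:   # 255 = END
        if data[i] == 0:                      # PAD has no length byte
            i += 1
            continue
        if i + 1 >= len(data):
            raise ValueError("truncated option header")
        code, length = data[i], data[i + 1]
        value = data[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("option %d overruns packet" % code)
        opts[code] = value
        i += 2 + length
    return opts


def check_dhcp_reply(payload, allowed=ALLOWED_SERVERS):
    """Return an alert for a server message from an unlisted server, else None."""
    if len(payload) < 240 or payload[0] != 2 or payload[236:240] != MAGIC_COOKIE:
        return None                           # not a DHCP BOOTREPLY
    opts = parse_options(payload[240:])
    msg_type = (opts.get(53) or b"\x00")[0]   # option 53 = message type
    if msg_type not in SERVER_MSGS:
        return None
    sid = opts.get(54, b"")                   # option 54 = server identifier
    server = str(ipaddress.IPv4Address(sid)) if len(sid) == 4 else "missing"
    if server in allowed:
        return None
    boot_file = opts.get(67, b"").decode("ascii", "replace")   # option 67 = bootfile
    return "unlisted DHCP %s from %s bootfile=%r" % (SERVER_MSGS[msg_type], server, boot_file)


def build_reply(server_ip, msg_type, boot_file=b""):
    """Constructed sample: 236-byte BOOTP header (op=2) plus options 53, 54, 67."""
    opts = bytes([53, 1, msg_type, 54, 4]) + ipaddress.IPv4Address(server_ip).packed
    if boot_file:
        opts += bytes([67, len(boot_file)]) + boot_file
    return bytes([2, 1, 6, 0]) + bytes(232) + MAGIC_COOKIE + opts + b"\xff"
```

Feed `check_dhcp_reply` the UDP payload of traffic sent from port 67 on the provisioning VLAN; a non-None result means a server outside the allowlist answered a boot client.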

Employ secure OS deployments

Follow security best practices in the design of the preboot environment that provides OS deployment capabilities to your organization. UEFI supply-chain vendors should also consider migrating to modern network boot environments that employ secure protocols, such as UEFI HTTPS Boot, which can limit abuse of the security issues related to legacy PXE boot.

Acknowledgements

Thanks to Quarkslab for researching and reporting these vulnerabilities and supporting coordinated disclosure.

This document was written by Vijay Sarvepalli.

Vendor Information


American Megatrends Incorporated (AMI) Affected

Notified:  2023-08-03 Updated: 2024-02-21

Statement Date:   January 09, 2024

CVE-2023-45229 Affected
CVE-2023-45230 Affected
CVE-2023-45231 Affected
CVE-2023-45232 Affected
CVE-2023-45233 Affected
CVE-2023-45234 Affected
CVE-2023-45235 Affected
CVE-2023-45236 Affected
CVE-2023-45237 Affected

Vendor Statement

AMI has advised on remediations and other updates for these 9 issues to downstream partners (AMI customers).

For a better understanding, the high-level stages of the advisory process that an AMI customer participates in are as follows: [Vuln Sighting]->[NDA advisory and fixes to downstream partners]->[Supply Chain Integration]->[Public Advisory]. More info here: https://www.ami.com/security-center/

Insyde Software Corporation Affected

Notified:  2023-08-03 Updated: 2024-01-16

Statement Date:   December 06, 2023

CVE-2023-45229 Affected
CVE-2023-45230 Affected
CVE-2023-45231 Affected
CVE-2023-45232 Affected
CVE-2023-45233 Affected
CVE-2023-45234 Affected
CVE-2023-45235 Affected
CVE-2023-45236 Affected
CVE-2023-45237 Affected

Vendor Statement

Insyde has provided updates based on the upstream EDK2 patches for all issues to our customers except CVE-2023-45326 and CVE-2023-45327. We are waiting for consensus in the EDK2 project before creating patches for these lower-priority issues which do not seriously impact booting from signed OS images, which is the primary use case.

Intel Affected

Notified:  2023-08-03 Updated: 2024-01-18

Statement Date:   January 18, 2024

CVE-2023-45229 Affected
CVE-2023-45230 Affected
CVE-2023-45231 Affected
CVE-2023-45232 Affected
CVE-2023-45233 Affected
CVE-2023-45234 Affected
CVE-2023-45235 Affected
CVE-2023-45236 Affected
CVE-2023-45237 Affected

Vendor Statement

Updates for affected Intel products are pending.

Phoenix Technologies Affected

Notified:  2023-08-03 Updated: 2024-01-16

CVE-2023-45229 Affected
CVE-2023-45230 Affected
CVE-2023-45231 Affected
CVE-2023-45232 Affected
CVE-2023-45233 Affected
CVE-2023-45234 Affected
CVE-2023-45235 Affected
CVE-2023-45236 Affected
CVE-2023-45237 Affected

Vendor Statement

We have not received a statement from the vendor.

Toshiba Corporation Not Affected

Notified:  2023-08-14 Updated: 2024-01-16

Statement Date:   September 11, 2023

CVE-2023-45229 Not Affected
CVE-2023-45230 Not Affected
CVE-2023-45231 Not Affected
CVE-2023-45232 Not Affected
CVE-2023-45233 Not Affected
CVE-2023-45234 Not Affected
CVE-2023-45235 Not Affected
CVE-2023-45236 Not Affected
CVE-2023-45237 Not Affected

Vendor Statement

We have not received a statement from the vendor.

Fujitsu_Europe Unknown

Notified:  2023-08-14 Updated: 2024-01-31

Statement Date:   January 31, 2024

CVE-2023-45229 Unknown
CVE-2023-45230 Unknown
CVE-2023-45231 Unknown
CVE-2023-45232 Unknown
CVE-2023-45233 Unknown
CVE-2023-45234 Unknown
CVE-2023-45235 Unknown
CVE-2023-45236 Unknown
CVE-2023-45237 Unknown

Vendor Statement

Fujitsu is aware of the vulnerabilities in AMI and Insyde firmware (AMI Aptio V, Insyde InsydeH2O UEFI-BIOS) known as "PixieFail".

The affection state of Fujitsu CCD (Client Computing Device) and Fujitsu SERVER devices is still under investigation.

The Fujitsu PSIRT (Europe) released FJ-ISS-2023-112100 on https://security.ts.fujitsu.com (Security Notices) accordingly; see https://security.ts.fujitsu.com/ProductSecurity/content/Fujitsu-PSIRT-FJ-ISS-2023-112100-Security-Notice.pdf

In case of questions regarding this Fujitsu PSIRT Security Notice, please contact the Fujitsu PSIRT (Europe) (Fujitsu-PSIRT@ts.fujitsu.com).

Microsoft Unknown

Notified:  2023-08-14 Updated: 2024-01-16

Statement Date:   December 08, 2023

CVE-2023-45229 Unknown
CVE-2023-45230 Unknown
CVE-2023-45231 Unknown
CVE-2023-45232 Unknown
CVE-2023-45233 Unknown
CVE-2023-45234 Unknown
CVE-2023-45235 Unknown
CVE-2023-45236 Unknown
CVE-2023-45237 Unknown

Vendor Statement

We have not received a statement from the vendor.

Acer Unknown

Notified:  2023-08-14 Updated: 2024-01-16

CVE-2023-45229 Unknown
CVE-2023-45230 Unknown
CVE-2023-45231 Unknown
CVE-2023-45232 Unknown
CVE-2023-45233 Unknown
CVE-2023-45234 Unknown
CVE-2023-45235 Unknown
CVE-2023-45236 Unknown
CVE-2023-45237 Unknown

Vendor Statement

We have not received a statement from the vendor.

Amazon Unknown

Notified:  2023-08-14 Updated: 2024-01-16

CVE-2023-45229 Unknown
CVE-2023-45230 Unknown
CVE-2023-45231 Unknown
CVE-2023-45232 Unknown
CVE-2023-45233 Unknown
CVE-2023-45234 Unknown
CVE-2023-45235 Unknown
CVE-2023-45236 Unknown
CVE-2023-45237 Unknown

Vendor Statement

We have not received a statement from the vendor.

ARM Limited Unknown

Notified:  2023-08-03 Updated: 2024-01-16

CVE-2023-45229 Unknown
CVE-2023-45230 Unknown
CVE-2023-45231 Unknown
CVE-2023-45232 Unknown
CVE-2023-45233 Unknown
CVE-2023-45234 Unknown
CVE-2023-45235 Unknown
CVE-2023-45236 Unknown
CVE-2023-45237 Unknown

Vendor Statement

We have not received a statement from the vendor.

ASUSTeK Computer Inc. Unknown

Notified:  2023-08-14 Updated: 2024-01-16

CVE-2023-45229 Unknown
CVE-2023-45230 Unknown
CVE-2023-45231 Unknown
CVE-2023-45232 Unknown
CVE-2023-45233 Unknown
CVE-2023-45234 Unknown
CVE-2023-45235 Unknown
CVE-2023-45236 Unknown
CVE-2023-45237 Unknown

Vendor Statement

We have not received a statement from the vendor.

Cisco Unknown

Notified:  2023-12-04 Updated: 2024-01-16

CVE-2023-45229 Unknown
CVE-2023-45230 Unknown
CVE-2023-45231 Unknown
CVE-2023-45232 Unknown
CVE-2023-45233 Unknown
CVE-2023-45234 Unknown
CVE-2023-45235 Unknown
CVE-2023-45236 Unknown
CVE-2023-45237 Unknown

Vendor Statement

We have not received a statement from the vendor.

Dell Unknown

Notified:  2023-08-14 Updated: 2024-01-16

CVE-2023-45229 Unknown
CVE-2023-45230 Unknown
CVE-2023-45231 Unknown
CVE-2023-45232 Unknown
CVE-2023-45233 Unknown
CVE-2023-45234 Unknown
CVE-2023-45235 Unknown
CVE-2023-45236 Unknown
CVE-2023-45237 Unknown

Vendor Statement

We have not received a statement from the vendor.

Gamma Tech Computer Corp. Unknown

Notified:  2023-08-14 Updated: 2024-01-16

CVE-2023-45229 Unknown
CVE-2023-45230 Unknown
CVE-2023-45231 Unknown
CVE-2023-45232 Unknown
CVE-2023-45233 Unknown
CVE-2023-45234 Unknown
CVE-2023-45235 Unknown
CVE-2023-45236 Unknown
CVE-2023-45237 Unknown

Vendor Statement

We have not received a statement from the vendor.

GETAC Inc. Unknown

Notified:  2023-08-14 Updated: 2024-01-16

CVE-2023-45229 Unknown
CVE-2023-45230 Unknown
CVE-2023-45231 Unknown
CVE-2023-45232 Unknown
CVE-2023-45233 Unknown
CVE-2023-45234 Unknown
CVE-2023-45235 Unknown
CVE-2023-45236 Unknown
CVE-2023-45237 Unknown

Vendor Statement

We have not received a statement from the vendor.

Google Unknown

Notified:  2023-08-03 Updated: 2024-01-16

CVE-2023-45229 Unknown
CVE-2023-45230 Unknown
CVE-2023-45231 Unknown
CVE-2023-45232 Unknown
CVE-2023-45233 Unknown
CVE-2023-45234 Unknown
CVE-2023-45235 Unknown
CVE-2023-45236 Unknown
CVE-2023-45237 Unknown

Vendor Statement

We have not received a statement from the vendor.

Hewlett Packard Enterprise Unknown

Notified:  2023-08-14 Updated: 2024-01-16

CVE-2023-45229 Unknown
CVE-2023-45230 Unknown
CVE-2023-45231 Unknown
CVE-2023-45232 Unknown
CVE-2023-45233 Unknown
CVE-2023-45234 Unknown
CVE-2023-45235 Unknown
CVE-2023-45236 Unknown
CVE-2023-45237 Unknown

Vendor Statement

We have not received a statement from the vendor.

HP Inc. Unknown

Notified:  2023-08-14 Updated: 2024-01-16

CVE-2023-45229 Unknown
CVE-2023-45230 Unknown
CVE-2023-45231 Unknown
CVE-2023-45232 Unknown
CVE-2023-45233 Unknown
CVE-2023-45234 Unknown
CVE-2023-45235 Unknown
CVE-2023-45236 Unknown
CVE-2023-45237 Unknown

Vendor Statement

We have not received a statement from the vendor.

Lenovo Unknown

Notified:  2023-08-14 Updated: 2024-01-16

CVE-2023-45229 Unknown
CVE-2023-45230 Unknown
CVE-2023-45231 Unknown
CVE-2023-45232 Unknown
CVE-2023-45233 Unknown
CVE-2023-45234 Unknown
CVE-2023-45235 Unknown
CVE-2023-45236 Unknown
CVE-2023-45237 Unknown

Vendor Statement

We have not received a statement from the vendor.

ReactOS Unknown

Notified:  2023-08-14 Updated: 2024-01-16

CVE-2023-45229 Unknown
CVE-2023-45230 Unknown
CVE-2023-45231 Unknown
CVE-2023-45232 Unknown
CVE-2023-45233 Unknown
CVE-2023-45234 Unknown
CVE-2023-45235 Unknown
CVE-2023-45236 Unknown
CVE-2023-45237 Unknown

Vendor Statement

We have not received a statement from the vendor.

Star Labs Online Limited Unknown

Notified:  2023-08-14 Updated: 2024-01-16

CVE-2023-45229 Unknown
CVE-2023-45230 Unknown
CVE-2023-45231 Unknown
CVE-2023-45232 Unknown
CVE-2023-45233 Unknown
CVE-2023-45234 Unknown
CVE-2023-45235 Unknown
CVE-2023-45236 Unknown
CVE-2023-45237 Unknown

Vendor Statement

We have not received a statement from the vendor.

TianoCore EDK2 Unknown

Notified:  2023-08-03 Updated: 2024-01-16

CVE-2023-45229 Unknown
CVE-2023-45230 Unknown
CVE-2023-45231 Unknown
CVE-2023-45232 Unknown
CVE-2023-45233 Unknown
CVE-2023-45234 Unknown
CVE-2023-45235 Unknown
CVE-2023-45236 Unknown
CVE-2023-45237 Unknown

Vendor Statement

We have not received a statement from the vendor.

VAIO Corporation Unknown

Notified:  2023-08-14 Updated: 2024-01-16

CVE-2023-45229 Unknown
CVE-2023-45230 Unknown
CVE-2023-45231 Unknown
CVE-2023-45232 Unknown
CVE-2023-45233 Unknown
CVE-2023-45234 Unknown
CVE-2023-45235 Unknown
CVE-2023-45236 Unknown
CVE-2023-45237 Unknown

Vendor Statement

We have not received a statement from the vendor.



Other Information

CVE IDs: CVE-2023-45229 CVE-2023-45230 CVE-2023-45231 CVE-2023-45232 CVE-2023-45233 CVE-2023-45234 CVE-2023-45235 CVE-2023-45236 CVE-2023-45237
API URL: VINCE JSON | CSAF
Date Public: 2024-01-16
Date First Published: 2024-01-16
Date Last Updated: 2024-02-21 15:36 UTC
Document Revision: 6

Sponsored by CISA.