    PixieFail UEFI flaw exposes millions of computers to RCE, DoS and data theft

    By techempire

    Report | January 18, 2024 | Editorial Department | Firmware Security/Vulnerabilities


    Multiple security vulnerabilities have been disclosed in the TCP/IP network protocol stack of the open source reference implementation of the Unified Extensible Firmware Interface (UEFI) specification, which is widely used in modern computers.

    Collectively referred to as PixieFail by Quarkslab, these nine issues exist in the TianoCore EFI Development Kit II (EDK II) and can be exploited to achieve remote code execution, denial of service (DoS), DNS cache poisoning, and sensitive information leakage.

    UEFI firmware (which boots the operating system) from AMI, Intel, Insyde and Phoenix Technologies is affected by these flaws.

    EDK II integrates its own TCP/IP stack (called NetworkPkg) to enable networking capabilities during the initial Preboot eXecution Environment (PXE, pronounced “pixie”) phase, allowing administrative tasks to be performed in the absence of a running operating system.


    In other words, it is a client-server interface that boots a device from its network interface card (NIC) and allows administrators to remotely configure and boot networked computers that do not yet have an operating system loaded.

    The PXE code is included as part of the UEFI firmware on the motherboard or in the NIC firmware read-only memory (ROM).


    The problems discovered by Quarkslab in EDK II’s NetworkPkg include overflow errors, out-of-bounds reads, infinite loops, and the use of weak pseudo-random number generators (PRNG). These problems can lead to DNS and DHCP poisoning attacks, information leakage, denial of service, and data insertion attacks at the IPv4 and IPv6 layer.

    The list of defects is as follows –

    • CVE-2023-45229 (CVSS score: 6.5) – Integer underflow when processing IA_NA/IA_TA options in DHCPv6 Advertisement messages
    • CVE-2023-45230 (CVSS score: 8.3) – Buffer overflow in DHCPv6 client via long server ID option
    • CVE-2023-45231 (CVSS score: 6.5) – Out-of-bounds read when processing ND redirect message with truncated options
    • CVE-2023-45232 (CVSS score: 7.5) – Infinite loop when parsing unknown options in Destination Options header
    • CVE-2023-45233 (CVSS score: 7.5) – Infinite loop when parsing PadN options in Destination Options header
    • CVE-2023-45234 (CVSS score: 8.3) – Buffer overflow in handling DNS server options in DHCPv6 advertisement messages
    • CVE-2023-45235 (CVSS score: 8.3) – Buffer overflow when processing server ID option from DHCPv6 proxy advertisement message
    • CVE-2023-45236 (CVSS score: 5.8) – Predictable TCP initial sequence number
    • CVE-2023-45237 (CVSS score: 5.3) – Use of a weak pseudo-random number generator
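
The DHCPv6 entries in this list (long Server ID, IA_NA/IA_TA underflow, DNS server option overflow) all concern how option lengths are handled. As an added illustration, not code from EDK II or Quarkslab, the C walker below validates every length before using it; the struct, the function name and the MAX_DNS cap are assumptions, and the size limits follow RFC 8415 and RFC 3646.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Option codes and wire sizes per RFC 8415 / RFC 3646; MAX_DNS is a local cap. */
enum { OPT_SERVERID = 2, OPT_IA_NA = 3, OPT_IA_TA = 4, OPT_DNS = 23 };
enum { DUID_MIN = 3, DUID_MAX = 130, IA_NA_HDR = 12, IA_TA_HDR = 4, MAX_DNS = 4 };
struct dhcp6_info {                 /* hypothetical result struct */
    uint8_t  server_id[DUID_MAX];
    uint16_t server_id_len;
    uint16_t ia_subopt_len;         /* bytes of sub-options inside the IA */
    uint8_t  dns[MAX_DNS][16];
    uint8_t  dns_count;
};

/* Returns 0 on success, -1 on any malformed option; lengths are checked first. */
int dhcp6_parse_options(const uint8_t *buf, size_t len, struct dhcp6_info *out)
{
    size_t off = 0;
    memset(out, 0, sizeof *out);
    while (off < len) {
        if (len - off < 4) return -1;                  /* truncated header */
        uint16_t code = (uint16_t)((buf[off] << 8) | buf[off + 1]);
        uint16_t olen = (uint16_t)((buf[off + 2] << 8) | buf[off + 3]);
        off += 4;
        if (olen > len - off) return -1;               /* data runs past packet */
        switch (code) {
        case OPT_SERVERID:                             /* reject over-long DUID */
            if (olen < DUID_MIN || olen > DUID_MAX) return -1;
            memcpy(out->server_id, buf + off, olen);
            out->server_id_len = olen;
            break;
        case OPT_IA_NA:
        case OPT_IA_TA: {
            uint16_t hdr = (code == OPT_IA_NA) ? IA_NA_HDR : IA_TA_HDR;
            if (olen < hdr) return -1;                 /* olen - hdr would wrap */
            out->ia_subopt_len = (uint16_t)(olen - hdr);
            break;
        }
        case OPT_DNS:                                  /* whole 16-byte addresses */
            if (olen == 0 || olen % 16 || olen / 16 > MAX_DNS) return -1;
            memcpy(out->dns, buf + off, olen);
            out->dns_count = (uint8_t)(olen / 16);
            break;
        default: break;                                /* unknown option: skip */
        }
        off += olen;
    }
    return 0;
}
```
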

    “The impact and exploitability of these vulnerabilities depend on the specific firmware version and default PXE boot configuration,” the CERT Coordination Center (CERT/CC) said in an advisory.

    “An attacker within the local network (and in some cases, a remote attacker) can exploit these vulnerabilities to execute remote code, launch a DoS attack, poison the DNS cache, or extract sensitive information.”
