UEFI firmware from top manufacturers has some serious issues

News
By Sead Fadilpašić
published

There's a way to install malware on hundreds of servers at once

Malware Magnifying Glass
Image Credit: Shutterstock (Image credit: Andriano.cz / Shutterstock)

The Unified Extensible Firmware Interface (UEFI), a set of routines that boot an operating system, carries almost a dozen vulnerabilities which, when chained together, can be used to deploy malware at firmware level. 

This is according to a new report from Quarkslab, who detailed the flaws, and a proof-of-concept solution. 

The flaws were found in functions related to IPv6 and can be exploited in the Preboot Execution Environment (PXE), when configured to use IPv6. As the environment is often dubbed Pixieboot, the researchers named the vulnerability PixieFail. Pixieboot, as ArsTechnica explains, is a mechanism usually used by enterprises to boot up large numbers of devices, such as servers. In such scenarios, the OS is not located on the endpoint itself, but rather on a central server. The devices that are booting up use the Dynamic Host Configuration Protocol to look for the server and then request the OS image. 

Patches in the works

In theory, if a person has even the slightest access to the target network (such as a low-level employee, a customer with a cloud account, or a hacker with pre-installed malware or access to customer accounts), they can use it to get the endpoints to download a malicious firmware image instead of the clean one.

The vulnerabilities are tracked as CVE-2023-45229, CVE-2023-45230, CVE-2023-45231, CVE-2023-45232, CVE-2023-45233, CVE-2023-45234,  CVE-2023-45235, CVE-2023-45235, CVE-2023-45236, and CVE-2023-45237.

Arm, AMI, Insyde, Phoenix Technologies, and Microsoft, were all said to be vulnerable to PixieFail. The makers are currently pushing updates to their customers, ArsTechnica added, saying that some have already released their patches. AMI, for example, has released a patch, while Microsoft is currently “taking appropriate action”. 

Other manufacturers, including Arm, Insyde, and Phoenix, are yet to make a statement. 

While this vulnerability seems to be affecting corporate users most, some researchers are saying that even private users and regular consumers should patch up the flaw as soon as the fixes become available.

More from TechRadar Pro

Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.