Subject: PSA-2024-00001-1: PixieFAIL EDK2 PXE vulnerabilities
Advisory date: 2024-01-24
Package(s):
- Proxmox VE 7.x:
- Proxmox VE 8.x:
- pve-edk2-firmware-ovmf
- pve-edk2-firmware-legacy
Details:
Nine vulnerabilities in EDK II's reference EFI implementation that can be exploited by unauthenticated remote attackers on the same local network, and in some cases, by attackers on remote networks were identified by researchers at QuarksLab. The impact of these vulnerabilities includes denial of service, information leakage, remote code execution, DNS cache poisoning, and network session hijacking, mainly via IPv6.
EDK II is used in Proxmox VE to provide the UEFI firmware to VM guests. PXE booting is enabled by default as lowest priority boot mechanism.
Fixed:
- pve-edk2-firmware-ovmf 4.2023.08-3 (Proxmox VE 8.x)
- pve-edk2-firmware 4.20230228-4~bpo11+2 (Proxmox VE 7.x)
Not Fixed:
- pve-edk2-firmware-legacy
(Proxmox VE 8.x, static copy of legacy 2 MB firmware files that cannot be build anymore, only used for backwards compatibility)
References:
-
https://blog.quarkslab.com/pixiefai...-in-tianocores-edk-ii-ipv6-network-stack.html
- CVE-2023-45229: Integer underflow when processing IA_NA/IA_TA options in a DHCPv6 Advertise message
- CVE-2023-45230: Buffer overflow in the DHCPv6 client via a long Server ID option
- CVE-2023-45231: Out of Bounds read when handling a ND Redirect message with truncated options
- CVE-2023-45232: Infinite loop when parsing unknown options in the Destination Options header
- CVE-2023-45233: Infinite loop when parsing a PadN option in the Destination Options header
- CVE-2023-45234: Buffer overflow when processing DNS Servers option in a DHCPv6 Advertise message
- CVE-2023-45235: Buffer overflow when handling Server ID option from a DHCPv6 proxy Advertise message
- CVE-2023-45236: Predictable TCP Initial Sequence Numbers
- CVE-2023-45237: Use of a Weak PseudoRandom Number Generator