Vulnerabilities in Leading UEFI Firmware Put Data Centers at Risk, Allowing Sneaky Firmware-Level Malware Infections

Researchers have discovered vulnerabilities in UEFI firmware from five major suppliers, which allow attackers to infect connected devices with malware that runs at the firmware level. The vulnerabilities, collectively known as PixieFail, present a significant threat to public and private data centers and their users. Even individuals with minimal network access, such as paying customers or low-level employees, can exploit these vulnerabilities to install malicious firmware that is undetectable by standard endpoint protections. This gives the attacker broad control over the infected device.

These vulnerabilities are found in TianoCore EDK II, an open-source implementation of the UEFI specification. The affected suppliers include Arm Ltd., Insyde, AMI, Phoenix Technologies, and Microsoft. The flaws lie in functions that handle IPv6, the successor to the IPv4 Internet Protocol network address system, and can be exploited when the Preboot Execution Environment (PXE) is configured to use IPv6.

Enterprises commonly use PXE, also known as Pixieboot or netboot, to boot up large numbers of devices, particularly servers in data centers. Instead of storing the operating system on each device, PXE retrieves the OS image from a central server. This mechanism offers convenience, uniformity, and quality assurance for data centers and cloud environments. However, exploiting the PixieFail vulnerabilities allows an attacker to manipulate the boot process and download a malicious firmware image instead of the intended one.

The vulnerabilities and associated proof-of-concept code were discovered by researchers from Quarkslab, a cybersecurity firm. They found that an attacker with access to the network—without requiring physical access to the client or boot server—can capture and inject packets to trigger the vulnerabilities. The network presence needed to exploit these vulnerabilities is relatively minor, enabling attackers with legitimate accounts or those with limited system rights to plant a UEFI-controlled backdoor in large server fleets.

According to Iván Arce, Chief Research Officer at Quarkslab, PXE must be turned on and configured to use IPv6 routing for PixieFail to be exploited. This configuration is typically only used in data centers and cloud environments when rebooting a substantial number of servers.

Overall, the PixieFail vulnerabilities pose a significant risk to data centers and their users. Because an attacker can implant malicious code at the firmware level, below the operating system and its endpoint protections, the resulting compromise is both hard to detect and persistent. System administrators are urged to update their firmware and implement strong security measures to mitigate the threat.