A cluster of vulnerabilities dubbed “PixieFail” affects the firmware in servers used across data centers and enterprise networks, potentially enabling attackers to plant deep-rooted malware. With plays on words like “toehold” and “Pixieboot,” the security researchers sounded the alarm about flaws in the PXE boot process that could allow miscreants to execute malicious code before the operating system loads. And unlike a Coreboot developer, who needs a hardware programmer to reflash a chip, attackers can deploy their payloads over the internet.
The revelation casts an ominous cloud over organizations relying on connected servers that use the Unified Extensible Firmware Interface (UEFI). Exploiting the weaknesses could give attackers a stronghold on a server from which to stealthily control it long-term. The vulnerabilities affect open source firmware code used in products from heavy hitters like Microsoft and ARM.
The flaws center around the Preboot Execution Environment (PXE), which data centers often employ to boot legions of servers. Rather than storing the OS locally, PXE grabs it from a central “boot server” on reboot. The industry typically leverages PXE for simplicity and consistency across massive server clusters.
In this case, however, PXE introduces risks rather than remedying them. Attackers can tamper with traffic to trick servers into retrieving malicious firmware posing as the intended operating system image. Once infected, endpoints won’t flag the compromise with traditional security tools, because the malware operates at the BIOS level, before the OS boots.
The stratagem essentially lets attackers compromise enormous collections of servers at once by subverting the PXE process to install corrupted firmware. Successful exploitation provides sweeping control that is stubbornly persistent.
To exacerbate matters, threat actors don’t need privileged network access to trip up servers during reboot. Simply observing data in motion can reveal enough detail to manipulate the PXE protocol. With minimal network presence, bad actors can inject malicious firmware into vulnerable server clusters.
Fortunately, several key limitations curtail mass exposure. Servers must use PXE combined with IPv6 networking, substantially winnowing the number of susceptible endpoints. Additionally, the boot components need to actively rely on the open source EDK II code that contains the flaws.
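As an added defensive illustration, not code from the PixieFail research or from EDK II, the Python script below shows two checks a defender can apply to the boot traffic the article describes. PXE over IPv6 hands out the boot file location through DHCPv6 (RFC 5970, option 59), so the script parses the option TLVs of a DHCPv6 reply while validating every declared option length against the bytes actually received, and it then flags a boot-file URL whose host is not on an allowlist of approved boot servers. The packet bytes, the 2001:db8:: addresses, the hostname and the allowlist are constructed sample data, and the `check_boot_url` / `parse_dhcpv6_options` names are this example's own.

```python
import ipaddress
import struct
from urllib.parse import urlparse

# RFC 5970 option code carrying the PXE boot file URL in DHCPv6 replies.
OPT_BOOTFILE_URL = 59
DHCPV6_REPLY = 7

# Constructed allowlist: the only boot servers this example treats as legitimate.
ALLOWED_BOOT_SERVERS = {"2001:db8::10", "boot.example.internal"}


class MalformedPacket(ValueError):
    """Raised when an option length does not fit the bytes actually received."""


def parse_dhcpv6_options(payload: bytes) -> dict:
    """Parse the option TLVs of a DHCPv6 message (RFC 8415 layout).

    The message starts with msg-type (1 byte) and transaction-id (3 bytes),
    followed by options of the form option-code (2) | option-len (2) | data.
    Each declared length is checked against the remaining bytes *before* the
    data is sliced, so a truncated or oversized length field raises
    MalformedPacket instead of reading beyond the buffer.
    """
    if len(payload) < 4:
        raise MalformedPacket("message shorter than the 4-byte header")
    options = {}
    pos = 4
    while pos < len(payload):
        remaining = len(payload) - pos
        if remaining < 4:
            raise MalformedPacket(f"{remaining} trailing byte(s) cannot hold an option header")
        code, length = struct.unpack_from("!HH", payload, pos)
        pos += 4
        if length > len(payload) - pos:
            raise MalformedPacket(
                f"option {code} declares {length} bytes but only {len(payload) - pos} remain")
        options.setdefault(code, []).append(payload[pos:pos + length])
        pos += length
    return options


def build_dhcpv6_reply(transaction_id: bytes, options) -> bytes:
    """Assemble a DHCPv6 Reply from (code, data) pairs; used only to construct samples."""
    body = bytes([DHCPV6_REPLY]) + transaction_id
    for code, data in options:
        body += struct.pack("!HH", code, len(data)) + data
    return body


def _canonical_host(host: str) -> str:
    """Normalise IPv6 literals so 2001:0db8::10 and 2001:db8::10 compare equal."""
    try:
        return str(ipaddress.ip_address(host))
    except ValueError:
        return host.lower()


def check_boot_url(payload: bytes, allowed_hosts=ALLOWED_BOOT_SERVERS) -> tuple:
    """Classify a DHCPv6 reply: ok / rogue-boot-server / no-boot-url / malformed."""
    try:
        options = parse_dhcpv6_options(payload)
    except MalformedPacket as exc:
        return ("malformed", str(exc))
    urls = options.get(OPT_BOOTFILE_URL)
    if not urls:
        return ("no-boot-url", "")
    url = urls[0].decode("utf-8", errors="replace")
    host = urlparse(url).hostname
    allowed = {_canonical_host(h) for h in allowed_hosts}
    if host is None or _canonical_host(host) not in allowed:
        return ("rogue-boot-server", url)
    return ("ok", url)


# Constructed sample replies: a legitimate one, one pointing at an unapproved
# server, one truncated in transit, and one whose option length field lies.
XID = b"\x00\x00\x01"
SAMPLE_GOOD = build_dhcpv6_reply(XID, [(OPT_BOOTFILE_URL, b"tftp://[2001:0db8::10]/bootx64.efi")])
SAMPLE_ROGUE = build_dhcpv6_reply(XID, [(OPT_BOOTFILE_URL, b"tftp://[2001:db8::bad]/bootx64.efi")])
SAMPLE_TRUNCATED = SAMPLE_GOOD[:-5]
SAMPLE_OVERSIZED = bytes([DHCPV6_REPLY]) + XID + struct.pack("!HH", OPT_BOOTFILE_URL, 0xFFFF) + b"x"

if __name__ == "__main__":
    for name, pkt in [("good", SAMPLE_GOOD), ("rogue", SAMPLE_ROGUE),
                      ("truncated", SAMPLE_TRUNCATED), ("oversized", SAMPLE_OVERSIZED)]:
        verdict, detail = check_boot_url(pkt)
        print(f"{name:10s} -> {verdict}: {detail}")
```

Feed `check_boot_url` the UDP payloads of DHCPv6 replies captured on the boot VLAN and alert on anything other than `ok`. The length discipline in `parse_dhcpv6_options` is the same one a firmware network stack must apply, since it parses these packets before any OS-level protection exists; a reply that fails it is worth investigating regardless of which boot server sent it.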
Nonetheless, entities running IPv6-enabled PXE at scale should pursue remediation to thwart potential compromise by crafty attackers. Server manufacturers are issuing patches to shore up defenses and close off unauthorized backdoors into critical data center hardware.
As “PixieFail” illustrates, firmware and low-level software offer an endless fount of possibility for subtle, stealthy attacks. Though the present vulnerabilities require specific conditions, they expose the potential for firmware-focused threats to escalate server insecurity to new heights. Data center administrators would be prudent to fix the defects and closely monitor the BIOS and UEFI components that standard endpoint tools do not cover.
The vulnerabilities that make up PixieFail are:
- CVE-2023-45229
- CVE-2023-45230
- CVE-2023-45231
- CVE-2023-45232
- CVE-2023-45233
- CVE-2023-45234
- CVE-2023-45235
- CVE-2023-45236
- CVE-2023-45237