UEFI firmware from five of the leading suppliers contains vulnerabilities that allow attackers with a toehold in a user's network to infect connected devices with malware that runs at the firmware level.
The vulnerabilities, which collectively have been dubbed PixieFail by the researchers who discovered them, pose a threat mostly to public and private data centers and possibly other enterprise settings. People with even minimal access to such a network—say a paying customer, a low-level employee, or an attacker who has already gained limited entry—can exploit the vulnerabilities to infect connected devices with a malicious UEFI.
Short for Unified Extensible Firmware Interface, UEFI is the low-level and complex chain of firmware responsible for booting up virtually every modern computer. By installing malicious firmware that runs prior to the loading of a main OS, UEFI infections can’t be detected or removed using standard endpoint protections. They also give unusually broad control of the infected device.
Five vendors, and many a customer, affected
The nine vulnerabilities that comprise PixieFail reside in TianoCore EDK II, an open source implementation of the UEFI specification. The implementation is incorporated into offerings from Arm Ltd., Insyde, AMI, Phoenix Technologies, and Microsoft.
By exploiting PixieFail, an attacker can cause servers to download a malicious firmware image rather than the intended one. The malicious image in this scenario will establish a permanent beachhead on the device that’s installed prior to the loading of the OS and any security software that would normally flag infections.
https://arstechnica.com/security/2024/01/new-uefi-vulnerabilities-send-firmware-devs-across-an-entire-ecosystem-scrambling/
Dan Goodin /
npub1yy…p6r3v
2024-01-17 17:30:06
Author Public Key
npub1yyl6ktycvjymch9hyzq5yqphj89kalfqmtswcjpjmp7s67ms6g9sdp6r3vPublished at
2024-01-17 17:30:06Event JSON
{
"id": "0f20389537eb3c0293c136900ea6de1efa870b7c387b2d4e47cd2e5810bfb7b2",
"pubkey": "213fab2c986489bc5cb7208142003791cb6efd20dae0ec4832d87d0d7b70d20b",
"created_at": 1705509006,
"kind": 1,
"tags": [
[
"proxy",
"https://infosec.exchange/users/dangoodin/statuses/111772238249501530",
"activitypub"
]
],
"content": "UEFI firmware from five of the leading suppliers contains vulnerabilities that allow attackers with a toehold in a user's network to infect connected devices with malware that runs at the firmware level.\n\nThe vulnerabilities, which collectively have been dubbed PixieFail by the researchers who discovered them, pose a threat mostly to public and private data centers and possibly other enterprise settings. People with even minimal access to such a network—say a paying customer, a low-level employee, or an attacker who has already gained limited entry—can exploit the vulnerabilities to infect connected devices with a malicious UEFI.\n\nShort for Unified Extensible Firmware Interface, UEFI is the low-level and complex chain of firmware responsible for booting up virtually every modern computer. By installing malicious firmware that runs prior to the loading of a main OS, UEFI infections can’t be detected or removed using standard endpoint protections. They also give unusually broad control of the infected device.\nFive vendors, and many a customer, affected\n\nThe nine vulnerabilities that comprise PixieFail reside in TianoCore EDK II, an open source implementation of the UEFI specification. The implementation is incorporated into offerings from Arm Ltd., Insyde, AMI, Phoenix Technologies, and Microsoft.\n\nBy exploiting PixieFail, an attacker can cause servers to download a malicious firmware image rather than the intended one. The malicious image in this scenario will establish a permanent beachhead on the device that’s installed prior to the loading of the OS and any security software that would normally flag infections.\n\nhttps://arstechnica.com/security/2024/01/new-uefi-vulnerabilities-send-firmware-devs-across-an-entire-ecosystem-scrambling/",
"sig": "65ecd8b208f0f1f54891b5d16d5e97045a87e9c4f6f0376787cbe78bae1ef18ca0462f63ea96c445db7190020824f96ec2da9d5a97c443b46871f2253d25c6b8"
}