New UEFI vulnerabilities send firmware devs industry wide scrambling - eviltoast
  • Supermariofan67@programming.dev
    link
    fedilink
    English
    arrow-up
    89
    ·
    10 months ago

    Not at all surprised, motherboard firmware from most vendors has always been a steaming pile of shit code, often not even built to spec.

    • Snot Flickerman@lemmy.blahaj.zone
      link
      fedilink
      English
      arrow-up
      47
      arrow-down
      1
      ·
      10 months ago

      The nine vulnerabilities that comprise PixieFail reside in TianoCore EDK II, an open source implementation of the UEFI specification. The implementation is incorporated into offerings from Arm Ltd., Insyde, AMI, Phoenix Technologies, and Microsoft. The flaws reside in functions related to IPv6, the successor to the IPv4 Internet Protocol network address system. They can be exploited in what’s known as the PXE, or Preboot Execution Environment, when it’s configured to use IPv6.

      Not all hardware manufacturers are effected and it’s based on a specific open source implementation of UEFI.

      • xan1242@lemmy.ml
        link
        fedilink
        English
        arrow-up
        14
        ·
        10 months ago

        Aren’t AMI, Insyde and Phoenix providers for 98% of PC (be it board or OEM) vendors though?

        And AFAIR, TianoCore is basically used everywhere by everyone as a base except maybe Apple.

        • Snot Flickerman@lemmy.blahaj.zone
          link
          fedilink
          English
          arrow-up
          2
          ·
          edit-2
          10 months ago

          You may be right, I didn’t think those three were that much of the market, but maybe I’m wrong.

          I thought Tiano was a reference UEFI developed by Intel? So I’m not entirely sure its used by AMD, but maybe it is?

          EDK and EDK II are open source projects that spun off of that reference developed by Intel.

          I suppose the main thing I was trying to get across is that OP seemed to be blaming motherboard manufacturers for bad code… but this is the base open source code that is causing the issues, prior to implementation by motherboard manufacturers. Hence why it impacts so many.

          • xan1242@lemmy.ml
            link
            fedilink
            English
            arrow-up
            5
            ·
            10 months ago

            I am pretty sure TianoCore is also used by AMD systems as a reference as well.

            Here’s a similar situation that happened in 2019 at Lenovo’s site

            https://support.lenovo.com/cl/es/solutions/LEN-22660

            AMD systems are listed as well.

            As for most board vendors nowadays, I think they barely do anything with the code itself and just create the setup utility and boot logos. It is highly likely that they’re affected too.

  • A_A@lemmy.world
    link
    fedilink
    English
    arrow-up
    22
    arrow-down
    1
    ·
    edit-2
    10 months ago

    Short for Unified Extensible Firmware Interface, UEFI is the low-level and complex chain of firmware responsible for booting up virtually every modern computer.
    The flaws reside in functions related to IPv6, the successor to the IPv4 Internet Protocol network address system. They can be exploited in what’s known as the PXE, or Preboot Execution Environment, when it’s configured to use IPv6.

    and : https://en.m.wikipedia.org/wiki/UEFI

    … UEFI (Unified Extensible Firmware Interface) replaces the BIOS (Basic Input Output Software) which was present in the boot ROM (Read Only Memory) of all personal computers …

          • FrederikNJS@lemm.ee
            link
            fedilink
            English
            arrow-up
            6
            ·
            10 months ago

            Because there’s no such thing as private address spaces in IPv6.

            If your ISP is IPv6 only, then you need to enable IPv6 for your local network too, which means that every device on your network gets an IPv6 address.

            You can still have a private IPv4 as well, but if your remove the IPv6 support, then you lose access too the Internet.

          • Supermariofan67@programming.dev
            link
            fedilink
            English
            arrow-up
            3
            ·
            edit-2
            10 months ago

            When you want the private network to connect to a public IPv6 network. Most people connect their LANs to the public Internet

          • ryannathans@aussie.zone
            link
            fedilink
            English
            arrow-up
            12
            ·
            10 months ago

            Not only that, but ipv6 makes networking easier and less complicated. No longer, needing port forwarding or NAT, amongst other improvements

            • Blackmist@lemmy.world
              link
              fedilink
              English
              arrow-up
              4
              arrow-down
              3
              ·
              10 months ago

              It’s that necessarily a good thing?

              I remember suddenly needing a firewall on my PC back in the days of the Blaster worm.

              Do we really want all those crappy IoT devices open on all ports to the general internet?

            • Plopp@lemmy.world
              link
              fedilink
              English
              arrow-up
              2
              arrow-down
              12
              ·
              10 months ago

              I’d be fucked if I had to deal with IPv6 at home. Give me NAT, port forwarding and a dynamic public address that changes.

              • ryannathans@aussie.zone
                link
                fedilink
                English
                arrow-up
                4
                ·
                10 months ago

                Slaac does everything for you. You get dynamic public addresses that change (you can disable if you please). Nothing to deal with, just open a firewall port if you want to receive traffic

                • Plopp@lemmy.world
                  link
                  fedilink
                  English
                  arrow-up
                  1
                  arrow-down
                  2
                  ·
                  10 months ago

                  I want static addresses on my LAN, and addresses I can remember and easily recognize in a list. And I don’t want my devices to have unique addresses outside my LAN, especially not static ones. NAT is great.

        • BearOfaTime@lemm.ee
          link
          fedilink
          English
          arrow-up
          4
          arrow-down
          15
          ·
          edit-2
          10 months ago

          No shit.

          But a private Lan will never need it.

          There are 4 billion+ possible IP v4 addresses, nearly 600 million in the current private range.

          Show me a private network with 600 million devices.

          There’s no reason a device that doesn’t have a direct internet connection needs IP6.

          • Nighed@sffa.community
            link
            fedilink
            English
            arrow-up
            8
            ·
            edit-2
            10 months ago

            Ideally, using just IP6 would be simpler, as every device gets a global address. Then you don’t need to mess with NAT, port forwarding and all that bullshit. Every device having multiple addresses just complicates things.

          • p1mrx@sh.itjust.works
            link
            fedilink
            English
            arrow-up
            1
            ·
            10 months ago

            A device on your private IPv4 network can send packets directly to 104.21.36.127 via NAT. How will it send packets to 2606:4700:3033::6815:247f? There’s not enough space in the IPv4 header.

      • Supermariofan67@programming.dev
        link
        fedilink
        English
        arrow-up
        21
        ·
        10 months ago

        A lot of the world, especially Africa and south America, was somewhat later in adopting the Internet and has a much smaller supply of IPv4 addresses. People with ISPs there need IPv6 to be directly connectable without CGNAT

      • thanevim@kbin.social
        link
        fedilink
        arrow-up
        13
        ·
        10 months ago

        PXE, or network boot. It is basically never used (and rarely enabled, if ever, by default) by the individual, but can be helpful in, for example, a large scale OS deployment. Say IT has to get their corporate image version of Windows 10/11 installed on 30 new laptops. They could write a ton of flash drives, but it’d be easier to just host a PXE boot server and every laptop just listen to them.

        V6 specifically in that instance would just be for the reason of “we need to move away from v4 anyways”

  • AutoTL;DR@lemmings.worldB
    link
    fedilink
    English
    arrow-up
    11
    ·
    10 months ago

    This is the best summary I could come up with:


    The vulnerabilities, which collectively have been dubbed PixieFail by the researchers who discovered them, pose a threat mostly to public and private data centers and possibly other enterprise settings.

    People with even minimal access to such a network—say a paying customer, a low-level employee, or an attacker who has already gained limited entry—can exploit the vulnerabilities to infect connected devices with a malicious UEFI.

    By installing malicious firmware that runs prior to the loading of a main OS, UEFI infections can’t be detected or removed using standard endpoint protections.

    The malicious image in this scenario will establish a permanent beachhead on the device that’s installed prior to the loading of the OS and any security software that would normally flag infections.

    This kind of access may be possible when someone has a legitimate account with a cloud service or after first exploiting a separate vulnerability that gives limited system rights.

    When the client-{based server] boots, the attacker just needs to send the client a malicious packet in the [request] response that will trigger some of these vulns.


    The original article contains 703 words, the summary contains 177 words. Saved 75%. I’m a bot and I’m open source!