UEFI (Unified Extensible Firmware Interface) is the firmware interface used by almost all modern computers. A vulnerability at this layer is especially serious because a backdoor implanted in UEFI firmware is hard to detect and hard to remove. Researchers recently disclosed nine vulnerabilities in the UEFI firmware of five vendors, collectively named PixieFail. No privileged access to the target is needed to exploit them; an attacker on the same network is enough.

A successful attacker could run code in the pre-boot environment, before the operating system loads, and from that position plant malware that persists below the OS. Because the attack surface is network boot, the vulnerabilities mainly affect enterprises and data centers rather than home users.

IPv6 based PXE boot:

PXE (Preboot Execution Environment) is the method enterprises use to boot large fleets of devices over the network. With PXE the operating system image is not stored on the device; it is kept on a boot server, and at power-on the end device's firmware contacts the boot server, downloads the image, and starts the operating system from it.

PXE is designed for ease of use, consistency, and quality assurance in data centers and cloud environments: IT administrators can use it to update, configure, and boot operating systems in bulk from one place.

The PixieFail vulnerabilities lie in the IPv6 network stack that the firmware uses during PXE boot (the TianoCore EDK II NetworkPkg code that these vendors build on). When the client is configured to reach its boot server over IPv6, an attacker on the same network can exploit them to make the client fetch a malicious boot image instead of the one the IT administrator configured.

Malware implanted at the UEFI level is persistent: conventional security software running inside the operating system may not detect that the firmware is infected, and even if it does, it may be unable to remove the infection.

Researchers say:

The attacker does not need physical access to the end device or the boot server. The attacker only needs access to the network on which these systems run, together with tools to capture packets and to inject and transmit them.

Some of these vulnerabilities can be triggered by an attacker who answers the client's requests with malicious packets while the end device is booting.
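The IPv6 PXE flow described above (the client solicits on the network, a server answers with a DHCPv6 Advertise carrying the boot server and boot file, the client downloads the image) and the researchers' point that malicious answers to those requests trigger some of the bugs come down to one pattern: every length field in the reply is chosen by whoever answers on the wire. The C program below is an added example, not EDK II, vendor firmware, or the researchers' code. It walks a hand-built DHCPv6 Advertise message with a bounds check on every option length and shows that a message whose Boot File URL option claims more bytes than the packet actually contains is rejected instead of being copied into a fixed-size buffer. The option codes come from RFC 8415 and RFC 5970; the sample packets are constructed, not captures, and the function names are this example's own.

```c
/* Added example: bounds-checked parsing of DHCPv6 options as used by IPv6 PXE.
 * Illustrative code only; it is not EDK II or any vendor's firmware code. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Message type and option codes from RFC 8415 and RFC 5970 (Boot File URL). */
#define DHCP6_MSG_ADVERTISE     2
#define DHCP6_OPT_SERVERID      2
#define DHCP6_OPT_BOOTFILE_URL  59

static uint16_t be16(const uint8_t *p)
{
    return (uint16_t)(((uint16_t)p[0] << 8) | p[1]);
}

/* Walks every option in a DHCPv6 message. Returns the option count, or -1 if an
 * option header is truncated or a declared length runs past the end of the
 * buffer. If a Boot File URL option is present, its offset and length are
 * reported. Every length here arrived from the network and is treated as hostile. */
int dhcp6_walk_options(const uint8_t *msg, size_t len,
                       size_t *url_off, size_t *url_len)
{
    if (len < 4)                    /* msg-type (1) + transaction-id (3) */
        return -1;
    size_t off = 4;
    int count = 0;
    *url_off = 0;
    *url_len = 0;
    while (off < len) {
        if (len - off < 4)          /* not even a full option header left */
            return -1;
        uint16_t code = be16(msg + off);
        uint16_t olen = be16(msg + off + 2);
        off += 4;
        if (olen > len - off)       /* attacker-chosen length vs. bytes really present */
            return -1;
        if (code == DHCP6_OPT_BOOTFILE_URL) {
            *url_off = off;
            *url_len = olen;
        }
        off += olen;
        count++;
    }
    return count;
}

/* Copies the Boot File URL into a caller-supplied buffer as a NUL-terminated
 * string. Returns the URL length, or -1 if the message is malformed, carries no
 * URL, or the URL does not fit. A parser that skipped the fit check and did
 * memcpy(dst, src, olen) into a fixed stack buffer would overflow it. */
int dhcp6_get_boot_url(const uint8_t *msg, size_t len, char *dst, size_t dst_cap)
{
    size_t off, olen;
    if (dhcp6_walk_options(msg, len, &off, &olen) < 0 || olen == 0)
        return -1;
    if (olen >= dst_cap)            /* leave room for the terminator */
        return -1;
    memcpy(dst, msg + off, olen);
    dst[olen] = '\0';
    return (int)olen;
}

/* Constructed sample (not a capture): a well-formed Advertise with a Server ID
 * option and a 25-byte Boot File URL option. */
static const uint8_t good_advertise[] = {
    DHCP6_MSG_ADVERTISE, 0x12, 0x34, 0x56,          /* msg-type, transaction-id  */
    0x00, 0x02, 0x00, 0x04, 0xAA, 0xBB, 0xCC, 0xDD, /* OPTION_SERVERID, len 4    */
    0x00, 0x3B, 0x00, 0x19,                         /* OPTION_BOOTFILE_URL, len 25 */
    't','f','t','p',':','/','/','[','f','d','0','0',':',':','1',']',
    '/','b','o','o','t','.','e','f','i'
};

/* Constructed sample: same layout, but the URL option claims 1024 bytes while
 * only 4 follow. This is the shape of packet a hostile responder would send. */
static const uint8_t bad_advertise[] = {
    DHCP6_MSG_ADVERTISE, 0x12, 0x34, 0x56,
    0x00, 0x02, 0x00, 0x04, 0xAA, 0xBB, 0xCC, 0xDD,
    0x00, 0x3B, 0x04, 0x00,                         /* declared length 0x0400 */
    't','f','t','p'
};

int main(void)
{
    char url[64];
    int n = dhcp6_get_boot_url(good_advertise, sizeof good_advertise, url, sizeof url);
    printf("well-formed advertise: %d-byte boot URL %s\n", n, n > 0 ? url : "(none)");
    n = dhcp6_get_boot_url(bad_advertise, sizeof bad_advertise, url, sizeof url);
    printf("over-length advertise: result %d (rejected)\n", n);
    return 0;
}
```

The check that matters is `olen > len - off`: it compares the length the responder chose against the bytes the client actually received, before anything is copied. The second check, `olen >= dst_cap`, is the one that keeps a legitimately long URL from overflowing a fixed destination buffer. Both are cheap, and both have to run in firmware, because no OS-level control exists yet at the moment this packet is parsed.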

Disable PXE and IPv6:

The simplest mitigation is to disable PXE boot, and IPv6 network boot in particular, in the firmware setup. Most home users do not use PXE at all and can turn it off outright. Note that the setting that matters is the firmware's own network stack: the vulnerable code runs before the operating system, so disabling IPv6 inside the OS does nothing against it.

The vulnerabilities are in the IPv6 code path only. Enterprises and data centers whose clients PXE boot over IPv4 are not affected by them, provided the firmware's IPv6 PXE boot option is actually disabled rather than merely unused, since a client that still sends IPv6 boot requests can still be answered by an attacker.

Fixes:

UEFI firmware vendors are now producing fixed firmware versions and distributing them to customers. AMI, for example, has confirmed that the vulnerabilities affect its Aptio V firmware and has already produced and distributed a fixed version to its customers.

Other firmware vendors are still working on their updates. The affected vendors are Arm Ltd., Insyde, AMI, Phoenix Technologies, and Microsoft.

Microsoft's response:

Microsoft said it is taking appropriate action but did not say what that action is. Microsoft also stated that an attacker would need to set up a malicious server on the corporate network; the researchers say this is incorrect, since an attacker who can see the client's boot requests on the network can answer them directly.

Finally, Microsoft recommends disabling PXE and any other network boot protocols that are not in use. Where network boot is needed, it recommends configuring TLS, which protects the boot exchange against man-in-the-middle hijacking. Keep in mind that TLS only protects the image download; the address-configuration packets the client processes before it can open a TLS session are still parsed by the same firmware stack, so applying the vendor's firmware update remains the real fix.