wikiSafety instructions for IPv6 PixieFail
In January 2024, a series of security vulnerabilities were published, which the discoverers at Quarkslab refer to as PixieFail.[1] The nine vulnerabilities, that are called Pixiefail, affect the PXE network boot process via IPv6.
Affected systems
Vulnerabilities of PixieFail:
- CVE-2023-45229 Integer underflow when processing IA_NA/IA_TA options in a DHCPv6 Advertise message
- CVE-2023-45230 Buffer overflow in the DHCPv6 client via a long Server ID option
- CVE-2023-45231 Out of Bounds read when handling a ND Redirect message with truncated options
- CVE-2023-45232 Infinite loop when parsing unknown options in the Destination Options header
- CVE-2023-45233 Infinite loop when parsing a PadN option in the Destination Options header
- CVE-2023-45234 Buffer overflow when processing DNS Servers option in a DHCPv6 Advertise message
- CVE-2023-45235 Buffer overflow when handling Server ID option from a DHCPv6 proxy Advertise message
- CVE-2023-45236 Predictable TCP Initial Sequence Numbers
- CVE-2023-45237 Use of a Weak PseudoRandom Number Generator
Solution for the problem
The manufacturers have already released versions to eliminate the security vulnerabilities. These can be installed via BIOS update.
Supermicro and AMI have published a Security Bulletin about security vulnerabilities. Supermicro also provides a list of BIOS versions for each motherboard generation to close the gaps:[2][3]
| motherboard generation | BIOS version | motherboard generation | BIOS version |
|---|---|---|---|
| X12-Tatlow | 1.8 | A2-Denverton | 1.9a |
| X12/C9-Rocketlake | 1.5a | H11-Naples/Rome | 2.9 |
| X12-Idaville | 1.7 | H12-Rome/Milan | 2.8 |
| X12-TigerLake | 1.6 | H13-Genoa | 1.7 |
| X12-Whitley | 1.9 | H13-Siena | TBD |
| X12-CedarIsland | 1.9 | R12 ARM | 1.2 |
| X11-Bakerville | 2.1 | ||
| X11-Purley | 4.3 | ||
| X11-Whiskeylake-U | 2.1 | ||
| X11-Mehlow_Server | 2.3 | ||
| X11-Mehlow_Workstation | 2.4 | ||
| A3-Jacobsville | 1.3 | ||
| A3-ElkHart Lake | 1.6 |
Updates for products of Thomas-Krenn
BIOS updates with the corresponding versions can be found in the download area or on the website of the manufacturer.
More information
- Vulnerability Alert: Nine PixieFail UEFI Vulnerabilities Threaten the Firmware Supply Chain (https://www.spiceworks.com 19.01.2024)
- PixieFail UEFI Flaws Exposes Computers to RCE, DoS, and Data Theft (https://thehackernews.com/ 18.01.2024)
- Critical PixieFail vulnerabilities lead to RCE and DoS attacks (https://tuxcare.com/ 15.02.2024)
References
 |
Translator: Alina Ranzinger Alina has been working at Thomas-Krenn.AG since 2024. After her training as multilingual business assistant, she got her job as assistant of the Product Management and is responsible for the translation of texts and for the organisation of the department.
|
