Researchers from cyber security vendor Quarkslab are warning of a total of nine vulnerabilities in the TianoCore EDK II, the open source reference UEFI implementation first authored by Intel.
The company is warning the bugs “can be exploited by unauthenticated remote attackers on the same local network, and in some cases, by attackers on remote networks.”
“The impact of these vulnerabilities includes denial of service, information leakage, remote code execution, DNS cache poisoning, and network session hijacking,” the researchers said.
Proof-of-concept code published by Quarkslab should help produce detection signatures for the vulnerabilities.
According to the Carnegie Mellon CERT Coordination Centre (CERT-CC), the bug has been identified in implementations from American Megatrends, Insyde Software, Intel, and Phoenix Technologies; while Toshiba is not affected.
Insyde Software, AMI, and Phoenix Technologies have all told Quarkslab they are shipping fixes.
The bug is still under investigation by another 18 vendors, including major names like Google, HP, Microsoft, ARM, ASUSTek, Cisco, Dell, Lenovo, and VAIO.
Impacts of the vulnerabilities include “remote code execution, DoS attacks, DNS cache poisoning, and/or potential leakage of sensitive information,” CERT-CC said.
The bugs are in EDK II’s TCP/IP stack, NetworkPkg, which is used for network boot and is particularly important in data centres and HPC environments to automate early boot phases.
The most serious three bugs. all with CVSS scores of 8.3 are DCHPv6 processing buffer overruns: CVE-2023-45230, CVE-2023-45234, and CVE-2023-45235.
The other bugs are CVE-2023-45229 (CVSS score 6.5), CVE-2023-45231 (CVSS score 6.5), CVE-2023-45232 (CVSS score 7.5), CVE-2023-45233 (CVSS score 7.5), CVE-2023-45236 (CVSS score 5.8) and CVE-2023-45237 (CVSS score 5.3).