According to ITNews, Quarkslab warned that these security vulnerabilities can be exploited by unauthenticated remote attackers on the same local network, and in some cases, even remotely. The researchers said the impacts of these vulnerabilities include DDoS, information leakage, remote code execution, DNS cache poisoning, and network session hijacking.
UEFI is the most commonly used BIOS system.
The CERT Cybersecurity Coordination Center at Carnegie Mellon University (USA) said that this error was identified in the implementations from UEFI vendors, including American Megatrends, Insyde Software, Intel and Phoenix Technologies, while Toshiba was not affected.
Insyde Software, AMI, and Phoenix Technologies have all confirmed to Quarkslab that they are providing fixes. Meanwhile, the bug is still being investigated by 18 other vendors, including big names like Google, HP, Microsoft, ARM, ASUSTek, Cisco, Dell, Lenovo, and VAIO.
The bugs reside in NetworkPkg, the TCP/IP stack of EDK II, which is used for network booting and is especially important in data centers and HPC environments for automating early boot phases. The three most severe bugs, all with CVSS scores of 8.3, are buffer overflows in DHCPv6 handling: CVE-2023-45230, CVE-2023-45234, and CVE-2023-45235. The other bugs have CVSS scores ranging from 5.3 to 7.5.