this post was submitted on 19 Jan 2024

247 points (99.2% liked)

Technology

68639 readers

5915 users here now

This is a most excellent place for technology news and articles.

Our Rules

Follow the lemmy.world rules.
Only tech related news or articles.
Be excellent to each other!
Mod approved content bots can post up to 10 articles per day.
Threads asking for personal tech support may be deleted.
Politics threads may be removed.
No memes allowed as posts, OK to post as comments.
Only approved bots from the list below, this includes using AI responses and summaries. To ask if your bot can be added please contact a mod.
Check for duplicates before posting, duplicates may be removed
Accounts 7 days and younger will have their posts automatically removed.

Approved Bots

founded 2 years ago

MODERATORS

L3s@lemmy.world

enu@lemmy.world

technopagan@lemmy.world

L4s@lemmy.world

L3s@hackingne.ws

L4s@hackingne.ws

247

New UEFI vulnerabilities send firmware devs industry wide scrambling (arstechnica.com)

submitted 1 year ago by leo@lemmy.linuxuserspace.show to c/technology@lemmy.world

41 comments fedilink hide all child comments

all 43 comments

sorted by: hot top controversial new old

[–] Supermariofan67@programming.dev 89 points 1 year ago (1 children)

Not at all surprised, motherboard firmware from most vendors has always been a steaming pile of shit code, often not even built to spec.

[–] AnarchoSnowPlow@midwest.social 63 points 1 year ago

Who could have predicted bootloader drm wouldn't go well?

[–] A_A@lemmy.world 21 points 1 year ago* (last edited 1 year ago) (1 children)

Short for Unified Extensible Firmware Interface, UEFI is the low-level and complex chain of firmware responsible for booting up virtually every modern computer.
The flaws reside in functions related to IPv6, the successor to the IPv4 Internet Protocol network address system. They can be exploited in what’s known as the PXE, or Preboot Execution Environment, when it’s configured to use IPv6.

and : https://en.m.wikipedia.org/wiki/UEFI

... UEFI (Unified Extensible Firmware Interface) replaces the BIOS (Basic Input Output Software) which was present in the boot ROM (Read Only Memory) of all personal computers ...

[+] BearOfaTime@lemm.ee -23 points 1 year ago (5 children)

When does a machine ever need IP6?

[–] Treczoks@lemmy.world 24 points 1 year ago (1 children)

When it is running in a modern, I.e. IPV6 network?

[–] Supermariofan67@programming.dev 21 points 1 year ago (1 children)

A lot of the world, especially Africa and south America, was somewhat later in adopting the Internet and has a much smaller supply of IPv4 addresses. People with ISPs there need IPv6 to be directly connectable without CGNAT

[–] ryannathans@aussie.zone 20 points 1 year ago (2 children)

Ipv6 is the replacement for ipv4. There now exist networks without ipv4

[–] KairuByte@lemmy.dbzer0.com 14 points 1 year ago (2 children)

To expand on this, we have functionally ran out of IPv4 addresses. Meaning IPv6 addresses are required.

[–] ryannathans@aussie.zone 12 points 1 year ago (2 children)

Not only that, but ipv6 makes networking easier and less complicated. No longer, needing port forwarding or NAT, amongst other improvements

[–] Blackmist@lemmy.world 2 points 1 year ago (1 children)

It's that necessarily a good thing?

I remember suddenly needing a firewall on my PC back in the days of the Blaster worm.

Do we really want all those crappy IoT devices open on all ports to the general internet?

[–] ryannathans@aussie.zone 8 points 1 year ago

NAT is not security. We aren't talking about replacing friewalls.

[+] Plopp@lemmy.world -8 points 1 year ago (1 children)

I'd be fucked if I had to deal with IPv6 at home. Give me NAT, port forwarding and a dynamic public address that changes.

[–] ryannathans@aussie.zone 4 points 1 year ago (1 children)

Slaac does everything for you. You get dynamic public addresses that change (you can disable if you please). Nothing to deal with, just open a firewall port if you want to receive traffic

[–] Plopp@lemmy.world 0 points 1 year ago (2 children)

I want static addresses on my LAN, and addresses I can remember and easily recognize in a list. And I don't want my devices to have unique addresses outside my LAN, especially not static ones. NAT is great.

[–] p1mrx@sh.itjust.works 2 points 1 year ago (1 children)

You can statically number a LAN with fd00::/8 and NAT66 to the internet, if you really want to.

[–] ryannathans@aussie.zone 1 points 1 year ago (1 children)

Heck you could set up a ULA or just use a range from your assigned prefix

[–] Plopp@lemmy.world 1 points 1 year ago (2 children)

See, what both of you wrote is completely alien and confusing to me. The look of IPv6 gives me an aneurysm. Let me keep my IPv4. You can run IPv6 on your own LAN. I'm not stopping you.

[–] p1mrx@sh.itjust.works 1 points 1 year ago

Roughly speaking, fd00::123 is the IPv6 equivalent of 192.168.0.123

[–] ryannathans@aussie.zone 1 points 1 year ago* (last edited 1 year ago) (1 children)

It's a little bit unfamiliar, not the end of the world. It's not complicated and not as nuanced as ipv4 networking. No dhcp necessary anymore on your local network, how good is that? No more trying to hardcode MTU, no strict/open/hairpin/fullcone/etc NAT issues because no NAT, no port forwarding, no fear of IP collisions, less overhead, freedom of many public addresses per interface - host each app on its own public IP address if you desire. Ipv4 over ipv6 is part of the spec so you would never lose ipv4 connectivity. I could go on

[–] Plopp@lemmy.world 1 points 1 year ago* (last edited 1 year ago)

Oh I'm sure you can do heaps more with IPv6. And that's great. I'm just saying to me it's super complicated because I have to learn everything from scratch, and again those horrendous long and complicated hex addresses. If I can live my whole life without ever having to type or trying to remember an IPv6 address I'll be a happy guy. IPv4 is super clean and easy at least on the level I'm using it. Those negative things you mention, I've never had to deal with any of that. Except port forwarding, but that's easy and honestly I kinda like how that works for some reason.

But sure, you mention some pretty cool things there with IPv6 that could perhaps come in handy even for me at some point when I start doing more advanced things on my network. So I'll keep that in mind for when that happens. And also, I guess I probably should learn more about IPv6 just to have the knowledge for when I might need it, wherever that may be. But ugh... lol

[–] ryannathans@aussie.zone 1 points 1 year ago (1 children)

Nothing stops you doing that with ipv6. NAT is complicated and unnecessary.

[–] Plopp@lemmy.world 1 points 1 year ago (1 children)

My brain stops me from remembering and recognizing IPv6 addresses. I can't deal with long strings of hex. And why are people so against me running IPv4 on my own LAN? Do I make you sad? Do I ruin your day? I love IPv4, and NAT works perfectly fine for me. I'm not doing the translation, my router is.

[–] ryannathans@aussie.zone 1 points 1 year ago (1 children)

You don't need to have long addresses, you should be using hostnames and domains anyway. Ipv6 addresses are often simpler than ipv4 ones. E.g. prefix::1 for your router. Prefix::2 for the next device, and so on to Prefix::FFFF for the first 65k machines if you wish to set it up that way. Ipv4 exclusively on your lan ruins my day because I have to maintain servers and software to support users that only use ipv4 and flat out refuse ipv6 connectivity - it's expensive and takes a lot of effort to maintain dual stack support.

[–] Plopp@lemmy.world 1 points 1 year ago

Most of the time I do use hostnames, but it doesn't matter what I use as a user if I have a list of addresses I have to look through in log files, or enter addresses for configuration or whatever. My brain works on IPv4. I'm sorry for ruining your day, but I assume, or at least hope, that you get paid for the work. I do not and I have more important and pressing things to do than learn IPv6 and reconfigure my whole network.

[–] thanevim@kbin.social 13 points 1 year ago (1 children)

PXE, or network boot. It is basically never used (and rarely enabled, if ever, by default) by the individual, but can be helpful in, for example, a large scale OS deployment. Say IT has to get their corporate image version of Windows 10/11 installed on 30 new laptops. They could write a ton of flash drives, but it'd be easier to just host a PXE boot server and every laptop just listen to them.

V6 specifically in that instance would just be for the reason of "we need to move away from v4 anyways"

[–] BearOfaTime@lemm.ee -2 points 1 year ago (1 children)

PXE works on ipv4, did gobs of it over the years.

[–] corsicanguppy@lemmy.ca 3 points 1 year ago

whoosh

[–] BKXcY86CHs2k8Coz@sh.itjust.works 3 points 1 year ago

Running matter/thread for safer IoT

[–] autotldr@lemmings.world 11 points 1 year ago

This is the best summary I could come up with:

The vulnerabilities, which collectively have been dubbed PixieFail by the researchers who discovered them, pose a threat mostly to public and private data centers and possibly other enterprise settings.

People with even minimal access to such a network—say a paying customer, a low-level employee, or an attacker who has already gained limited entry—can exploit the vulnerabilities to infect connected devices with a malicious UEFI.

By installing malicious firmware that runs prior to the loading of a main OS, UEFI infections can’t be detected or removed using standard endpoint protections.

The malicious image in this scenario will establish a permanent beachhead on the device that’s installed prior to the loading of the OS and any security software that would normally flag infections.

This kind of access may be possible when someone has a legitimate account with a cloud service or after first exploiting a separate vulnerability that gives limited system rights.

When the client-{based server] boots, the attacker just needs to send the client a malicious packet in the [request] response that will trigger some of these vulns.

The original article contains 703 words, the summary contains 177 words. Saved 75%. I'm a bot and I'm open source!

[–] c0mbatbag3l@lemmy.world 2 points 1 year ago

"See?? I knew our project to transition to IPv6 was a security issue." -Network