Vulnerability in HPE Integrated Lights-out 2, 3, 4

Posted on 2018-02-27 by guenni

[German]Another addendum for people who use HPE Integrated Lights-Out 2,3,4 (iLO2, iLO3, iLO4) and HPE Superdome Flex RMC from HP Enterprise. There is a potential vulnerability in these products.

Advertising

Does anyone of you use the Integrated Lights-out for HP client servers management software? At the beginning of February 2018, it was announced that HPE Integrated Lights-Out 2,3,4 (iLO2, iLO3, iLO4) and HPE Superdome Flex RMC had a potential vulnerability CVE-2013-4786. The information can be found on seclist.org and HP has published this Security Bulletin.

Vulnerability affects the following products

A potential vulnerability has been identified in HPE Integrated Lights-Out 2,3,4 (iLO2, iLO3, iLO4) and HPE Superdome Flex RMC. The vulnerability could be exploited to give an attacker the ability to gain unauthorized privileges and access to privileged information. The following products are affected:

  • HPE Superdome Flex Server 1.0
  • HPE Integrated Lights-Out 4 (iLO 4) Firmware for ProLiant Gen8 Servers – All, when IPMI is enabled
  • HPE Integrated Lights-Out 3 (iLO 3) Firmware for ProLiant G7 Servers – All, when IPMI is enabled
  • HPE Integrated Lights-Out 2 (iLO 2) Firmware for ProLiant G6 Servers – All, when IPMI is enabled

HP writes that there is no solution to this problem. The authentication process for the IPMI 2.0 specification requires that the server sends a salted SHA1 or MD5 hash of the requested user's password to the client before authenticating the client. The BMC returns the password hash for each valid user account requested. This password hash can be broken by an offline brute force or dictionary attack.

No update, but mitigations

Since this functionality is an integral part of the IPMI 2.0 specification, there is no way to fix the problem without deviating from the IPMI 2.0 specification. HP recommends the following measures to minimize the associated risk:

  • If you do not need IPMI, deactivate it. You can disable IPMI on iLO2/3/4 using the Disable IPMI over LAN command.
  • Add the latest iLO firmware that includes the latest security patches to the products.
  • Use best practices to manage protocols and passwords on your systems and networks. Wherever possible, use secure passwords.

If you need to use IPMI, use a separate LAN management or VLAN, Access Control Lists (ACLs) or VPN to restrict and restrict access to your iLO management interfaces.

Advertising
Advertising
This entry was posted in Security and tagged . Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *

Note: Please note the rules for commenting on the blog (first comments and linked posts end up in moderation, I release them every few hours, I rigorously delete SEO posts/SPAM).