[German]Advisory for administrators of HPE Proliant servers running outdated or unpatched HPEs Integrated Lights-out versions. The Internet Storm Center (SANS ISC) warned this week that more than 20,000 HPE Proliant servers were accessible via the Internet. Wouldn't be such a problem if those servers weren't running an outdated iLO version, or hadn't patched known iLO vulnerabilities.
Advertising
HPE Proliant servers use Integrated Lights-out as software. Integrated Lights-Out (iLO) is a low-level server management system intended for out-of-band configuration that Hewlett-Packard Enterprise is integrating into some of its servers. It connects to a network via an Ethernet port, which is present on most ProLiant servers and 300-series microservers and above.
In addition to its use for server management/maintenance, administrators also use iLO as an emergency access point to the server in the event that any overlying functions (hypervisor or operating system) fail. From a security perspective, iLO is therefore a particularly critical point, as access to all server functionality is possible via it. In the past, vulnerabilities have repeatedly been found in this software that allow servers to be taken over (see links at the end of the article).
Using an up-to-date iLO version and applying patches should therefore be a top priority. And if possible, the servers in question should also not be accessible via the Internet and, moreover, only for the administrators' group, in order to keep the attack surface low.
SANS ISC issued a warning
I came across the following tweet from SANS ISC this week that points out the problem described by Jan Kopriva. Over 20,000 HPE Proliant servers with outdated iLO versions or known iLO vulnerabilities are accessible via the Internet.
Advertising
Kopriva had recently come across the analysis of a rootkit that can nest in the iLO platform. This allowed it to interact with the infected system at a very low level. At this point, Kopriva wondered what would happen if attackers gained access to the iLO web interface and the software in question was outdated or unpatched? Then attackers would have the ability to attack the servers through these vulnerabilities in the iLO firmware. This can already be a problem in a network, for servers that are accessible via the Internet.
He then did a simple Google search for ilo proliant "local user name" "password" and came up with a lot of hits. In the second step, he then used the search engine Shodan and writes that he found over 20,000 iLO instances that use an outdated firmware or a version with known vulnerabilities and are accessible via the Internet. The details can be read in the linked article – for administrators using iLO on HPE servers, the question is whether they are up to date on patches.
Similar articles:
Critical vulnerability in HPE Integrated Lights-out 4 (iLO 4)
Vulnerability in HPE Integrated Lights-Out 3 (iLO 3)
Vulnerability in HPE Integrated Lights-out 2, 3, 4
