Security update for HPE Integrated Lights-Out (iLO)

Note for administrators of HPE ProLiant servers managed via HPE Integrated Lights-Out (iLO). At the end of July 2022 HPE published a security bulletin for HPE Integrated Lights-Out 5 (iLO 5) that lists several critical vulnerabilities. An update is available for iLO 5 and should be installed promptly (although the information has presumably long since reached you).



HPE ProLiant servers ship with Integrated Lights-Out (iLO), a low-level server management system from Hewlett Packard Enterprise intended for out-of-band configuration and built into many of its servers. iLO runs on its own management processor with its own firmware, independently of the host operating system, and connects to the network through a dedicated Ethernet port that is present on most ProLiant servers and on 300-series MicroServers and above. The iLO firmware repeatedly attracts attention because of serious vulnerabilities, and its patch status in the field is often poor (see Over 20,000 HPE Proliant servers with outdated iLO accessible via the Internet).

In Security Bulletin HPESBHF04333 rev.1 – HPE Integrated Lights-Out 5 (iLO 5), Multiple Vulnerabilities, dated 7/28/2022 (revised 7/29), HPE warns of serious vulnerabilities in iLO 5: local arbitrary code execution, denial of service (DoS), disclosure of sensitive information and unauthorized data modification. It states:

Multiple local and adjacent security vulnerabilities have been identified in HPE Integrated Lights-Out 5 (iLO 5) firmware. Exploitation of these vulnerabilities could potentially lead to execution of arbitrary code, denial of service (DoS), disclosure of confidential information, and unauthorized modification of data, resulting in loss of confidentiality, integrity, and availability.

Here is the list of vulnerabilities:

  • CVE-2022-28626 – Local Arbitrary Code Execution
  • CVE-2022-28627 – Local Arbitrary Code Execution
  • CVE-2022-28628 – Local Arbitrary Code Execution
  • CVE-2022-28629 – Local Arbitrary Code Execution
  • CVE-2022-28630 – Local Arbitrary Code Execution
  • CVE-2022-28631 – Adjacent Arbitrary Code Execution; Denial of Service (DoS)
  • CVE-2022-28632 – Adjacent Arbitrary Code Execution; Denial of Service (DoS)
  • CVE-2022-28633 – Local Disclosure of Sensitive Information; Local Unauthorized Data Modification
  • CVE-2022-28634 – Local Arbitrary Code Execution
  • CVE-2022-28635 – Local Arbitrary Code Execution; Denial of Service (DoS)
  • CVE-2022-28636 – Local Arbitrary Code Execution; Denial of Service (DoS)

The following iLO versions are affected:

  • HPE Integrated Lights-Out 5 (iLO 5) for HPE Gen10 Servers – Prior to 2.71
  • HPE Apollo 2000 Gen10 Plus System – Prior to 2.71
  • HPE Apollo 4200 Gen10 Plus System – Prior to 2.71
  • HPE Apollo 4200 Gen10 Server (HPE ProLiant XL420 Gen10 Server) – Prior to 2.71
  • HPE Apollo 4510 Gen10 System – Prior to 2.71
  • HPE Apollo 6500 Gen10 Plus System – Prior to 2.71
  • HPE Apollo 6500 Gen10 System – Prior to 2.71
  • HPE Apollo n2600 Gen10 Plus – Prior to 2.71
  • HPE Apollo n2800 Gen10 Plus – Prior to 2.71
  • HPE Apollo r2000 Chassis (HPE Apollo r2600 Gen10, r2800 Gen10) – Prior to 2.71
  • HPE Edgeline e920 Server Blade – Prior to 2.71
  • HPE Edgeline e920d Server Blade – Prior to 2.71
  • HPE Edgeline e920t Server Blade – Prior to 2.71
  • HPE ProLiant DL20 Gen10 Plus server – Prior to 2.71
  • HPE ProLiant BL460c Gen10 Server Blade – Prior to 2.71
  • HPE ProLiant DL20 Gen10 Server – Prior to 2.71
  • HPE ProLiant DL110 Gen10 Plus Telco server – Prior to 2.71
  • HPE ProLiant DL120 Gen10 Server – Prior to 2.71
  • HPE ProLiant DL160 Gen10 Server – Prior to 2.71
  • HPE ProLiant DL180 Gen10 Server – Prior to 2.71
  • HPE ProLiant DL325 Gen10 Plus server – Prior to 2.71
  • HPE ProLiant DL325 Gen10 Plus v2 server – Prior to 2.71
  • HPE ProLiant DL325 Gen10 Server – Prior to 2.71
  • HPE ProLiant DL345 Gen10 Plus server – Prior to 2.71
  • HPE ProLiant DL360 Gen10 Plus server – Prior to 2.71
  • HPE ProLiant DL360 Gen10 Server – Prior to 2.71
  • HPE ProLiant DL365 Gen10 Plus server – Prior to 2.71
  • HPE ProLiant DL380 Gen10 Plus server – Prior to 2.71
  • HPE ProLiant DL380 Gen10 Server – Prior to 2.71
  • HPE ProLiant DL385 Gen10 Plus server – Prior to 2.71
  • HPE ProLiant DL385 Gen10 Plus v2 server – Prior to 2.71
  • HPE ProLiant DL385 Gen10 Server – Prior to 2.71
  • HPE ProLiant DL560 Gen10 Server – Prior to 2.71
  • HPE ProLiant DL580 Gen10 Server – Prior to 2.71
  • HPE ProLiant DX170r Gen10 server – Prior to 2.71
  • HPE ProLiant DX190r Gen10 server – Prior to 2.71
  • HPE ProLiant DX220n Gen10 Plus server – Prior to 2.71
  • HPE ProLiant DX325 Gen10 Plus v2 server – Prior to 2.71
  • HPE ProLiant DX360 Gen10 Plus server – Prior to 2.71
  • HPE ProLiant DX360 Gen10 server – Prior to 2.71
  • HPE ProLiant DX380 Gen10 Plus server – Prior to 2.71
  • HPE ProLiant DX380 Gen10 server – Prior to 2.71
  • HPE ProLiant DX385 Gen10 Plus server – Prior to 2.71
  • HPE ProLiant DX385 Gen10 Plus v2 server – Prior to 2.71
  • HPE ProLiant DX4200 Gen10 server – Prior to 2.71
  • HPE ProLiant DX560 Gen10 server – Prior to 2.71
  • HPE ProLiant e910 Server Blade – Prior to 2.71
  • HPE ProLiant e910t Server Blade – Prior to 2.71
  • HPE ProLiant m750 Server Blade – Prior to 2.71
  • HPE ProLiant MicroServer Gen10 Plus – Prior to 2.71
  • HPE ProLiant ML30 Gen10 Plus server – Prior to 2.71
  • HPE ProLiant ML30 Gen10 Server – Prior to 2.71
  • HPE ProLiant ML110 Gen10 Server – Prior to 2.71
  • HPE ProLiant ML350 Gen10 Server – Prior to 2.71
  • HPE ProLiant XL170r Gen10 Server – Prior to 2.71
  • HPE ProLiant XL190r Gen10 Server – Prior to 2.71
  • HPE ProLiant XL220n Gen10 Plus Server – Prior to 2.71
  • HPE ProLiant XL225n Gen10 Plus 1U Node – Prior to 2.71
  • HPE ProLiant XL230k Gen10 Server – Prior to 2.71
  • HPE ProLiant XL270d Gen10 Server – Prior to 2.71
  • HPE ProLiant XL290n Gen10 Plus Server – Prior to 2.71
  • HPE ProLiant XL450 Gen10 Server – Prior to 2.71
  • HPE ProLiant XL645d Gen10 Plus Server – Prior to 2.71
  • HPE ProLiant XL675d Gen10 Plus Server – Prior to 2.71
  • HPE ProLiant XL925g Gen10 Plus 1U 4-node Configure-to-order Server – Prior to 2.71
  • HPE Storage File Controller – Prior to 2.71
  • HPE Storage Performance File Controller – Prior to 2.71
  • HPE StoreEasy 1460 Storage – Prior to 2.71
  • HPE StoreEasy 1560 Storage – Prior to 2.71
  • HPE StoreEasy 1660 Expanded Storage – Prior to 2.71
  • HPE StoreEasy 1660 Performance Storage – Prior to 2.71
  • HPE StoreEasy 1660 Storage – Prior to 2.71
  • HPE StoreEasy 1860 Performance Storage – Prior to 2.71
  • HPE StoreEasy 1860 Storage – Prior to 2.71

With HPE Integrated Lights-Out 5 (iLO 5) firmware version 2.71 or higher the vulnerabilities are fixed; the updates are available in the Hewlett Packard Enterprise Support Center. Note that HPE classifies the attack vectors as local or adjacent, i.e. an attacker needs access to the host or to the management network segment. That is one more reason to keep iLO interfaces off the Internet and on an isolated management network, and to verify the firmware level of every iLO rather than assuming the update has been rolled out.
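As an added example (not code from this blog post or from HPE), here is a small Python check that reads the FirmwareVersion string an iLO 5 reports on its Redfish manager resource and flags anything below the 2.71 fix level from the bulletin. The Redfish path /redfish/v1/Managers/1/ and the "iLO 5 vX.YY" string format are what iLO 5 commonly returns; the embedded sample response is constructed, and the network fetch is only used when you run the script against a real iLO.

```python
"""Flag HPE iLO 5 firmware below 2.71 (fix level named in HPESBHF04333).
Added example, not part of the blog post or of HPE's tooling."""
import base64
import json
import re
import ssl
import urllib.request
from typing import Optional, Tuple

# From the bulletin: iLO 5 firmware prior to 2.71 is affected.
FIXED_VERSION = (2, 71)

# iLO 5 reports its firmware on the Redfish manager resource as e.g. "iLO 5 v2.65".
# Assumption: the minor part is always two digits, so an integer compare is safe.
_VERSION_RE = re.compile(r"iLO\s+(\d+)\s+v(\d+)\.(\d+)", re.IGNORECASE)


def parse_ilo_version(fw: str) -> Optional[Tuple[int, Tuple[int, int]]]:
    """Return (generation, (major, minor)) or None for a non-iLO version string."""
    m = _VERSION_RE.search(fw)
    if not m:
        return None
    gen, major, minor = (int(x) for x in m.groups())
    return gen, (major, minor)


def is_affected(fw: str) -> Optional[bool]:
    """True if iLO 5 older than 2.71, False if iLO 5 at 2.71 or newer,
    None if the string is not an iLO 5 version (other generations are out
    of scope of this bulletin and must be checked against their own advisories)."""
    parsed = parse_ilo_version(fw)
    if parsed is None:
        return None
    gen, ver = parsed
    if gen != 5:
        return None
    return ver < FIXED_VERSION


def assess_manager(manager_json: dict) -> dict:
    """Summarise a Redfish /redfish/v1/Managers/1/ response for this bulletin."""
    fw = manager_json.get("FirmwareVersion", "")
    return {"firmware": fw, "affected": is_affected(fw)}


def fetch_manager(host: str, user: str, password: str, verify_tls: bool = True) -> dict:
    """Fetch the manager resource over Redfish with HTTP basic auth.
    Network call; not exercised by the embedded sample below. Set verify_tls=False
    only for a lab iLO with a self-signed certificate."""
    ctx = ssl.create_default_context()
    if not verify_tls:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    req = urllib.request.Request(f"https://{host}/redfish/v1/Managers/1/")
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req.add_header("Authorization", f"Basic {token}")
    with urllib.request.urlopen(req, context=ctx, timeout=15) as resp:
        return json.load(resp)


# Constructed, trimmed sample of what the manager resource returns on an
# unpatched iLO 5; a real response carries many more fields.
SAMPLE_MANAGER = {
    "@odata.id": "/redfish/v1/Managers/1/",
    "Model": "iLO 5",
    "FirmwareVersion": "iLO 5 v2.65",
}

if __name__ == "__main__":
    print(assess_manager(SAMPLE_MANAGER))
```

To check a real server, call `fetch_manager("ilo-host", "user", "password")` and pass the result to `assess_manager`; the Redfish account only needs read access. Versions such as 2.10 compare correctly as (2, 10) below (2, 71), which a plain float or string comparison would get wrong in the other direction for some release pairs.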

