BlackHat gems: HP iLO 5 vulnerabilities

, by Pearce Barry

Each year, August arrives with promises of hot weather and cool security research talks. The DEF CON, Black Hat, and BSidesLV security conferences bring people in from all over the world to share knowledge through conversations, villages, training, and talks. There are always a number of interesting talks, and one that caught our eye was from this year’s Black Hat “briefings.” It covered vulnerabilities in the HPE iLO 5 firmware discovered by researchers Alexandre Gazet (Senior Security Engineer, Airbus), Fabien Périgaud (Reverse Engineering Team Tech Lead, Synacktiv), and Joffrey Czarny (Red Team Lead, Medallia).

Bypassing encryption to improve iLO security

HPE’s Integrated Lights-Out (iLO) logic is available in many of HPE’s server lines, including ProLiant and Gen10 series. Similar to other “lights out” management solutions such as Dell’s iDRAC and Supermicro’s IPMI boards, iLO supports out-of-band remote management of the servers where it is embedded.

Last year, these security researchers noticed that HPE had begun encrypting the iLO firmware blobs and decided to analyze the new encryption mechanism, with an eye toward surfacing security implications around this new encrypted packaging. Their talk at Black Hat, titled “HPE iLO5 Firmware Security - Go Home Cryptoprocessor, You’re Drunk!", digs into their research methods and the vulnerabilities they discovered with iLO. It included a buffer overflow (CVE-2021-29202) that can be locally exploited to allow a privileged user of the system OS to execute code as a privileged user on the iLO itself.

In addition to these researchers' findings, a number of other iLO 5 vulnerabilities had been reported to HPE, including XSS and CRLF injection, affecting multiple versions of iLO 5 firmware on HPE servers that include iLO logic. Ultimately, leading HPE to publish a security bulletin and a new iLO firmware version: 2.44.

How to find vulnerable iLO BMCs with Rumble

While remaining true to our “unauthenticated scanning” mantra, Rumble explorers and scanners take additional steps when querying iLO assets to provide a rich set of details. Rumble provides a holistic view of each iLO asset–all without authentication–by making pre-auth queries of iLO REST endpoints that return XML-formatted details, and then combining that data with information gleaned from initiating a web login session.

You can locate iLO 5 assets in your inventory currently running vulnerable versions of iLO firmware with this pre-built query:

os:"iLO 5" and (os_version:=1.% or os_version:=2.0% or os_version:=2.1% or os_version:=2.2% or os_version:=2.3% or os_version:=2.40 or os_version:=2.41 or os_version:=2.42 or os_version:=2.43)

iLO query results for devices with vulnerable firmware

As always, any prebuilt queries we create are available from our Queries Library.

Additional iLO details can be found on a per-asset view via “ilo” attributes and also using your Reports page, including what kind of iLO assets are present in your environment, the server assets they are a part of, and all the versions of firmware running on those iLO assets:

Available iLO reports

There is also a specially-crafted CSV export available for iLO devices from your Inventory page, containing many details which are suitable for warranty tracking:

iLO export csv dropdown menu option

Additional details you’ll find in this CSV export of your iLO assets include:

  • The configured Insight Remote Support server
  • The health status of the module
  • All active MAC addresses
  • Authentication methods

You can also broaden your search to find ALL of your lights-out assets in your inventory via this query:


Shine a light on your lights-out assets

Use the Rumble resources we covered in this post to get faster visibility of your iLO assets and their current state. At Rumble, our goal is to build the best products for IT and security professionals through applied research. We hope that you found this post interesting and that you will try out Rumble.

Similar Content

May 10, 2022

Rumble 2.13: Sync assets & software from SentinelOne, track more cloud resources, view cross-organization inventory, and schedule automated reports

What’s new with Rumble 2.13? Sync asset and software inventory from SentinelOne Explore software identified through Rumble scans Track more cloud resources from AWS, Azure, and GCP Work with your asset inventory across organizations Schedule and email the …

Read More

April 5, 2022

Rumble 2.12: Generate organization reports, create scan templates, synchronize GCP, and invite external users

What’s new with Rumble 2.12? Generate Organization Overview Report for stakeholders Create scan templates to simplify scan management Synchronize your GCP virtual machines to Rumble Invite external Rumble users to your account Fingerprints and protocol updates User …

Read More

November 2, 2021

Rumble 2.8: Synchronize your VMware inventory, import Censys scan data, and run RFC 1918 scans faster

What’s new with Rumble 2.8? Integration improvements Synchronize your VMware virtual machine inventory Import external scan data from Censys Scan, search, and self-hosted improvements Discover all RFC 1918 networks, faster Customize scan schedules with more options …

Read More