BlackHat gems: HP iLO 5 vulnerabilities
Each year, August arrives with promises of hot weather and cool security research talks. The DEF CON, Black Hat, and BSidesLV security conferences bring people in from all over the world to share knowledge through conversations, villages, training, and talks. There are always a number of interesting talks, and one that caught our eye was from this year’s Black Hat “briefings.” It covered vulnerabilities in the HPE iLO 5 firmware discovered by researchers Alexandre Gazet (Senior Security Engineer, Airbus), Fabien Périgaud (Reverse Engineering Team Tech Lead, Synacktiv), and Joffrey Czarny (Red Team Lead, Medallia).
HPE’s Integrated Lights-Out (iLO) logic is available in many of HPE’s server lines, including ProLiant and Gen10 series. Similar to other “lights out” management solutions such as Dell’s iDRAC and Supermicro’s IPMI boards, iLO supports out-of-band remote management of the servers where it is embedded.
Last year, these security researchers noticed that HPE had begun encrypting the iLO firmware blobs and decided to analyze the new encryption mechanism, with an eye toward surfacing security implications around this new encrypted packaging. Their talk at Black Hat, titled “HPE iLO5 Firmware Security - Go Home Cryptoprocessor, You’re Drunk!”, digs into their research methods and the vulnerabilities they discovered with iLO. It included a buffer overflow (CVE-2021-29202) that can be locally exploited to allow a privileged user of the system OS to execute code as a privileged user on the iLO itself.
In addition to these researchers’ findings, a number of other iLO 5 vulnerabilities had been reported to HPE, including XSS and CRLF injection, affecting multiple versions of iLO 5 firmware on HPE servers that include iLO logic. Ultimately, leading HPE to publish a security bulletin and a new iLO firmware version: 2.44.
While remaining true to our “unauthenticated scanning” mantra, Rumble explorers and scanners take additional steps when querying iLO assets to provide a rich set of details. Rumble provides a holistic view of each iLO asset–all without authentication–by making pre-auth queries of iLO REST endpoints that return XML-formatted details, and then combining that data with information gleaned from initiating a web login session.
You can locate iLO 5 assets in your inventory currently running vulnerable versions of iLO firmware with this pre-built query:
os:"iLO 5" and (os_version:=1.% or os_version:=2.0% or os_version:=2.1% or os_version:=2.2% or os_version:=2.3% or os_version:=2.40 or os_version:=2.41 or os_version:=2.42 or os_version:=2.43)
As always, any prebuilt queries we create are available from our Queries Library.
Additional iLO details can be found on a per-asset view via “ilo” attributes and also using your Reports page, including what kind of iLO assets are present in your environment, the server assets they are a part of, and all the versions of firmware running on those iLO assets:
There is also a specially-crafted CSV export available for iLO devices from your Inventory page, containing many details which are suitable for warranty tracking:
Additional details you’ll find in this CSV export of your iLO assets include:
- The configured Insight Remote Support server
- The health status of the module
- All active MAC addresses
- Authentication methods
You can also broaden your search to find ALL of your lights-out assets in your inventory via this query:
Use the Rumble resources we covered in this post to get faster visibility of your iLO assets and their current state. At Rumble, our goal is to build the best products for IT and security professionals through applied research. We hope that you found this post interesting and that you will try out Rumble.
September 8, 2021
Rumble 2.6: Integrate with Microsoft Azure Cloud, identify EOL assets, self-host in offline mode, and detect more protocols
What’s new with Rumble 2.6? Synchronize your Azure VM inventory with Rumble Identify assets running end-of-life OS versions Support for NFS, PPTP, and “r” services Updates to the CrowdStrike integration Install and update self-hosted Rumble in offline mode See new …Read More
August 11, 2021
Fingerprinting Windows versions, AV, wireless cards over the network—all without authentication
Correctly identifying and categorizing network-connected systems without credentials is a tricky challenge and one of the fun parts of working at Rumble. This process of “fingerprinting” uses thousands of rules, pattern matches, and internal databases to take observed …Read More
August 3, 2021
Rumble 2.5: Identify endpoint protection agents, detect wireless & mobile Internet, and scan all your EC2 accounts
What’s new with Rumble 2.5? Identify endpoint protection agents via integrations and unauthenticated scans Fingerprint wireless and mobile Internet on Windows without authentication Better fingerprinting for Windows 10 and 11, desktop/server, secondary IPs Discover …Read More