A Vulnerability in HPE iLO4 Servers Could Allow for Remote Code Execution

MS-ISAC ADVISORY NUMBER:

2018-075

DATE(S) ISSUED:

07/06/2018

OVERVIEW:

A vulnerability has been discovered in HPE Integrated Lights-Out 4 (iLO 4) servers, which could allow for remote code execution. HPE iLO 4 is an embedded server management tool used for out-of-band management. Successful exploitation of this vulnerability could result in authentication bypass or remote code execution, which in turn could allow the extraction of plaintext passwords, the addition of an administrator account, the execution of malicious code, or the replacement of the iLO firmware.

THREAT INTELLIGENCE:

This vulnerability (CVE-2017-12542) was first discovered in February 2017, with patches released in August 2017. However, additional details on the vulnerability and exploit code were recently published in multiple open-source media reports, and a Metasploit module is available, significantly increasing the risk to vulnerable systems.

SYSTEMS AFFECTED:

  • HPE iLO 4 prior to 2.54

RISK:

Government:

  • Large and medium government entities: HIGH
  • Small government entities: HIGH

Businesses:

  • Large and medium business entities: HIGH
  • Small business entities: HIGH

Home Users:

N/A

TECHNICAL SUMMARY:

A vulnerability (CVE-2017-12542) has been discovered in HPE iLO 4, which could allow for remote code execution or authentication bypass. Exploiting the vulnerability requires only that an attacker send a crafted HTTP request (for example, with cURL) to the affected server containing 29 “A” characters. Successful exploitation of the vulnerability could result in the extraction of plaintext passwords, the addition of an administrator account, the execution of malicious code, or the replacement of the iLO firmware.

RECOMMENDATIONS:

We recommend the following actions be taken:

  • Verify that no unauthorized system modifications have occurred on the system before applying the patch.
  • Apply appropriate updates provided by HPE to vulnerable systems, immediately after appropriate testing.
  • Restrict inbound access to only authorized IP addresses, machines, and/or users.
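As an added example (not part of the advisory or HPE's own tooling), the following Python inventory check flags iLO 4 firmware older than the fixed 2.54 release so that patching can be prioritised. It assumes the XML layout of the unauthenticated /xmldata?item=all page that iLO exposes (the RIMP/MP/PN and FWRI elements); the sample response embedded below is constructed, not captured from a real host.

```python
"""Check HPE iLO 4 firmware versions against the fixed release for CVE-2017-12542.

Assumes the XML layout of iLO's unauthenticated /xmldata?item=all endpoint
(<RIMP><MP><PN>/<FWRI>); the sample response below is constructed.
"""
import re
import ssl
import urllib.request
import xml.etree.ElementTree as ET

FIXED_VERSION = (2, 54)  # the advisory lists iLO 4 prior to 2.54 as affected

# Constructed sample of an iLO 4 xmldata response (not from a real host).
SAMPLE_XMLDATA = """<?xml version="1.0"?>
<RIMP>
  <HSI><SBSN>PLACEHOLDER-SN</SBSN><SPN>ProLiant DL380 Gen9</SPN></HSI>
  <MP>
    <ST>1</ST>
    <PN>Integrated Lights-Out 4 (iLO 4)</PN>
    <FWRI>2.50</FWRI>
    <HWRI>ASIC: 16</HWRI>
  </MP>
</RIMP>"""


def parse_version(text):
    """Turn a firmware string such as '2.50' or '2.55 Aug 16 2017' into (2, 50)."""
    m = re.search(r"(\d+)\.(\d+)", text or "")
    if not m:
        raise ValueError(f"unrecognised firmware string: {text!r}")
    return int(m.group(1)), int(m.group(2))


def assess_xmldata(xml_text):
    """Return (product, version_tuple, vulnerable) for one xmldata document.

    Only iLO 4 is in scope for this advisory; other generations are reported
    with vulnerable=False so they can be triaged separately.
    """
    root = ET.fromstring(xml_text)
    product = root.findtext("MP/PN") or ""
    version = parse_version(root.findtext("MP/FWRI"))
    return product, version, ("iLO 4" in product) and version < FIXED_VERSION


def fetch_xmldata(host, cafile=None, timeout=10):
    """Fetch the xmldata page over HTTPS; pass the iLO's CA bundle as cafile."""
    ctx = ssl.create_default_context(cafile=cafile)
    url = f"https://{host}/xmldata?item=all"
    with urllib.request.urlopen(url, context=ctx, timeout=timeout) as resp:
        return resp.read().decode("utf-8", "replace")


if __name__ == "__main__":
    product, version, vulnerable = assess_xmldata(SAMPLE_XMLDATA)
    print(product, ".".join(map(str, version)), "VULNERABLE" if vulnerable else "ok")
```

To run it against real hosts, call fetch_xmldata for each management address from your inventory and pass the result to assess_xmldata.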

REFERENCES: