HPESBHF03866 rev.2 – HPE Integrated Lights-Out 3,4,5 using SSH, Remote Execution of Arbitrary Code, Local Disclosure of Sensitive Information

Release Date: 2018-10-22

Last Updated: 2018-09-13

---

Potential Security Impact: Local: Disclosure of Sensitive Information; Remote: Arbitrary Code Execution

Source: Hewlett Packard Enterprise, HPE Product Security Response Team

VULNERABILITY SUMMARY

A security vulnerability in HPE Integrated Lights-Out (iLO) 3, 4, and 5 could be remotely exploited by an administrator to execute arbitrary code and allow Local Disclosure of Sensitive Information.

References: CVE-2018-7105 – Remote execution of arbitrary code, Local Disclosure of Sensitive Information

SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.

• HPE Integrated Lights-Out 5 (iLO 5) for HPE Gen10 Servers prior to v1.35
• HPE Integrated Lights-Out 4 (iLO 4) prior to v2.61
• HPE Integrated Lights-Out 3 (iLO 3) prior to v1.90

BACKGROUND

CVSS Version 3.0 and Version 2.0 Base Metrics

Reference	V3 Vector	V3 Base Score	V2 Vector	V2 Base Score
CVE-2018-7105	CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H	7.2	(AV:N/AC:L/Au:S/C:C/I:C/A:C)	9.0

Information on CVSS is documented in HPE Customer Notice: HPSN-2008-002

Hewlett Packard Enterprise would like to thank Le bureau Audit en Sécurité de l’ANSSI for reporting this vulnerability to [email protected]

RESOLUTION

HPE has provided the following software updates and mitigation information to resolve the vulnerability in HPE Integrated Lights-Out 3, 4, and 5.

* iLO 5 v1.35 
* iLO 4 v2.61 
* iLO 3 v1.90 

Customers can also mitigate this vulnerability by taking one or more of the following actions:

• Disabling SSH entirely.
• Disabling serial port access entirely.
• Requiring serial port authentication.

HISTORY

• Version:1 (rev.1) – 13 September 2018 Initial release
• Version:2 (rev.2) – 22 October 2018 Revised CVSS Metrics and Scores, removed unnecessary CVE – CVE-2018-7106

Third Party Security Patches: Third party security patches that are to be installed on systems running Hewlett Packard Enterprise (HPE) software products should be applied in accordance with the customer’s patch management policy.