HPESBHF03866 rev.2 – HPE Integrated Lights-Out 3,4,5 using SSH, Remote Execution of Arbitrary Code, Local Disclosure of Sensitive Information

By
Stefano Mereghetti
-
0
1060

Release Date: 2018-10-22

Last Updated: 2018-09-13

Potential Security Impact: Local: Disclosure of Sensitive Information; Remote: Arbitrary Code Execution

Source: Hewlett Packard Enterprise, HPE Product Security Response Team

VULNERABILITY SUMMARY

A security vulnerability in HPE Integrated Lights-Out (iLO) 3, 4, and 5 could be remotely exploited by an administrator to execute arbitrary code and allow Local Disclosure of Sensitive Information.

References: CVE-2018-7105 – Remote execution of arbitrary code, Local Disclosure of Sensitive Information

SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.

  • HPE Integrated Lights-Out 5 (iLO 5) for HPE Gen10 Servers prior to v1.35
  • HPE Integrated Lights-Out 4 (iLO 4) prior to v2.61
  • HPE Integrated Lights-Out 3 (iLO 3) prior to v1.90

BACKGROUND

CVSS Version 3.0 and Version 2.0 Base Metrics

ReferenceV3 VectorV3 Base ScoreV2 VectorV2 Base Score
CVE-2018-7105CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H7.2(AV:N/AC:L/Au:S/C:C/I:C/A:C)9.0

Information on CVSS is documented in HPE Customer Notice: HPSN-2008-002

Hewlett Packard Enterprise would like to thank Le bureau Audit en Sécurité de l’ANSSI for reporting this vulnerability to [email protected]

RESOLUTION

HPE has provided the following software updates and mitigation information to resolve the vulnerability in HPE Integrated Lights-Out 3, 4, and 5.

* iLO 5 v1.35 
* iLO 4 v2.61 
* iLO 3 v1.90 

Customers can also mitigate this vulnerability by taking one or more of the following actions:

  • Disabling SSH entirely.
  • Disabling serial port access entirely.
  • Requiring serial port authentication.

HISTORY

  • Version:1 (rev.1) – 13 September 2018 Initial release
  • Version:2 (rev.2) – 22 October 2018 Revised CVSS Metrics and Scores, removed unnecessary CVE – CVE-2018-7106

Third Party Security Patches: Third party security patches that are to be installed on systems running Hewlett Packard Enterprise (HPE) software products should be applied in accordance with the customer’s patch management policy.

RELATED ARTICLESMORE FROM AUTHOR