Release Date: 2018-10-22
Last Updated: 2018-09-13
Potential Security Impact: Local: Disclosure of Sensitive Information; Remote: Arbitrary Code Execution
Source: Hewlett Packard Enterprise, HPE Product Security Response Team
A security vulnerability in HPE Integrated Lights-Out (iLO) 3, 4, and 5 could be remotely exploited by an administrator to execute arbitrary code and allow Local Disclosure of Sensitive Information.
References: CVE-2018-7105 – Remote execution of arbitrary code, Local Disclosure of Sensitive Information
SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.
- HPE Integrated Lights-Out 5 (iLO 5) for HPE Gen10 Servers prior to v1.35
- HPE Integrated Lights-Out 4 (iLO 4) prior to v2.61
- HPE Integrated Lights-Out 3 (iLO 3) prior to v1.90
CVSS Version 3.0 and Version 2.0 Base Metrics
|Reference||V3 Vector||V3 Base Score||V2 Vector||V2 Base Score|
Information on CVSS is documented in HPE Customer Notice: HPSN-2008-002
Hewlett Packard Enterprise would like to thank Le bureau Audit en Sécurité de l’ANSSI for reporting this vulnerability to [email protected]
HPE has provided the following software updates and mitigation information to resolve the vulnerability in HPE Integrated Lights-Out 3, 4, and 5.
* iLO 5 v1.35
* iLO 4 v2.61
* iLO 3 v1.90
Customers can also mitigate this vulnerability by taking one or more of the following actions:
- Disabling SSH entirely.
- Disabling serial port access entirely.
- Requiring serial port authentication.
- Version:1 (rev.1) – 13 September 2018 Initial release
- Version:2 (rev.2) – 22 October 2018 Revised CVSS Metrics and Scores, removed unnecessary CVE – CVE-2018-7106
Third Party Security Patches: Third party security patches that are to be installed on systems running Hewlett Packard Enterprise (HPE) software products should be applied in accordance with the customer’s patch management policy.