Release Date: 2018-10-22
Last Updated: 2018-09-13
Potential Security Impact: Local: Disclosure of Sensitive Information; Remote: Arbitrary Code Execution
Source: Hewlett Packard Enterprise, HPE Product Security Response Team
VULNERABILITY SUMMARY
A security vulnerability in HPE Integrated Lights-Out (iLO) 3, 4, and 5 could be exploited remotely by an authenticated administrator to execute arbitrary code, and could also allow local disclosure of sensitive information.
References: CVE-2018-7105 – Remote execution of arbitrary code, Local Disclosure of Sensitive Information
SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.
- HPE Integrated Lights-Out 5 (iLO 5) for HPE Gen10 Servers prior to v1.35
- HPE Integrated Lights-Out 4 (iLO 4) prior to v2.61
- HPE Integrated Lights-Out 3 (iLO 3) prior to v1.90
BACKGROUND
CVSS Version 3.0 and Version 2.0 Base Metrics
| Reference | V3 Vector | V3 Base Score | V2 Vector | V2 Base Score |
|---|---|---|---|---|
| CVE-2018-7105 | CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H | 7.2 | (AV:N/AC:L/Au:S/C:C/I:C/A:C) | 9.0 |
Information on CVSS is documented in HPE Customer Notice: HPSN-2008-002
Hewlett Packard Enterprise would like to thank Le bureau Audit en Sécurité de l’ANSSI for reporting this vulnerability to [email protected]
RESOLUTION
HPE has provided the following software updates and mitigation information to resolve the vulnerability in HPE Integrated Lights-Out 3, 4, and 5.
- iLO 5 v1.35
- iLO 4 v2.61
- iLO 3 v1.90
Customers can also mitigate this vulnerability by taking one or more of the following actions:
- Disabling SSH entirely.
- Disabling serial port access entirely.
- Requiring serial port authentication.
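The bulletin gives the fixed firmware version per iLO generation and the interim mitigations. The following script, an added example and not HPE's own tooling, triages a firmware inventory against those thresholds: hosts below the fixed release for their generation are flagged with the fixed version and the mitigations listed above. The inventory records (hostnames, generations, version strings) are constructed sample data; the function and variable names are this example's own.

```python
"""Triage an iLO firmware inventory against HPE bulletin CVE-2018-7105.

Fixed versions are taken from the bulletin's RESOLUTION section:
iLO 5 v1.35, iLO 4 v2.61, iLO 3 v1.90. Everything else here is example code.
"""
import re
from typing import Dict, List, Optional, Tuple

# Fixed firmware version per iLO generation, as (major, minor), from the bulletin.
FIXED_VERSIONS: Dict[int, Tuple[int, int]] = {3: (1, 90), 4: (2, 61), 5: (1, 35)}

# Interim mitigations named in the bulletin, for hosts that cannot be updated yet.
MITIGATIONS = (
    "Disable SSH entirely",
    "Disable serial port access entirely",
    "Require serial port authentication",
)

# Accepts "v1.35" or "1.35"; HPE publishes iLO versions with two-digit minors,
# so the minor component is compared as an integer (1.90 > 1.35).
_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)$")


def parse_version(text: str) -> Tuple[int, int]:
    """Parse an iLO firmware version string into a comparable (major, minor) tuple."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised iLO version string: {text!r}")
    return int(m.group(1)), int(m.group(2))


def is_affected(generation: int, version: str) -> Optional[bool]:
    """True if the installed version is below the fixed release for its generation,
    False if it is at or above it, None if the generation is not covered by the bulletin."""
    fixed = FIXED_VERSIONS.get(generation)
    if fixed is None:
        return None
    return parse_version(version) < fixed


def triage(inventory: List[Tuple[str, int, str]]) -> List[dict]:
    """Return one finding per affected host: installed version, fixed version, mitigations."""
    findings = []
    for host, generation, version in inventory:
        if is_affected(generation, version):
            major, minor = FIXED_VERSIONS[generation]
            findings.append({
                "host": host,
                "generation": generation,
                "installed": version,
                "fixed": f"v{major}.{minor:02d}",
                "mitigations": MITIGATIONS,
            })
    return findings


# Constructed sample inventory: (hostname, iLO generation, firmware version string).
SAMPLE_INVENTORY: List[Tuple[str, int, str]] = [
    ("srv-a", 5, "v1.30"),
    ("srv-b", 5, "v1.35"),
    ("srv-c", 4, "2.55"),
    ("srv-d", 4, "v2.61"),
    ("srv-e", 3, "v1.88"),
    ("srv-f", 2, "v1.20"),  # iLO 2 is not in the bulletin's affected list
]

if __name__ == "__main__":
    for f in triage(SAMPLE_INVENTORY):
        print(f"{f['host']}: iLO {f['generation']} {f['installed']} < {f['fixed']}; "
              f"update, or meanwhile: {'; '.join(f['mitigations'])}")
```

Generations the bulletin does not list (iLO 2 in the sample) are reported as not covered rather than as safe, so they are not silently dropped from an audit; an unparseable version string raises rather than being treated as unaffected.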
HISTORY
- Version 1 (rev.1) – 13 September 2018: Initial release
- Version 2 (rev.2) – 22 October 2018: Revised CVSS metrics and scores; removed unnecessary CVE (CVE-2018-7106)
Third Party Security Patches: Third party security patches that are to be installed on systems running Hewlett Packard Enterprise (HPE) software products should be applied in accordance with the customer’s patch management policy.