Home Patch HPE HPESBHF03866 rev.2 – HPE Integrated Lights-Out 3,4,5 using SSH, Remote Execution of...

HPESBHF03866 rev.2 – HPE Integrated Lights-Out 3,4,5 using SSH, Remote Execution of Arbitrary Code, Local Disclosure of Sensitive Information

Stefano Mereghetti

25 Ottobre 2018

771

Release Date: 2018-10-22

Last Updated: 2018-09-13

Potential Security Impact: Local: Disclosure of Sensitive Information; Remote: Arbitrary Code Execution

Source: Hewlett Packard Enterprise, HPE Product Security Response Team

VULNERABILITY SUMMARY

A security vulnerability in HPE Integrated Lights-Out (iLO) 3, 4, and 5 could be remotely exploited by an administrator to execute arbitrary code and allow Local Disclosure of Sensitive Information.

References: CVE-2018-7105 – Remote execution of arbitrary code, Local Disclosure of Sensitive Information

SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.

HPE Integrated Lights-Out 5 (iLO 5) for HPE Gen10 Servers prior to v1.35
HPE Integrated Lights-Out 4 (iLO 4) prior to v2.61
HPE Integrated Lights-Out 3 (iLO 3) prior to v1.90

BACKGROUND

CVSS Version 3.0 and Version 2.0 Base Metrics

Reference	V3 Vector	V3 Base Score	V2 Vector	V2 Base Score
CVE-2018-7105	CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H	7.2	(AV:N/AC:L/Au:S/C:C/I:C/A:C)	9.0

Information on CVSS is documented in HPE Customer Notice: HPSN-2008-002

Hewlett Packard Enterprise would like to thank Le bureau Audit en Sécurité de l’ANSSI for reporting this vulnerability to [email protected]

RESOLUTION

HPE has provided the following software updates and mitigation information to resolve the vulnerability in HPE Integrated Lights-Out 3, 4, and 5.

* iLO 5 v1.35
* iLO 4 v2.61
* iLO 3 v1.90

Customers can also mitigate this vulnerability by taking one or more of the following actions:

Disabling SSH entirely.
Disabling serial port access entirely.
Requiring serial port authentication.

HISTORY

Version:1 (rev.1) – 13 September 2018 Initial release
Version:2 (rev.2) – 22 October 2018 Revised CVSS Metrics and Scores, removed unnecessary CVE – CVE-2018-7106

Third Party Security Patches: Third party security patches that are to be installed on systems running Hewlett Packard Enterprise (HPE) software products should be applied in accordance with the customer’s patch management policy.

Cookie	Durata	Descrizione
cookielawinfo-checbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.