HPESBHF03866 rev.2 – HPE Integrated Lights-Out 3,4,5 using SSH, Remote Execution of Arbitrary Code, Local Disclosure of Sensitive Information


Release Date: 2018-10-22

Last Updated: 2018-09-13

Potential Security Impact: Local: Disclosure of Sensitive Information; Remote: Arbitrary Code Execution

Source: Hewlett Packard Enterprise, HPE Product Security Response Team


A security vulnerability in HPE Integrated Lights-Out (iLO) 3, 4, and 5 could be remotely exploited by an administrator to execute arbitrary code and allow Local Disclosure of Sensitive Information.

References: CVE-2018-7105 – Remote execution of arbitrary code, Local Disclosure of Sensitive Information

SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.

  • HPE Integrated Lights-Out 5 (iLO 5) for HPE Gen10 Servers prior to v1.35
  • HPE Integrated Lights-Out 4 (iLO 4) prior to v2.61
  • HPE Integrated Lights-Out 3 (iLO 3) prior to v1.90


CVSS Version 3.0 and Version 2.0 Base Metrics

ReferenceV3 VectorV3 Base ScoreV2 VectorV2 Base Score

Information on CVSS is documented in HPE Customer Notice: HPSN-2008-002

Hewlett Packard Enterprise would like to thank Le bureau Audit en Sécurité de l’ANSSI for reporting this vulnerability to [email protected]


HPE has provided the following software updates and mitigation information to resolve the vulnerability in HPE Integrated Lights-Out 3, 4, and 5.

* iLO 5 v1.35 
* iLO 4 v2.61 
* iLO 3 v1.90 

Customers can also mitigate this vulnerability by taking one or more of the following actions:

  • Disabling SSH entirely.
  • Disabling serial port access entirely.
  • Requiring serial port authentication.


  • Version:1 (rev.1) – 13 September 2018 Initial release
  • Version:2 (rev.2) – 22 October 2018 Revised CVSS Metrics and Scores, removed unnecessary CVE – CVE-2018-7106

Third Party Security Patches: Third party security patches that are to be installed on systems running Hewlett Packard Enterprise (HPE) software products should be applied in accordance with the customer’s patch management policy.