SUPPORT COMMUNICATION – SECURITY BULLETIN
Document ID: hpesbhf03894en_us
Release Date: 2018-11-03
Last Updated: 2018-11-03
Potential Security Impact: Local: Bypass Security Restrictions
Source: Hewlett Packard Enterprise, HPE Product Security Response Team
VULNERABILITY SUMMARY
A security vulnerability in HPE Integrated Lights-Out 5 (iLO 5) prior to v1.37 could be locally exploited to bypass the security restrictions for firmware updates.
References: CVE-2018-7113
SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.
HPE Integrated Lights-Out 5 (iLO 5) for HPE Gen10 Servers – Prior to v1.37
BACKGROUND
CVSS Version 3.0 and Version 2.0 Base Metrics
| Reference | V3 Vector | V3 Base Score | V2 Vector | V2 Base Score |
|---|---|---|---|---|
| CVE-2018-7113 | CVSS:3.0/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L | 6.4 | (AV:L/AC:L/Au:N/C:C/I:C/A:P) | 6.8 |
Information on CVSS is documented in HPE Customer Notice: HPSN-2008-002
HPE would like to thank Fabien Perigaud of Synacktiv, Joffrey Czarny of Medallia, and Alexandre Gazet of the Airbus Evaluation Team for reporting this issue to [email protected]
RESOLUTION
HPE has provided the following software updates and mitigation information to resolve the vulnerability in HPE Integrated Lights-Out 5 (iLO 5):
* Install HPE Integrated Lights-Out 5 (iLO 5) v1.37
HISTORY
Version:1 (rev.1) – 2 November 2018 Initial release