HPESBHF03894 rev.1 – HPE Integrated Lights-Out 5 (iLO 5) Firmware Updates, Local Bypass of Security Restrictions

SUPPORT COMMUNICATION – SECURITY BULLETIN

Document ID: hpesbhf03894en_us

Release Date: 2018-11-03

Last Updated: 2018-11-03


Potential Security Impact: Local: Bypass Security Restrictions

Source: Hewlett Packard Enterprise, HPE Product Security Response Team

VULNERABILITY SUMMARY

A security vulnerability in HPE Integrated Lights-Out 5 (iLO 5) prior to v1.37 could be locally exploited to bypass the security restrictions for firmware updates.

References: CVE-2018-7113

SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.

HPE Integrated Lights-Out 5 (iLO 5) for HPE Gen10 Servers – Prior to v1.37

BACKGROUND

CVSS Version 3.0 and Version 2.0 Base Metrics

Reference: CVE-2018-7113
V3 Vector: CVSS:3.0/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L
V3 Base Score: 6.4
V2 Vector: (AV:L/AC:L/Au:N/C:C/I:C/A:P)
V2 Base Score: 6.8

Information on CVSS is documented in HPE Customer Notice: HPSN-2008-002

HPE would like to thank Fabien Perigaud of Synacktiv, Joffrey Czarny of Medallia, and Alexandre Gazet of the Airbus Evaluation Team for reporting this issue to [email protected].

RESOLUTION

HPE has provided the following software updates and mitigation information to resolve the vulnerability in HPE Integrated Lights-Out 5 (iLO 5):

* Install HPE Integrated Lights-Out 5 (iLO 5) v1.37

HISTORY

Version: 1 (rev.1) – 2 November 2018: Initial release