A Vulnerability in HPE iLO4 Servers Could Allow for Remote Code Execution
MS-ISAC ADVISORY NUMBER:2018-075
A vulnerability has been discovered in HPE Integrated Lights-Out 4 (iLO 4) servers, which could allow for remote code execution. HPE iLO 4 is an embedded server management tool used for out-of-band management. Successful exploitation of this vulnerability could result in remote code execution or authentication bypass. Successful exploitation of the vulnerability could result in the extraction of plaintext passwords, addition of an administrator account, execution of malicious code, or replacement of iLO firmware.
This vulnerability (CVE-2017-12542) was first discovered on February 2017, with patches released in August 2017. However, additional details on the vulnerability and exploit code were recently published in multiple open-source media reports, and a Metasploit module is available, significantly increasing the risk to vulnerable systems.
- HPE iLO 4 prior to 2.54
- Large and medium government entities: HIGH
- Small government entities: HIGH
- Large and medium business entities: HIGH
- Small business entities: HIGH
A vulnerability (CVE-2017-12542) has been discovered in HPE iLO 4, which could allow for remote code execution or authentication bypass. Execution of the vulnerability requires an attacker to cURL to the affected server, followed by 29 “A” characters. Successful exploitation of the vulnerability could result in the extraction of plaintext passwords, addition of an administrator account, execution of malicious code, or replacement of iLO firmware.
We recommend the following actions be taken:
- Verify no unauthorized system modifications have occurred on system before applying patch.
- Apply appropriate updates provided by HPE to vulnerable systems, immediately after appropriate testing.
- Restrict inbound access to only authorized IP addresses, machines, and/or users.