- HP ILO 4 ERROR RETRIEVING KEY HOW TO
- HP ILO 4 ERROR RETRIEVING KEY INSTALL
- HP ILO 4 ERROR RETRIEVING KEY UPGRADE
- HP ILO 4 ERROR RETRIEVING KEY FULL
- HP ILO 4 ERROR RETRIEVING KEY PRO
Heap buffer overflow in HTTP headers processing (CVE-2017-12542)
HP ILO 4 ERROR RETRIEVING KEY PRO
A quick Shodan indicates that some iLO interfaces are even directly connected to the Internet.Īfter a few hours of reverse enginnering to understand the memory layout and the various embedded libraries, the webserv binary can be correctly loaded in IDA Pro and analyzed. The most interesting target to look at is the webserver, which is very often exposed to the LAN, even if HP recommends to connect the iLO administration interface to a dedicated administration network. Fortunately, the firmware is signed, but not encrypted, meaning that we can start looking for vulnerabilities without having to desolder the flash chip! It is usually distributed as a PE file containing a big binary file which is sent to the iLO. ILO firmware can be directly downloaded from HP website.
Interestingly, the iLO runs even if the server is turned off, and is directly connected to the main PCI-express bus.Īll its features and its crucial position in the server hardware makes iLO a really juicy target from an attacker's point of view. On the software side, the operating system is the proprietary RTOS GreenHills Integrity. It has a dedicated flash chip to hold its firmware, a dedicated RAM chip and a dedicated network interface. Regarding the technical aspects, iLO 4 runs on a dedicated ARM micro-processor embedded in the server, and is totally independant from the main processor. All these interfaces represent a huge attack surface for a critical, embedded component.
Such features include power management, remote system console, remote CD/DVD image mounting, as well as many monitoring indicators.Īll these features can be accessed using the IPMI protocol, but also through various interfaces such as SSH, HTTPS, SNMP, and XML / JSON APIs. It provides every feature required by a system administrator to remotely administer a server without having to reach it physically. ILO is the server management solution embedded in almost every HP server for more than 10 years.
HP ILO 4 ERROR RETRIEVING KEY FULL
We plan to release the full details of our study in an upcoming conference, stay tuned! Introduction We thus decided to give some details so that HP iLO administrators could understand the impacts and protect their servers. Now that a security bulletin and a fixed firmware have been released by HP (4 months ago), there is a significant risk that the vulnerability has been found by people doing binary diffing between two versions of the firmware. The PoC exploits for the flaw are available at the following URLs:Ī Metasploit module for the flaw is available here.This vulnerability has been found during a security study of HP iLO performed by Alexandre Gazet from Airbus and Fabien Perigaud. The experts presented their findings at some security conferences, including the ReCon Brussels ( Slides, research paper ) and SSTIC 2018. The flaw affects HP iLO 4 servers running firmware version prior to 2.53.
HP ILO 4 ERROR RETRIEVING KEY UPGRADE
The good news is that HP addressed the flaw in August 2017 with the release of the iLO 4 firmware version 2.54, for this reason, system administrators need to upgrade their servers.
HP ILO 4 ERROR RETRIEVING KEY HOW TO
In the following images, the experts demonstrate how to bypass iLO authentication, in this case how to retrieve a local user’s password in cleartext. The experts discovered that it is possible to exploit issue by using a cURL request and 29 letter “A” characters: curl -H "Connection: AAAAAAAAAAAAAAAAAAAAAAAAAAAAA" The flaw could be exploited by a remote authenticated attack to access to HP iLO consoles, extract cleartext passwords, execute malware, and even replace iLO firmware. The flaw was discovered by three security researchers (Fabien Périgaud from Synacktiv, Alexandre Gazet from Airbus, and the independent security researcher Joffrey Czarny) last year and potentially expose any iLO servers exposed online at risk.
HP ILO 4 ERROR RETRIEVING KEY INSTALL
ILO cards allow administrators to perform a broad range of management activities in a company network, including to install firmware remotely and provide access to a remote console. The physical connection is an Ethernet port that can be found on most Proliant servers and microservers of the 300 and above series.” reads Wikipedia. “Integrated Lights-Out, or iLO, is a proprietary embedded server management technology by Hewlett-Packard which provides out-of-band management facilities.
0 kommentar(er)
