Want to know how easy it is to bypass authentication measures in an HPE Integrated Lights-Out 4 (iLO 4) server? Make a cURL request and then type the letter “A” 29 times.
It’s that easy. Seriously.
As noted by BleepingComputer, the vulnerability affecting these servers was found last year by a group of three security researchers, who detailed their findings in a research paper. According to the paper, the vulnerability can be exploited remotely as well.
SEE: Network security policy (Tech Pro Research)
This is what it looks like:
curl -H "Connection: AAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
Using this exploit, someone could find cleartext user credentials, change the iLO firmware, or execute malicious code, the paper said. The vulnerability ( CVE-2017-12542) is rated a 9.8 out of 10, making it critical.
A noted by BleepingComputer, the vulnerability was discovered in early 2017 and was actually patched in August 2017. Admins can find the original HPE security bulletin here. According to the bulletin, only HP iLO 4 servers running firmware version 2.53 or earlier were affected.
“If they are not actively used, completely disabling the feature is a good practice,” the paper noted. “Otherwise, administrators should take great care to keep their systems up to date whenever possible. Network-level isolation should be put in place to ensure that iLO systems can only be accessed from dedicated administration VLANs.”
Upon compromise, wiping and reinstalling the host OS isn’t enough, the paper said. At that point, the hardware should be considered untrusted as well.
The research has recently come to light because that the team has been presenting their findings this summer. A video of one of the presentations in French can be found at the SSTIC website.
The big takeaways for tech leaders:
- A vulnerability in HPE iLO 4 servers can be exploited by typing the A key 29 times.
- HPE iLO 4 server users should patch their systems to avoid this vulnerability, which affects firmware versions 2.53 and earlier.