HPE Community
Server Management - Remote Server Management
1752815 Members
5754 Online
108789 Solutions
New Discussion

iLO 2 Qualys Vulnerability Report Remediation CVE-2011-3389 Qualys QID: 42366

 
DigitalNomadIL
Occasional Contributor

‎04-21-2015 10:36 AM

‎04-21-2015 10:36 AM

iLO 2 Qualys Vulnerability Report Remediation CVE-2011-3389 Qualys QID: 42366

Hello All,

 

I have an open ticket with HP support that hasn't moved on this issue so I'm hoping that someone may be able to offer some options.

Under heightened security, a recent scan of iLO 2's revealed a few unreasolvable vulnerabilities specifically  the SSLv3.0/TLSv1.0 Protocol Weak CBC Mode Server Side Vulnerability (BEAST) port 443/tcp over SSL  and an inability to use TLS 1.2

 

So far, 

I've Flashed the ilo to the latest firmware release 2.27

Disabled ipmi

Created internal CA Certificate

Enabled AES/3DES Encryption

 

Does anyone have any insite on this or an idea of what the current recommended and or planned mitigation for this issue?


Is there a way to change CIPHER Priority? Command Line options?
Is there a way to disable all < TLS 1.1\1.2? Is the ilo even capable of 1.1\.2? are there any command line options.

 

I know that this takes security to the nth degree on these devices but that's the new world

 

Any help would be appreciated, many thanks

 

DGN

0 Kudos
Reply
1 REPLY 1
Oscar A. Perez
Honored Contributor

‎04-22-2015 06:09 AM - edited ‎04-24-2015 08:38 AM

‎04-22-2015 06:09 AM - edited ‎04-24-2015 08:38 AM

Re: iLO 2 Qualys Vulnerability Report Remediation CVE-2011-3389 Qualys QID: 42366

The fix for CVE-2011-3389 (a.k.a.  BEAST) went into iLO2 v2.12

 

Once you have installed on each of your iLOs a "trusted" SSL Certificate signed by your own Certification Authority, go to iLO2 webUI->Administration->Access->Options and ensure that the option called "SSL empty records for CBC-Mode Cipher suite" is enabled.

 

Both SSLv3 (now deprecated) and TLS 1.0 can be safely used with CBC cipher-suites once the SSL empty records fix is enabled.

 

Some port scanners falsely flag iLO2 as vulnerable to BEAST .  Try a scanner that actually does the proper BEAST test and then scan iLO2 with the SSL empty records setting enabled and disabled.

 

 

Of course, if you still have the default Self-Signed SSL Certificates in place, you have bigger problems since you are vulnerable to MITM attacks no matter what.

 

Regards,

Oscar




__________________________________________________
If you feel this was helpful please click the KUDOS! thumb below!
0 Kudos
Reply
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.