topic Re: iLO 4 Ripple20 in Server Management - Remote Server Management

iLO 4 Ripple20

shenanigans — Wed, 05 Aug 2020 11:03:41 GMT

Currently HP lists iLO 2 and 5 on this Ripple20 page but iLO 4 is not listed. is HP developing a patch for Ripple 20 for iLO 4 devices. (HP Gen 8 and Gen9 servers in our case)

https://techhub.hpe.com/eginfolib/securityalerts/Ripple20/Ripple20.html

Re: iLO 4 Ripple20

MissionCritical — Wed, 05 Aug 2020 17:18:45 GMT

Our team was wondering this as well. We have a bunch of iLo 3 and 4's showing up on our vulnerability reports, yet on the page you sent, they are not listed. Does anyone know if HPE is working on updating these versions of iLo as well ?

Re: iLO 4 Ripple20

rwagenmann — Wed, 05 Aug 2020 23:25:49 GMT

I reached out to HPE Support who sent me to HPE Cyber Security who sent me to the HPE Product Security Response Team. They reported the following:

HPE product engineering teams are still in the process of evaluating Ripple20 product impacts, and implementing and testing patches for impacted products. HPE will not disclose impacted products until patches are available for them. HPE PSRT will issue or revise security bulletins and update the Security Vulnerability Alerts Ripple20 web page for impacted products when those patches become available.

It looks like it may be impacted, but HPE hasn't released a fix for it so they won't confirm it. If you look more into the Nessus scan results, you will see that it's only reporting that the Treck stack was found on that device, but not that it was vulnerable. Tenable has a blog post online that they will be releasing plugins for the individual vulnerabilities as they develop them. You can see the list of vulnerabilities using this plugin search. Right now, only 137702 is shown which just detects the stack, but the others should show up over time.

Re: iLO 4 Ripple20

shenanigans — Wed, 05 Aug 2020 23:35:36 GMT

thank you for reaching out to support on our behalf. we will be watching the page for sure.

Re: iLO 4 Ripple20

Ravi2019 — Thu, 06 Aug 2020 09:27:37 GMT

Hello sir,

iLO 4 security feature Ripple20 is need to modify with firmware or write a protactive feature.

furtht to get the support on the ILO 4 ecureity fueature, kindly reach to HPE security support team.

HPE Integrated Lights Out (iLO 4) - Document List

https://internal.support.hpe.com/hpesc/public/docDisplay?docLocale=en_US&docId=a00043732en_us

HPE PRODUCT SECURITY PRACTICES

https://www.hpe.com/in/en/services/security-vulnerability.html

Thank you

Ravi swamy

Re: iLO 4 Ripple20

rwagenmann — Thu, 06 Aug 2020 14:49:18 GMT

Ravi2019,

I contacted HPE support and no firmware or confirmation of the vulnerability is available. They did confirm they are still reviewing some products and won't make any statements until a patch is available. The latest ILO 4 firmware is 4.73 which was released before the Ripple20 vulnerabilities were publicized.

Re: iLO 4 Ripple20

Raviswamy — Fri, 07 Aug 2020 17:04:30 GMT

Hello Sir,

thanks for your update.

As the iLO security feature is not available, further to isolate and fix the security feature what I suggest log a support case with HPE.

Regards

Ravi swamy

Re: iLO 4 Ripple20

rwagenmann — Tue, 11 Aug 2020 15:09:38 GMT

Raviswamy,

As stated in my last reply, I did submit a support case. They said what I included in my replay to shenanigans above.

Re: iLO 4 Ripple20

rwagenmann — Tue, 18 Aug 2020 21:23:33 GMT

The HPE Product Security Team just notified me that HPE has confirmed the vulnerability with ILO 4 and released firmware 2.75 to fix it. You can download the latest firmware from the HPE Support Center.