topic Re: More information on iLOBleed Rootkit in Server Management - Remote Server Management

More information on iLOBleed Rootkit

steez — Thu, 06 Jan 2022 05:36:53 GMT

Hello everyone,

As you all may know an iLO security risk has been published by various sources named iLOBleed Rootkit.

Is there a KB, Advisory or any other document from HPE acknowledging the issue? What is the likelyhood of the systems to get infected? When should we receive an update for this threat and is there a CVS score for this?

Unfortunately I couldn't find any information about this threat, except for the non-HPE sources.

Re: More information on iLOBleed Rootkit

Johnmcc215 — Mon, 03 Jan 2022 21:51:01 GMT

https://securityaffairs.co/wordpress/126157/malware/ilobleed-wiper-hp-servers.html

Have been checking for an update since i read about this.

Re: More information on iLOBleed Rootkit

Johnmcc215 — Mon, 03 Jan 2022 22:24:53 GMT

Actually, seems HPE disclosed this in 2018.

https://www.techtarget.com/searchsecurity/news/252511500/Threat-actors-target-HPE-iLO-hardware-with-rootkit-attack

Re: More information on iLOBleed Rootkit

tashika92 — Tue, 04 Jan 2022 14:43:49 GMT

Is anybody got any more information about this? At the moment all I can see just copies of different articles on different websites.

It's pretty hard for an MSP to monitor customers ILO. Anybody got any tips or tricks to do this?

If you want or upgrade firmware do you need a valid warranty from HPE?

thanks

Tom

Re: More information on iLOBleed Rootkit

Torsten. — Tue, 04 Jan 2022 15:18:20 GMT

Avoid running old outdated firmware-

Keep the firmware current

https://support.hpe.com/hpesc/public/swd/detail?swItemId=MTX_97f5079671c84a11ac776a92cb

Re: More information on iLOBleed Rootkit

Tired_Admin — Tue, 04 Jan 2022 20:41:58 GMT

Is the issue actually resolved in updated firmware? I cant find anything from HPE to say it is

Re: More information on iLOBleed Rootkit

Superscouser — Tue, 04 Jan 2022 21:45:46 GMT

HPESBHF03769 rev.2 - HPE Integrated Lights-out 4 (iLO 4), and Moonshot Multiple Remote Vulnerabilities

Re: More information on iLOBleed Rootkit

techin — Wed, 05 Jan 2022 05:53:08 GMT

Read this sometime back:

https://www.hpe.com/us/en/insights/articles/rise-in-attacks-exposes-neglected-firmware-security-2111.html

Re: More information on iLOBleed Rootkit

Tired_Admin — Wed, 05 Jan 2022 18:29:01 GMT

I had opened a ticket with HPE support for this and they confirmed it was patched in 2017 as a previous poster reported

Greetings from HPE!

This is regarding the above mentioned HPE case.

The rootkit named iLOBleed is based on the malware module Implant.ARM.iLOBleed discovered in the iLO firmware.

The security vulnerability affects HPE Integrated Lights-out 4 (iLO 4) and was previously disclosed and patched in 2017. HPE Integrated Lights-out 5 (iLO 5) is not affected.

Actions: HPE provided firmware updates in 2017 to resolve the HPE Integrated Lights-out vulnerability. Customers need to follow the remedial steps previously provided in 2017 to upgrade HPE Integrated Lights-out 4 (iLO4). See the security bulletin mentioned below:

This is an exploit of a vulnerability that was disclosed and patched in 2017.

For More Information: The following security bulletin published under CVE (CVE-2017-12542) provide more information and remedial steps to upgrade HPE Integrated Lights-out 4 (iLO 4).

HPE Integrated Lights-out 4 (iLO 4), and Moonshot Multiple Remote Vulnerabilities - https://support.hpe.com/hpesc/public/docDisplay?docLocale=en_US&docId=hpesbhf03769en_us

Re: More information on iLOBleed Rootkit

Nafisi — Fri, 14 Jan 2022 12:22:52 GMT

Hi
I'm from Amnpardaz, which found the rootkit.

I want to clarify some important points that i think if missed, you'll beleive you're safe while you are not.

1 - We've seen fully patched G7 to G9 and even G10 servers' firmware affected by these attacks, while the persistent malware (aka iLOBleed) was currently found only in iLO-4 (G8, G9).

2 - You're not safe even if you've applied the latest patches, because:

a) If your firmware is infected before you upgrade it, the malware will simulate the firmware upgrade process. You'll notice nothing wrong and think you're safe and using the latest patches, while you're not.

b) If you're lucky and have upgraded the firmware before any infections occurred, you're still at risk: HP servers allow downgrading firmware to lower vulnerable versions. So all it takes for the attacker is to downgrade, infect and upgrade it for you.

3 - There is a mechanism in G10 servers (iLO 5) to prevent downgrade. But this is not enabled by default and you have to enable it manually, which maybe you should do right now. (Older servers don't have this option, and until I missed something, there is no way to protect them that I know of)

4 - Currently there is no trusted way to "directly" verify a server's firmware. In fact, there is no way to verify it at all. For this we're publishing a tool soon.

Re: More information on iLOBleed Rootkit

Nafisi — Sat, 29 Jan 2022 06:46:18 GMT

Just wanted to say that the iLO Scanner has been published as opensource:

https://kb.amnpardaz.com/en/2022/562/what-is-ilobleed/

There, you can find a hopefully useful FAQ about iLOBleed and how to protect against it, too.