New iLO 4 and iLO 5 firmware for security vulnerabilities

Kipp_Glover
HPE Pro

Good day all! Just yesterday (May 18, 2021) a SimpliVity Security Bulletin was released. There is new iLO 4 and iLO 5 firmware (2.78 and 2.44) to address multiple remote and local vulnerabilities.

VULNERABILITY SUMMARY

Multiple potential security vulnerabilities have been identified in HPE Integrated Lights-Out 5 (iLO 5) and HPE Integrated Lights-Out 4 (iLO 4). The vulnerabilities are XSS, CR-LF injection, DOM XSS and several buffer overflow vulnerabilities. The XSS, CR-LF injection and DOM XSS are against authenticated privileged iLO users of the iLO web interface. The iLO buffer overflow vulnerabilities can be exploited by a privileged user on a host OS to run code on the iLO as a privileged user.

For details and resolution, please refer to the security bulletin: https://support.hpe.com/hpesc/public/docDisplay?docLocale=en_US&docId=hpesbhf04134en_us

The iLO firmware can be applied on top of 4.1.0, 4.0.1 U1 & 3.710 U1 OmniStack Versions.

Cheers!
/Kipp

I work for HPE
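As an added example (not code from this thread, from HPE or from the bulletin), here is a small Python triage helper that parses iLO firmware version strings and reports which hosts are still below the 2.78 (iLO 4) / 2.44 (iLO 5) levels named in the post. It assumes the version strings are in the form the Redfish Managers resource reports in its FirmwareVersion field (e.g. "iLO 5 v2.44"); the inventory values below are constructed for the demonstration.

```python
import re
from typing import Dict, List, Optional, Tuple

# Minimum fixed firmware levels taken from the bulletin post above: iLO 4 -> 2.78, iLO 5 -> 2.44.
FIXED_VERSIONS: Dict[int, Tuple[int, int]] = {4: (2, 78), 5: (2, 44)}

# Assumed string shape: "iLO 5 v2.44" / "iLO 4 v2.75" (Redfish FirmwareVersion style).
_VERSION_RE = re.compile(r"iLO\s*(?P<gen>[45])\s*v?\s*(?P<major>\d+)\.(?P<minor>\d+)", re.IGNORECASE)


def parse_ilo_version(firmware_version: str) -> Optional[Tuple[int, Tuple[int, int]]]:
    """Return (generation, (major, minor)) for an iLO 4/5 version string, or None if it is
    not an iLO 4/5 string (other generations are out of scope for this bulletin)."""
    match = _VERSION_RE.search(firmware_version)
    if match is None:
        return None
    return int(match.group("gen")), (int(match.group("major")), int(match.group("minor")))


def needs_update(firmware_version: str) -> Optional[bool]:
    """True if the firmware is older than the fixed level for its generation,
    False if it is at or above it, None if the string could not be classified."""
    parsed = parse_ilo_version(firmware_version)
    if parsed is None:
        return None
    generation, version = parsed
    return version < FIXED_VERSIONS[generation]  # tuple compare: (2, 75) < (2, 78)


def triage(inventory: Dict[str, str]) -> Dict[str, List[str]]:
    """Bucket hosts by update status so the list can feed a change ticket."""
    report: Dict[str, List[str]] = {"needs_update": [], "up_to_date": [], "unknown": []}
    for host, firmware in inventory.items():
        state = needs_update(firmware)
        bucket = "unknown" if state is None else ("needs_update" if state else "up_to_date")
        report[bucket].append(host)
    return report


# Constructed sample inventory (hostnames and versions are made up for this example).
SAMPLE_INVENTORY: Dict[str, str] = {
    "svt-node-01": "iLO 5 v2.33",   # below 2.44 -> needs the new firmware
    "svt-node-02": "iLO 5 v2.44",   # exactly the fixed level
    "svt-node-03": "iLO 4 v2.75",   # below 2.78 -> needs the new firmware
    "svt-node-04": "iLO 4 v2.78",
    "svt-node-05": "iLO 3 v1.90",   # not covered by this bulletin
}

if __name__ == "__main__":
    for bucket, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{bucket}: {', '.join(hosts) or '-'}")
```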
Mohsina_4
HPE Pro

Re: New iLO 4 and iLO 5 firmware for security vulnerabilities

Hi @Kipp_Glover ,

Thank you so much for posting this information and I am sure this would be of great use to our customers.

Regards,

Mohsina

EricLeonard
Occasional Contributor

Re: New iLO 4 and iLO 5 firmware for security vulnerabilities

Hello

Still no news about the CVE-2021-44228 mitigation and its compatibility with SimpliVity...

10 working days have passed, and still awaiting a post on SimpliVity regarding the issues.

Only reference found is that SVT 325 G10 is not affected...

Rgds,

Eric

Any sufficiently advanced bug is indistinguishable from a feature.
B0ris
Frequent Advisor

Re: New iLO 4 and iLO 5 firmware for security vulnerabilities

Does @HPE have any information about the new iLO rootkit attack vulnerability?

https://www.techtarget.com/searchsecurity/news/252511500/Threat-actors-target-HPE-iLO-hardware-with-rootkit-attack

B0ris
Frequent Advisor

Re: New iLO 4 and iLO 5 firmware for security vulnerabilities

I have found a response from HPE in another topic:

Greetings from HPE!


This is regarding the above mentioned HPE case.

The rootkit named iLOBleed is based on the malware module Implant.ARM.iLOBleed discovered in the iLO firmware.

The security vulnerability affects HPE Integrated Lights-out 4 (iLO 4) and was previously disclosed and patched in 2017. HPE Integrated Lights-out 5 (iLO 5) is not affected.

Actions: HPE provided firmware updates in 2017 to resolve the HPE Integrated Lights-out vulnerability. Customers need to follow the remedial steps previously provided in 2017 to upgrade HPE Integrated Lights-out 4 (iLO4). See the security bulletin mentioned below:

This is an exploit of a vulnerability that was disclosed and patched in 2017.

For More Information: The following security bulletin published under CVE (CVE-2017-12542) provides more information and remedial steps to upgrade HPE Integrated Lights-out 4 (iLO 4).

HPE Integrated Lights-out 4 (iLO 4), and Moonshot Multiple Remote Vulnerabilities - https://support.hpe.com/hpesc/public/docDisplay?docLocale=en_US&docId=hpesbhf03769en_us

MikeSeden
HPE Pro

Re: New iLO 4 and iLO 5 firmware for security vulnerabilities

To add to B0ris' post, the firmware for the iLO is available in the support portal. Just sign in to your account and click on my software.


While I am an HPE Employee, all of my comments (whether noted or not), are my own and are not any official representation of the company