HPE Community
ProLiant Servers (ML,DL,SL)
1753448 Members
4952 Online
108794 Solutions
New Discussion

Re: Security issue with ILO4

 
SOLVED
Go to solution
Mauro1967
Occasional Contributor

‎07-06-2017 06:42 AM

‎07-06-2017 06:42 AM

Security issue with ILO4

Hi!

My University is scanning all the campus servers with Nessus Vulnerability Scanner and they are complaining that my ILO4 (firmware 1.10 July 17 2012) on ProLiant ML350p Gen8 HP server has a "medium" risk level of vulnerability, so they are asking to solve this issue as soon as possible, to avoid potential attacks.

I enclose the "medium" risk entries of the report: all the problems are connected with the 443/tcp port, it seems I should update the version of SSL protocol to improve cipher, encription and certificate...

Actually I do not know what to do in practice, but I am also very cautious since ILO is very useful to monitor the system and I don't want to lose functionalities.

Is anybody able to help me safely in this respect?

Thank you very much in advance!

Mauro

 

0 Kudos
Reply
4 REPLIES 4
Jimmy Vance
HPE Pro

‎07-06-2017 06:55 AM

‎07-06-2017 06:55 AM

Re: Security issue with ILO4

Update to the latest iLO4 firmware and have them scan it again.  You are running a very very old version of iLO firmware. Many securty fixes/enhancments have been added.

http://h20565.www2.hpe.com/hpsc/swd/public/readIndex?sp4ts.oid=1009143853&lang=en&cc=us  Select your OS and then exapnd the firmware tab

You can review the revision history to see the changes that have been made

 

No support by private messages. Please ask the forum! 
0 Kudos
Reply
Mauro1967
Occasional Contributor

‎07-06-2017 07:13 AM

‎07-06-2017 07:13 AM

Re: Security issue with ILO4

Dear Jimmy, thank you indeed for the quick suggestion, I will do the update.

However my Operative System is:

CentOS release 6.2 (Final)

which is not present in the list of the web page you suggested me.

Which one should I use? Actually I thought that ILO is

independent with respect to the OS, is it really important

to match the OS?

thank you again

Mauro

0 Kudos
Reply
Jimmy Vance
HPE Pro

‎07-06-2017 07:30 AM

‎07-06-2017 07:30 AM

Re: Security issue with ILO4

If your not going to update via the host OS, it is not important to match the OS. You do need to download the firmware file in a verision your client can deal with to extract the binary firmware image. You can then update the image via the web interface.   For CentOS the Red Hat file should work without issue

 

 

No support by private messages. Please ask the forum! 
0 Kudos
Reply
Mauro1967
Occasional Contributor

‎07-07-2017 05:34 AM

‎07-07-2017 05:34 AM

Solution

Re: Security issue with ILO4

Dear Jimmy,

ok, I will update to the latest iLO4 firmware first,

then I will check if the security issues will disappear (hopefully)!

Thank you again!

Mauro

 

0 Kudos
Reply
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.