ProLiant Servers (ML,DL,SL)

iLO 4 firmware v1.51 & OpenSSL 'ChangeCipherSpec' MiTM Vulnerability

pablo808
Occasional Collector


I have a set of HP DL380p G8 servers with iLO 4.

 

The Nessus security scanners are picking up a high vulnerability on the iLO IPs with the latest firmware v1.51 (23 June 2014) installed

 

OpenSSL 'ChangeCipherSpec' MiTM Vulnerability on TCP/443

CVE-2014-0224

https://www.openssl.org/news/secadv_20140605.txt

 

When can we expect an updated firmware to be released to address this?

 

Thanks.

 

4 REPLIES
Fer_HP
Occasional Visitor

Re: iLO 4 firmware v1.51 & OpenSSL 'ChangeCipherSpec' MiTM Vulnerability

I am having the same problem but I cannot find any update on the HP website regarding this.

 

I guess we'll need to wait for HP to release a new firmware for iLO4.

 

Btw, I am running 1.51 too.

 

Oscar A. Perez
Honored Contributor

Re: iLO 4 firmware v1.51 & OpenSSL 'ChangeCipherSpec' MiTM Vulnerability

Quick question.

 

Do your iLOs have the self-signed SSL certificate that iLO automatically creates, or have you replaced the self-signed certs with your own 'valid' SSL certificates?




__________________________________________________
If you feel this was helpful please click the KUDOS! thumb below!
Fer_HP
Occasional Visitor

Re: iLO 4 firmware v1.51 & OpenSSL 'ChangeCipherSpec' MiTM Vulnerability

I have the self-signed SSL certificate that iLO creates by default.

Oscar A. Perez
Honored Contributor

Re: iLO 4 firmware v1.51 & OpenSSL 'ChangeCipherSpec' MiTM Vulnerability

If you have the default self-signed SSL certificate then you are vulnerable to MiTM attacks no matter what.

 

So, if you are really into securing your environment, please get those self-signed SSL certificates replaced with SSL certificates signed by your own trusted Certification Authority, and also instruct all your users not to ignore browser warnings about "untrusted certificates" when logging into your iLOs.

 

 

About the CCS Injection vulnerability: most security scanners are doing a poor job detecting it, and this is causing lots of false positives out there, just like in this iLO4 case.

The scanner is expecting that the SSL server will always send out an SSL alert when an early Change Cipher Spec is received, but some SSL libraries (like the one used in iLO4) just silently drop the early Change Cipher Spec message and never send out an alert.

RFC 5246 is not clear about what to do with early Change Cipher Spec messages, so it's been up to each SSL implementation out there to decide what to do with early CCS.

 

 




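The three server behaviours described in the reply above (alert on the early CCS, handshake continues after the early CCS, silent drop with no alert) are what a scanner has to tell apart. The probe below is an added example written for this thread; it is not HP, iLO or Nessus code. It builds a minimal TLS 1.0 ClientHello, sends an early ChangeCipherSpec after the server's first flight, and maps the reply to a three-way verdict instead of the two-way "alert or vulnerable" rule that produces the false positive. The mapping of alert codes to verdicts (unexpected_message means the CCS was rejected; bad_record_mac or decryption_failed after the CCS means the server installed keys derived from an empty master secret, the CVE-2014-0224 behaviour) follows the publicly documented probes for this CVE and is an assumption of this example, as is the second CCS sent to provoke a reply from a server that says nothing after the first. The `classify()` function works on captured bytes, so it can be exercised offline on constructed records; only `probe()` touches the network.

```python
"""Early-ChangeCipherSpec probe (CVE-2014-0224) with a three-way verdict.

Added example for this thread, not HP's, iLO's or Nessus's code.
Alert-to-verdict mapping and the double-CCS pattern are assumptions
taken from public probes for this CVE.
"""
import os
import socket
import struct

CT_CCS, CT_ALERT, CT_HANDSHAKE = 0x14, 0x15, 0x16
TLS10 = (3, 1)
# Alert descriptions from RFC 5246 section 7.2
ALERT_UNEXPECTED_MESSAGE = 10
ALERT_BAD_RECORD_MAC = 20
ALERT_DECRYPTION_FAILED = 21


def tls_record(ctype, body, version=TLS10):
    """Wrap a body in a TLS record header: type, version, 16-bit length."""
    return struct.pack("!BBBH", ctype, version[0], version[1], len(body)) + body


def client_hello(version=TLS10):
    """Minimal ClientHello offering three RSA suites, no extensions."""
    suites = bytes.fromhex("002f0035000a")  # AES128-SHA, AES256-SHA, 3DES-SHA
    body = (bytes(version) + os.urandom(32) + b"\x00"   # version, random, empty session id
            + struct.pack("!H", len(suites)) + suites
            + b"\x01\x00")                                # one compression method: null
    hs = b"\x01" + len(body).to_bytes(3, "big") + body    # HandshakeType client_hello
    return tls_record(CT_HANDSHAKE, hs, version)


def parse_records(buf):
    """Split a raw byte buffer into (type, version, payload) TLS records."""
    recs, i = [], 0
    while i + 5 <= len(buf):
        ctype, maj, minor, length = struct.unpack("!BBBH", buf[i:i + 5])
        if i + 5 + length > len(buf):
            break  # truncated trailing record; ignore it
        recs.append((ctype, (maj, minor), buf[i + 5:i + 5 + length]))
        i += 5 + length
    return recs


def classify(response):
    """Verdict from the bytes the server sent after the early CCS.

    'rejected': alert unexpected_message (or any other alert), the early CCS was refused.
    'accepted': handshake kept going, or a later bad_record_mac / decryption_failed,
                i.e. the server switched to keys derived from an empty master secret.
    'silent'  : no record at all (close or timeout); the library dropped the CCS
                without an alert. This is the iLO 4 case from the thread and must
                not be reported as 'accepted' on its own.
    """
    recs = parse_records(response)
    if not recs:
        return "silent"
    for ctype, _, payload in recs:
        if ctype == CT_ALERT and len(payload) >= 2:
            if payload[1] in (ALERT_BAD_RECORD_MAC, ALERT_DECRYPTION_FAILED):
                return "accepted"
            return "rejected"
        if ctype in (CT_CCS, CT_HANDSHAKE):
            return "accepted"
    return "silent"


def _recv_some(sock):
    """Read whatever is available before the socket timeout; b'' on timeout/close."""
    try:
        return sock.recv(65536)
    except socket.timeout:
        return b""


def probe(host, port=443, timeout=3.0):
    """Live probe: ClientHello, wait for ServerHelloDone, send early CCS twice, classify."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(client_hello())
        flight = b""
        while b"\x0e\x00\x00\x00" not in flight:  # ServerHelloDone: type 14, length 0
            chunk = _recv_some(s)
            if not chunk:
                return "silent"
            flight += chunk
        version = parse_records(flight)[0][1]        # reuse the server's record version
        s.sendall(tls_record(CT_CCS, b"\x01", version))
        reply = _recv_some(s)
        if not reply:                                 # no immediate alert: nudge once more
            s.sendall(tls_record(CT_CCS, b"\x01", version))
            reply = _recv_some(s)
        return classify(reply)


if __name__ == "__main__":
    import sys
    print(probe(sys.argv[1], int(sys.argv[2]) if len(sys.argv) > 2 else 443))
```

Run it as `python ccs_probe.py <ilo-address>`; a result of `silent` is exactly the situation the reply describes, and should be reported as "could not determine" rather than as a confirmed CVE-2014-0224 finding until the vendor's library is checked by other means.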