ProLiant Servers (ML,DL,SL)
Chris_Drake
Advisor

iLo5 default user "admin" with password "password" - what is this for? How do I change it?

So I just ran hponcfg -a -w and I see this in the output:

   <LOGIN USER_LOGIN="admin" PASSWORD="password">

That's not my username or password (which I do correctly see in the <ADD_USER> section of the XML later).

What are the above credentials used for?  How do I change those?

Anu_K
HPE Pro


Hello,

I found the below information while going through the iLO 5 Scripting guide.

"For security reasons, the default user administrator and user passwords are not captured in the configuration file or returned in the response. A variable is provided in its place to use with the substitute option to provide a default password for all users when restoring a configuration. Manually change the password before using the file to restore the configuration."

For more information you may refer to the HPE iLO 5 Scripting and Command Line Guide pg.27 (https://support.hpe.com/hpesc/public/docDisplay?docId=a00018323en_us)

Hope it helps!

 

Note: "While I am an HPE Employee, all of my comments (whether noted or not), are my own and are not any official representation of the company."

I am an HPE Employee


Chris_Drake
Advisor


Hi - I am aware of that - and the name of the variable for passwords is " %user_password% "

Note also on the top of that same page that it explains that all variables are wrapped in % signs.

So "password" is not a variable - it is the actual password, in the clear.

Can you please find out what this is for?  I have in the past reverse-engineered firmware for a few different devices like this, and in EVERY case so far, I have ALWAYS found a back-door of this kind - from the fact that this is in the XML dump, it shows that there is almost certainly an admin endpoint that is going to provide access to anyone who stuffs those credentials in.  So - we all need to know, no guessing, no "maybe", exactly what those credentials are for.  Maybe it's a web console? or a serial port login? or a mainboard firmware I2C plug? or maybe something else - the point here is that it's stored in the iLo EEPROM for some kind of reason, and a password of "password" is NEVER secure. 

Never using simplistic hardcoded default passwords is literally the #1 recommendation of every IoT security best-practice guide there is.

ManBha
HPE Pro


Hello,

The iLO default login and password are on the server pull tab on the server.

https://support.hpe.com/hpesc/public/docDisplay?docId=sf000046874en_us&docLocale=en_US

Thanks.

I work for HPE.
[Any personal opinions expressed are mine, and not official statements on behalf of Hewlett Packard Enterprise]


Chris_Drake
Advisor


Not funny.

Since your tag says you work for HPE, how about you get in touch with your firmware team and ask them what service accepts the credentials that are dumped out from the iLo with the username "admin" and the password "password".

You know - like - EXACTLY WHAT MY QUESTION ASKED IN THE FIRST PLACE.

The whole mess smells like a wormable CVE exploit just waiting for the baddies to find out, because nobody at HPE seem to care.

mysy
Valued Contributor


Have you tried using it (the info you dumped out) to log in to your server?

I tried using that kind of info to log in to the server, admin/password.

It doesn't work...

The easy way to break the iLO login is the hard way: changing the jumper pin on the motherboard.

Chris_Drake
Advisor


Logins that I know of include:

a) The iLo web console

b) SSH

c) Serial

d) SPI/I2C onboard serial-console headers

I've tested (a) and (b) - not sure how to test (c). Do not have physical access to test (d) [my box is in a DC in another country].  You miss the point of my question though.  The iLo stores this data, so that must be the username and password for SOMETHING - the problem here is that nobody at HPE is telling us WHAT that something actually IS.  - it's not (a) or (b).

HPE - are you listening? - WHAT ARE THOSE CREDENTIALS **FOR** ?

hunter86_bg
Frequent Advisor


Those credentials are to be replaced by the end user... If you are suspecting that HPE will put a backdoor on purpose, better change the vendor.

By the way, you can always use hydra to try and bruteforce the ilo.
Chris_Drake
Advisor


I am the end user.  The problem is that there is NO PLACE where those credentials can be replaced (see the manual page 351 I think - it lists "N/A" in the column for where we can administer those credentials).

Nobody here is even trying to address my actual question.  Why is this so hard to understand.

What are these credentials FOR ?

Nobody puts the effort into adding XML fields to save and restore credentials that have no purpose, so HOW do we find out what that PURPOSE is.

Humans make mistakes - I'm not saying this is a deliberate back door, but I *am* saying that this definitely looks like an accidental one.  "Never use default credentials" is literally the #1 rule of embedded security.  I paid $12,000 for my server - I do not appreciate the fact that nobody at HPE seems to care one iota about my security here.

KevinSpringPM
HPE Pro


So you're not actually pulling admin and password from the eeprom when you use the -w flag. When you use -w, iLO won't give you the system's user and PW and instead puts those placeholders into the XML for you so that if you want to use that XML to script changes in the future, you can add in the appropriate user and PW in those spots in order for the script to run. You can see the same type of thing in our XML example scripts https://support.hpe.com/hpesc/public/swd/detail?swItemId=MTX_1cb36523d7474ac79a4a6c5d71  


I'm an HPE Product Manager

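An added example, not code from this thread or from HPE, to make the two explanations above (the scripting-guide quote about the substitute variable, and the product manager's note that hponcfg -a -w writes placeholders rather than real credentials) concrete. It parses a constructed RIBCL fragment shaped like the dump quoted in the question, lists every LOGIN/ADD_USER element that still carries the admin/password placeholder or the %user_password% variable, and fills in real credentials before the file is fed back with hponcfg -f. The sample XML, the RIBCL and USER_INFO wrapper elements, and all account names and passwords are assumptions for illustration, not values taken from a real iLO export.

```python
import xml.etree.ElementTree as ET

# Placeholder the thread shows hponcfg -a -w writing into the LOGIN element.
# It is not a stored credential; the real iLO passwords are never exported.
PLACEHOLDER_LOGIN = ("admin", "password")
# Substitute-option variable named in the iLO 5 Scripting guide quote above.
USER_PASSWORD_VAR = "%user_password%"

# Constructed sample (assumption): shaped like the hponcfg -a -w output quoted
# in the question, with two ADD_USER entries. Not a real export.
SAMPLE_DUMP = """<RIBCL VERSION="2.0">
  <LOGIN USER_LOGIN="admin" PASSWORD="password">
    <USER_INFO MODE="write">
      <ADD_USER USER_NAME="Operator" USER_LOGIN="ops" PASSWORD="%user_password%">
        <ADMIN_PRIV value="N"/>
      </ADD_USER>
      <ADD_USER USER_NAME="Chris" USER_LOGIN="chris" PASSWORD="%user_password%">
        <ADMIN_PRIV value="Y"/>
      </ADD_USER>
    </USER_INFO>
  </LOGIN>
</RIBCL>
"""


def find_placeholders(xml_text):
    """Return (tag, USER_LOGIN, PASSWORD) for every credential-bearing element
    that still holds the admin/password placeholder or a %...% substitute
    variable. An empty list means the file is safe to load."""
    root = ET.fromstring(xml_text)
    hits = []
    for el in root.iter():
        if el.tag not in ("LOGIN", "ADD_USER", "MOD_USER"):
            continue
        login = el.get("USER_LOGIN")
        pw = el.get("PASSWORD", "")
        is_variable = pw.startswith("%") and pw.endswith("%")
        if (login, pw) == PLACEHOLDER_LOGIN or is_variable:
            hits.append((el.tag, login, pw))
    return hits


def fill_credentials(xml_text, script_login, script_password, user_passwords):
    """Replace the LOGIN placeholder with the account the script should run as,
    and each ADD_USER %user_password% with the per-user password from
    user_passwords (keyed by USER_LOGIN). Refuses to substitute the placeholder
    value itself and raises if any user is missing, so no default password
    can reach the iLO by accident. Returns the filled XML as a string."""
    if script_password == PLACEHOLDER_LOGIN[1]:
        raise ValueError("refusing to use the placeholder password")
    root = ET.fromstring(xml_text)
    for el in root.iter("LOGIN"):
        if (el.get("USER_LOGIN"), el.get("PASSWORD")) == PLACEHOLDER_LOGIN:
            el.set("USER_LOGIN", script_login)
            el.set("PASSWORD", script_password)
    for el in root.iter("ADD_USER"):
        if el.get("PASSWORD") == USER_PASSWORD_VAR:
            login = el.get("USER_LOGIN")
            if login not in user_passwords:
                raise ValueError(f"no password supplied for user {login!r}")
            if user_passwords[login] == PLACEHOLDER_LOGIN[1]:
                raise ValueError(f"placeholder password rejected for {login!r}")
            el.set("PASSWORD", user_passwords[login])
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    # Hypothetical credentials for the demonstration run.
    print("placeholders before:", find_placeholders(SAMPLE_DUMP))
    filled = fill_credentials(
        SAMPLE_DUMP, "Administrator", "Long-Script-Passw0rd",
        {"ops": "Ops-Passw0rd-2024", "chris": "Chris-Passw0rd-2024"},
    )
    print("placeholders after:", find_placeholders(filled))
    # Write with owner-only permissions; the filled file holds real passwords,
    # so delete it once hponcfg -f has loaded it.
```

The filled output contains real passwords, so write it with mode 0600, load it once with hponcfg -f, and remove it; running find_placeholders on the result first confirms that nothing equal to admin/password or a %variable% is about to be pushed to the iLO.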