More information on iLOBleed Rootkit

steez
Frequent Advisor

Hello everyone,

As you all may know, an iLO security risk named iLOBleed Rootkit has been published by various sources.

Is there a KB, advisory or any other document from HPE acknowledging the issue? What is the likelihood of the systems getting infected? When should we receive an update for this threat, and is there a CVSS score for this?

Unfortunately I couldn't find any information about this threat, except for the non-HPE sources.

Johnmcc215
Occasional Visitor

Re: More information on iLOBleed Rootkit

https://securityaffairs.co/wordpress/126157/malware/ilobleed-wiper-hp-servers.html

Have been checking for an update since I read about this.

Johnmcc215
Occasional Visitor

Re: More information on iLOBleed Rootkit

tashika92
Occasional Visitor

Re: More information on iLOBleed Rootkit

Has anybody got any more information about this? At the moment all I can see are just copies of different articles on different websites.

It's pretty hard for an MSP to monitor customers' iLO. Anybody got any tips or tricks to do this?

If you want to upgrade firmware, do you need a valid warranty from HPE?

thanks

Tom

Torsten.
Acclaimed Contributor

Re: More information on iLOBleed Rootkit

Avoid running old, outdated firmware.

Keep the firmware current

https://support.hpe.com/hpesc/public/swd/detail?swItemId=MTX_97f5079671c84a11ac776a92cb


Hope this helps!
Regards
Torsten.

__________________________________________________
There are only 10 types of people in the world -
those who understand binary, and those who don't.

__________________________________________________
No support by private messages. Please ask the forum!

Tired_Admin
Occasional Visitor

Re: More information on iLOBleed Rootkit

Is the issue actually resolved in updated firmware? I can't find anything from HPE to say it is.

Superscouser
Established Member

Re: More information on iLOBleed Rootkit

techin
Regular Advisor

Re: More information on iLOBleed Rootkit

Tired_Admin
Occasional Visitor
Solution

Re: More information on iLOBleed Rootkit

I had opened a ticket with HPE support for this and they confirmed it was patched in 2017, as a previous poster reported.

Greetings from HPE!


This is regarding the above mentioned HPE case.

The rootkit named iLOBleed is based on the malware module Implant.ARM.iLOBleed discovered in the iLO firmware.

The security vulnerability affects HPE Integrated Lights-out 4 (iLO 4) and was previously disclosed and patched in 2017. HPE Integrated Lights-out 5 (iLO 5) is not affected.

Actions: HPE provided firmware updates in 2017 to resolve the HPE Integrated Lights-out vulnerability. Customers need to follow the remedial steps previously provided in 2017 to upgrade HPE Integrated Lights-out 4 (iLO4). See the security bulletin mentioned below:

This is an exploit of a vulnerability that was disclosed and patched in 2017.

For More Information: The following security bulletin published under CVE (CVE-2017-12542) provides more information and remedial steps to upgrade HPE Integrated Lights-out 4 (iLO 4).

HPE Integrated Lights-out 4 (iLO 4), and Moonshot Multiple Remote Vulnerabilities - https://support.hpe.com/hpesc/public/docDisplay?docLocale=en_US&docId=hpesbhf03769en_us

Nafisi
Occasional Visitor

Re: More information on iLOBleed Rootkit

Hi
I'm from Amnpardaz, which found the rootkit.

I want to clarify some important points which, I think, if missed, will leave you believing you're safe while you are not.

1 - We've seen fully patched G7 to G9 and even G10 servers' firmware affected by these attacks, while the persistent malware (aka iLOBleed) was currently found only in iLO-4 (G8, G9).

2 - You're not safe even if you've applied the latest patches, because:

a) If your firmware is infected before you upgrade it, the malware will simulate the firmware upgrade process. You'll notice nothing wrong and think you're safe and using the latest patches, while you're not.

b) If you're lucky and have upgraded the firmware before any infections occurred, you're still at risk: HP servers allow downgrading firmware to lower vulnerable versions. So all it takes for the attacker is to downgrade, infect and upgrade it for you.

3 - There is a mechanism in G10 servers (iLO 5) to prevent downgrade. But this is not enabled by default and you have to enable it manually, which maybe you should do right now. (Older servers don't have this option, and unless I missed something, there is no way to protect them that I know of)

4 - Currently there is no trusted way to "directly" verify a server's firmware. In fact, there is no way to verify it at all. For this we're publishing a tool soon.
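Putting the HPE answer above (CVE-2017-12542, iLO 4 only) together with Amnpardaz's caveats, here is an added example, not code from this thread, HPE or Amnpardaz, that reads an iLO's self-reported firmware version over Redfish and flags the conditions both posts describe. The Redfish path, iLO's `FirmwareVersion` string format and the `MIN_FIXED_ILO4` placeholder are assumptions; the real threshold must be copied from the HPE bulletin linked above.

```python
"""Added example, not code from this thread, HPE or Amnpardaz: triage an iLO's
self-reported firmware version from its Redfish Managers resource."""
import base64
import json
import re
import urllib.request

# Assumption: copy the minimum fixed iLO 4 version from HPE bulletin
# hpesbhf03769en_us (CVE-2017-12542); "0.0" is only a placeholder.
MIN_FIXED_ILO4 = "0.0"
# Constructed samples shaped like an iLO /redfish/v1/Managers/1 reply
# (standard Redfish "FirmwareVersion"; iLO's string format is an assumption).
SAMPLE_ILO4 = json.dumps({"Id": "1", "FirmwareVersion": "iLO 4 v2.30"})
SAMPLE_ILO5 = json.dumps({"Id": "1", "FirmwareVersion": "iLO 5 v2.10"})

def _ver(s: str) -> tuple:
    return tuple(int(p) for p in s.split("."))

def parse_firmware(manager_json: str) -> tuple:
    """Return (iLO generation, version tuple) from the FirmwareVersion field."""
    fw = json.loads(manager_json)["FirmwareVersion"]
    m = re.match(r"iLO\s*(\d+)\s*v?(\d+(?:\.\d+)*)", fw)
    if not m:
        raise ValueError(f"unrecognised FirmwareVersion: {fw!r}")
    return int(m.group(1)), _ver(m.group(2))

def assess(manager_json: str, min_fixed: str = MIN_FIXED_ILO4) -> dict:
    """Flag the conditions discussed in the thread; a clean result is not proof."""
    gen, version = parse_firmware(manager_json)
    findings = []
    if gen == 4:
        if version < _ver(min_fixed):
            findings.append("iLO 4 below CVE-2017-12542 fixed version: update per bulletin")
        # Amnpardaz: an infected iLO 4 can fake the upgrade and cannot block a
        # downgrade, so a current self-reported version is not evidence of integrity.
        findings.append("iLO 4: self-reported version; downgrade cannot be blocked")
    elif gen == 5:
        findings.append("iLO 5: not affected by CVE-2017-12542; enable downgrade prevention")
    return {"generation": gen, "version": version, "findings": findings}

def fetch_manager(host: str, user: str, password: str) -> str:
    """Live query of /redfish/v1/Managers/1 over HTTPS with HTTP basic auth."""
    req = urllib.request.Request(f"https://{host}/redfish/v1/Managers/1")
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req.add_header("Authorization", f"Basic {token}")
    with urllib.request.urlopen(req, timeout=10) as resp:  # needs a valid TLS cert
        return resp.read().decode()
```

Run `assess(fetch_manager(host, user, password))` per iLO from the management network; treat the output as an inventory aid, since the version string comes from the very firmware whose integrity is in question.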