More information on iLOBleed Rootkit
01-03-2022 02:28 AM - last edited on 01-05-2022 09:36 PM by support_s
Hello everyone,
As you all may know an iLO security risk has been published by various sources named iLOBleed Rootkit.
Is there a KB, Advisory or any other document from HPE acknowledging the issue? What is the likelihood of the systems getting infected? When should we receive an update for this threat, and is there a CVSS score for this?
Unfortunately I couldn't find any information about this threat, except for the non-HPE sources.
01-03-2022 01:07 PM - edited 01-03-2022 01:51 PM
Re: More information on iLOBleed Rootkit
https://securityaffairs.co/wordpress/126157/malware/ilobleed-wiper-hp-servers.html
Have been checking for an update since I read about this.
01-03-2022 02:24 PM
Re: More information on iLOBleed Rootkit
Actually, seems HPE disclosed this in 2018.
01-04-2022 06:43 AM
Re: More information on iLOBleed Rootkit
Has anybody got any more information about this? At the moment all I can see is just copies of different articles on different websites.
It's pretty hard for an MSP to monitor customers' iLOs. Anybody got any tips or tricks to do this?
If you want to upgrade firmware, do you need a valid warranty from HPE?
thanks
Tom
01-04-2022 07:18 AM
Re: More information on iLOBleed Rootkit
Avoid running old, outdated firmware.
Keep the firmware current
https://support.hpe.com/hpesc/public/swd/detail?swItemId=MTX_97f5079671c84a11ac776a92cb
Hope this helps!
Regards
Torsten.
__________________________________________________
There are only 10 types of people in the world -
those who understand binary, and those who don't.
__________________________________________________
No support by private messages. Please ask the forum!
If you feel this was helpful please click the KUDOS! thumb below!
01-04-2022 12:41 PM
Re: More information on iLOBleed Rootkit
Is the issue actually resolved in updated firmware? I can't find anything from HPE to say it is.
01-04-2022 01:45 PM
Re: More information on iLOBleed Rootkit

01-04-2022 09:53 PM
Re: More information on iLOBleed Rootkit
01-05-2022 10:29 AM
I had opened a ticket with HPE support for this and they confirmed it was patched in 2017, as a previous poster reported.
Greetings from HPE!
This is regarding the above mentioned HPE case.
The rootkit named iLOBleed is based on the malware module Implant.ARM.iLOBleed discovered in the iLO firmware.
The security vulnerability affects HPE Integrated Lights-out 4 (iLO 4) and was previously disclosed and patched in 2017. HPE Integrated Lights-out 5 (iLO 5) is not affected.
Actions: HPE provided firmware updates in 2017 to resolve the HPE Integrated Lights-out vulnerability. Customers need to follow the remedial steps previously provided in 2017 to upgrade HPE Integrated Lights-out 4 (iLO4). See the security bulletin mentioned below:
This is an exploit of a vulnerability that was disclosed and patched in 2017.
For More Information: The following security bulletin, published under CVE-2017-12542, provides more information and remedial steps to upgrade HPE Integrated Lights-out 4 (iLO 4).
HPE Integrated Lights-out 4 (iLO 4), and Moonshot Multiple Remote Vulnerabilities - https://support.hpe.com/hpesc/public/docDisplay?docLocale=en_US&docId=hpesbhf03769en_us
01-14-2022 04:22 AM
Re: More information on iLOBleed Rootkit
Hi
I'm from Amnpardaz, which found the rootkit.
I want to clarify some important points that I think, if missed, will make you believe you're safe while you are not.
1 - We've seen fully patched G7 to G9 and even G10 servers' firmware affected by these attacks, while the persistent malware (aka iLOBleed) was currently found only in iLO-4 (G8, G9).
2 - You're not safe even if you've applied the latest patches, because:
a) If your firmware is infected before you upgrade it, the malware will simulate the firmware upgrade process. You'll notice nothing wrong and think you're safe and using the latest patches, while you're not.
b) If you're lucky and have upgraded the firmware before any infections occurred, you're still at risk: HP servers allow downgrading firmware to lower vulnerable versions. So all it takes for the attacker is to downgrade, infect and upgrade it for you.
3 - There is a mechanism in G10 servers (iLO 5) to prevent downgrade. But this is not enabled by default and you have to enable it manually, which maybe you should do right now. (Older servers don't have this option, and unless I missed something, there is no way to protect them that I know of.)
4 - Currently there is no trusted way to "directly" verify a server's firmware. In fact, there is no way to verify it at all. For this we're publishing a tool soon.
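The following is an added example, not code from HPE, Amnpardaz or any poster in this thread. It addresses Tom's question about monitoring customers' iLOs while respecting the caveats in the post above: it triages Redfish Manager records from a fleet (flagging iLO 4 units below a fixed version and iLO 5 units where downgrade protection should be turned on) and, because the thread says an infected iLO can fake an upgrade and an attacker can downgrade then re-upgrade, it also scans an inventory history for any decrease in the reported version. Assumptions: the Redfish Manager resource exposes the standard `FirmwareVersion` property and iLO formats it as `iLO 4 v2.xx` / `iLO 5 v2.xx`; the minimum fixed iLO 4 version is a placeholder that must be taken from bulletin hpesbhf03769en_us; all sample responses and hostnames are constructed.

```python
"""Fleet-wide triage of iLO firmware reports (added example, not HPE's or Amnpardaz's code).

Assumptions: /redfish/v1/Managers/1 exposes the standard "FirmwareVersion" property and
iLO formats it as "iLO 4 v2.xx" / "iLO 5 v2.xx"; MIN_ILO4_VERSION is a PLACEHOLDER to be
replaced with the fixed version named in HPE bulletin hpesbhf03769en_us. Sample data is constructed.
"""
import re
from typing import Dict, List, Optional, Tuple

# PLACEHOLDER: confirm against the HPE bulletin before relying on this value.
MIN_ILO4_VERSION: Tuple[int, int] = (2, 53)

_VERSION_RE = re.compile(r"iLO\s*(\d)\s*v?(\d+)\.(\d+)", re.IGNORECASE)


def parse_ilo_version(firmware_version: str) -> Optional[Tuple[int, Tuple[int, int]]]:
    """Return (iLO generation, (major, minor)) from a FirmwareVersion string, or None."""
    m = _VERSION_RE.search(firmware_version or "")
    if not m:
        return None
    return int(m.group(1)), (int(m.group(2)), int(m.group(3)))


def assess_manager(manager: Dict, min_ilo4: Tuple[int, int] = MIN_ILO4_VERSION) -> Dict:
    """Classify one Redfish Manager record; findings are defender-side actions only."""
    host = manager.get("_host", "unknown")  # "_host" is our own annotation, not a Redfish field
    parsed = parse_ilo_version(manager.get("FirmwareVersion", ""))
    findings: List[str] = []
    if parsed is None:
        return {"host": host, "generation": None, "version": None,
                "findings": ["unparseable FirmwareVersion; inspect manually"]}
    gen, ver = parsed
    if gen == 4:
        if ver < min_ilo4:
            findings.append("iLO 4 below fixed version for CVE-2017-12542; update now")
        # Per the thread, an infected iLO can simulate the upgrade, so a current
        # self-reported version is not proof of a clean firmware image.
        findings.append("iLO 4 version is self-reported; verify out-of-band")
        findings.append("no downgrade protection on iLO 4; watch for version decreases")
    elif gen == 5:
        findings.append("iLO 5 not affected by CVE-2017-12542; enable downgrade protection")
    return {"host": host, "generation": gen, "version": ver, "findings": findings}


def detect_downgrades(history: Dict[str, List[Tuple[str, str]]]) -> List[Tuple[str, str, str, str]]:
    """Given per-host (timestamp, FirmwareVersion) samples in time order, return
    (host, timestamp, previous, current) for every decrease in the reported version.
    A decrease is the visible trace of the downgrade-then-reinfect sequence described above."""
    events: List[Tuple[str, str, str, str]] = []
    for host, samples in history.items():
        prev = None  # (raw string, parsed) of the last parseable sample
        for ts, fw in samples:
            cur = parse_ilo_version(fw)
            if prev and cur and cur[0] == prev[1][0] and cur[1] < prev[1][1]:
                events.append((host, ts, prev[0], fw))
            if cur:
                prev = (fw, cur)
    return events


# Constructed sample Manager records, trimmed to the fields used here.
SAMPLE_MANAGERS = [
    {"_host": "ilo-a.example.internal", "Model": "iLO 4", "FirmwareVersion": "iLO 4 v2.50"},
    {"_host": "ilo-b.example.internal", "Model": "iLO 4", "FirmwareVersion": "iLO 4 v2.73"},
    {"_host": "ilo-c.example.internal", "Model": "iLO 5", "FirmwareVersion": "iLO 5 v2.33"},
]

# Constructed inventory history: ilo-b's reported version goes backwards on one run.
SAMPLE_HISTORY = {
    "ilo-b.example.internal": [
        ("2022-01-03T00:00Z", "iLO 4 v2.73"),
        ("2022-01-04T00:00Z", "iLO 4 v2.50"),
        ("2022-01-05T00:00Z", "iLO 4 v2.73"),
    ],
    "ilo-c.example.internal": [
        ("2022-01-03T00:00Z", "iLO 5 v2.33"),
        ("2022-01-05T00:00Z", "iLO 5 v2.33"),
    ],
}


def assess_fleet(managers: List[Dict] = SAMPLE_MANAGERS) -> List[Dict]:
    """Run assess_manager over every record in the fleet inventory."""
    return [assess_manager(m) for m in managers]


if __name__ == "__main__":
    for r in assess_fleet():
        print(r["host"], r["generation"], r["version"], "; ".join(r["findings"]))
    for host, ts, before, after in detect_downgrades(SAMPLE_HISTORY):
        print(f"DOWNGRADE {host} at {ts}: {before} -> {after}")
```

In practice the records come from an authenticated GET of `/redfish/v1/Managers/1` on each iLO, stored per run; the history scan is what catches the downgrade-and-reinfect pattern that a single point-in-time version check misses, and no result here is treated as proof that a unit is clean.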