Re: More information on iLOBleed Rootkit

steez · ‎01-03-2022

Hello everyone,

As you all may know an iLO security risk has been published by various sources named iLOBleed Rootkit.

Is there a KB, Advisory or any other document from HPE acknowledging the issue? What is the likelyhood of the systems to get infected? When should we receive an update for this threat and is there a CVS score for this?

Unfortunately I couldn't find any information about this threat, except for the non-HPE sources.

Johnmcc215 · ‎01-03-2022

https://securityaffairs.co/wordpress/126157/malware/ilobleed-wiper-hp-servers.html

Have been checking for an update since i read about this.

Johnmcc215 · ‎01-03-2022

Actually, seems HPE disclosed this in 2018.

https://www.techtarget.com/searchsecurity/news/252511500/Threat-actors-target-HPE-iLO-hardware-with-rootkit-attack

tashika92 · ‎01-04-2022

Is anybody got any more information about this? At the moment all I can see just copies of different articles on different websites.

It's pretty hard for an MSP to monitor customers ILO. Anybody got any tips or tricks to do this?

If you want or upgrade firmware do you need a valid warranty from HPE?

thanks

Tom

Torsten. · ‎01-04-2022

Avoid running old outdated firmware-

Keep the firmware current

https://support.hpe.com/hpesc/public/swd/detail?swItemId=MTX_97f5079671c84a11ac776a92cb

Hope this helps!
Regards
Torsten.

__________________________________________________
There are only 10 types of people in the world -
those who understand binary, and those who don't.
__________________________________________________
No support by private messages. Please ask the forum!

If you feel this was helpful please click the KUDOS! thumb below!

Tired_Admin · ‎01-04-2022

Is the issue actually resolved in updated firmware? I cant find anything from HPE to say it is

Superscouser · ‎01-04-2022

HPESBHF03769 rev.2 - HPE Integrated Lights-out 4 (iLO 4), and Moonshot Multiple Remote Vulnerabilities

David J Pierce

techin · ‎01-04-2022

Read this sometime back:

https://www.hpe.com/us/en/insights/articles/rise-in-attacks-exposes-neglected-firmware-security-2111.html

Tired_Admin · ‎01-05-2022

I had opened a ticket with HPE support for this and they confirmed it was patched in 2017 as a previous poster reported

Greetings from HPE!

This is regarding the above mentioned HPE case.

The rootkit named iLOBleed is based on the malware module Implant.ARM.iLOBleed discovered in the iLO firmware.

The security vulnerability affects HPE Integrated Lights-out 4 (iLO 4) and was previously disclosed and patched in 2017. HPE Integrated Lights-out 5 (iLO 5) is not affected.

Actions: HPE provided firmware updates in 2017 to resolve the HPE Integrated Lights-out vulnerability. Customers need to follow the remedial steps previously provided in 2017 to upgrade HPE Integrated Lights-out 4 (iLO4). See the security bulletin mentioned below:

This is an exploit of a vulnerability that was disclosed and patched in 2017.

For More Information: The following security bulletin published under CVE (CVE-2017-12542) provide more information and remedial steps to upgrade HPE Integrated Lights-out 4 (iLO 4).

HPE Integrated Lights-out 4 (iLO 4), and Moonshot Multiple Remote Vulnerabilities - https://support.hpe.com/hpesc/public/docDisplay?docLocale=en_US&docId=hpesbhf03769en_us

Nafisi · ‎01-14-2022

Hi
I'm from Amnpardaz, which found the rootkit.

I want to clarify some important points that i think if missed, you'll beleive you're safe while you are not.

1 - We've seen fully patched G7 to G9 and even G10 servers' firmware affected by these attacks, while the persistent malware (aka iLOBleed) was currently found only in iLO-4 (G8, G9).

2 - You're not safe even if you've applied the latest patches, because:

a) If your firmware is infected before you upgrade it, the malware will simulate the firmware upgrade process. You'll notice nothing wrong and think you're safe and using the latest patches, while you're not.

b) If you're lucky and have upgraded the firmware before any infections occurred, you're still at risk: HP servers allow downgrading firmware to lower vulnerable versions. So all it takes for the attacker is to downgrade, infect and upgrade it for you.

3 - There is a mechanism in G10 servers (iLO 5) to prevent downgrade. But this is not enabled by default and you have to enable it manually, which maybe you should do right now. (Older servers don't have this option, and until I missed something, there is no way to protect them that I know of)

4 - Currently there is no trusted way to "directly" verify a server's firmware. In fact, there is no way to verify it at all. For this we're publishing a tool soon.

Categories

Company

Local Language

Forums

Discussions

Forums

Discussions

Discussions

Forums

Discussions

Forums

Discussions

Forums

Forums

Discussions

Forums

Discussions

Forums

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Community

Resources

Other HPE Sites

Discussions

Forums

Blogs

Re: More information on iLOBleed Rootkit

More information on iLOBleed Rootkit