More information on iLOBleed Rootkit
01-03-2022 02:28 AM - last edited on 01-05-2022 09:36 PM by support_s
Hello everyone,
As you all may know, an iLO security risk has been published by various sources named iLOBleed Rootkit.
Is there a KB, Advisory or any other document from HPE acknowledging the issue? What is the likelihood of the systems to get infected? When should we receive an update for this threat and is there a CVSS score for this?
Unfortunately I couldn't find any information about this threat, except for the non-HPE sources.
01-03-2022 01:07 PM - edited 01-03-2022 01:51 PM
Re: More information on iLOBleed Rootkit
https://securityaffairs.co/wordpress/126157/malware/ilobleed-wiper-hp-servers.html
Have been checking for an update since I read about this.
01-03-2022 02:24 PM
Re: More information on iLOBleed Rootkit
Actually, seems HPE disclosed this in 2018.
01-04-2022 06:43 AM
Re: More information on iLOBleed Rootkit
Has anybody got any more information about this? At the moment all I can see is just copies of different articles on different websites.
It's pretty hard for an MSP to monitor customers' iLO. Anybody got any tips or tricks to do this?
If you want to upgrade firmware, do you need a valid warranty from HPE?
Thanks
Tom
01-04-2022 07:18 AM
Re: More information on iLOBleed Rootkit
Avoid running old outdated firmware-
Keep the firmware current
https://support.hpe.com/hpesc/public/swd/detail?swItemId=MTX_97f5079671c84a11ac776a92cb
Hope this helps!
Regards
Torsten.
__________________________________________________
There are only 10 types of people in the world -
those who understand binary, and those who don't.
__________________________________________________
No support by private messages. Please ask the forum!
If you feel this was helpful please click the KUDOS! thumb below!

01-04-2022 12:41 PM
Re: More information on iLOBleed Rootkit
Is the issue actually resolved in updated firmware? I can't find anything from HPE to say it is.
01-04-2022 01:45 PM
Re: More information on iLOBleed Rootkit
01-04-2022 09:53 PM
Re: More information on iLOBleed Rootkit
01-05-2022 10:29 AM
Solution
I had opened a ticket with HPE support for this and they confirmed it was patched in 2017 as a previous poster reported.
Greetings from HPE!
This is regarding the above mentioned HPE case.
The rootkit named iLOBleed is based on the malware module Implant.ARM.iLOBleed discovered in the iLO firmware.
The security vulnerability affects HPE Integrated Lights-out 4 (iLO 4) and was previously disclosed and patched in 2017. HPE Integrated Lights-out 5 (iLO 5) is not affected.
Actions: HPE provided firmware updates in 2017 to resolve the HPE Integrated Lights-out vulnerability. Customers need to follow the remedial steps previously provided in 2017 to upgrade HPE Integrated Lights-out 4 (iLO4). See the security bulletin mentioned below:
This is an exploit of a vulnerability that was disclosed and patched in 2017.
For More Information: The following security bulletin published under CVE (CVE-2017-12542) provides more information and remedial steps to upgrade HPE Integrated Lights-out 4 (iLO 4).
HPE Integrated Lights-out 4 (iLO 4), and Moonshot Multiple Remote Vulnerabilities - https://support.hpe.com/hpesc/public/docDisplay?docLocale=en_US&docId=hpesbhf03769en_us
01-14-2022 04:22 AM
Re: More information on iLOBleed Rootkit
Hi
I'm from Amnpardaz, which found the rootkit.
I want to clarify some important points that I think, if missed, you'll believe you're safe while you are not.
1 - We've seen fully patched G7 to G9 and even G10 servers' firmware affected by these attacks, while the persistent malware (aka iLOBleed) was currently found only in iLO-4 (G8, G9).
2 - You're not safe even if you've applied the latest patches, because:
a) If your firmware is infected before you upgrade it, the malware will simulate the firmware upgrade process. You'll notice nothing wrong and think you're safe and using the latest patches, while you're not.
b) If you're lucky and have upgraded the firmware before any infections occurred, you're still at risk: HP servers allow downgrading firmware to lower vulnerable versions. So all it takes for the attacker is to downgrade, infect and upgrade it for you.
3 - There is a mechanism in G10 servers (iLO 5) to prevent downgrade. But this is not enabled by default and you have to enable it manually, which maybe you should do right now. (Older servers don't have this option, and unless I missed something, there is no way to protect them that I know of)
4 - Currently there is no trusted way to "directly" verify a server's firmware. In fact, there is no way to verify it at all. For this we're publishing a tool soon.
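
For the MSP monitoring question and the downgrade-then-upgrade scenario raised in this thread, an added example (not part of any post above, and not HPE or Amnpardaz code): a Python check over periodically collected iLO firmware-version snapshots that flags version regressions and iLO 4 units below an operator-supplied minimum. The `FirmwareVersion` string format, host names, snapshot data and `PLACEHOLDER_MIN_ILO4` are assumptions constructed for illustration; as the last post notes, a compromised iLO can misreport its version, so a clean result is not proof of integrity.

```python
import re
from collections import defaultdict

# Assumed format of the Redfish Manager "FirmwareVersion" string.
FW_RE = re.compile(r"iLO (\d+) v(\d+)\.(\d+)")

# Placeholder only, not the real fixed version: take the actual minimum
# iLO 4 version from the HPE security bulletin referenced in the thread.
PLACEHOLDER_MIN_ILO4 = (2, 50)

# Constructed snapshots (host, ISO date, FirmwareVersion); not real data.
SNAPSHOTS = [
    ("ilo-a.example", "2021-10-01", "iLO 4 v2.70"),
    ("ilo-a.example", "2021-11-01", "iLO 4 v2.30"),  # regression
    ("ilo-a.example", "2021-11-02", "iLO 4 v2.70"),  # quietly "restored"
    ("ilo-b.example", "2021-10-01", "iLO 4 v2.40"),
    ("ilo-c.example", "2021-10-01", "iLO 5 v2.40"),
    ("ilo-c.example", "2021-11-01", "iLO 5 v2.44"),
    ("ilo-d.example", "2021-11-01", "unknown"),
]

def parse_fw(text):
    """Return (generation, (major, minor)), or None if unparseable."""
    m = FW_RE.fullmatch(text.strip())
    return (int(m.group(1)), (int(m.group(2)), int(m.group(3)))) if m else None

def audit(snapshots, min_ilo4=PLACEHOLDER_MIN_ILO4):
    """Return {host: [findings]} for downgrades, old iLO 4 builds, bad data."""
    findings = defaultdict(list)
    history = defaultdict(list)
    for host, date, fw in sorted(snapshots, key=lambda s: (s[0], s[1])):
        parsed = parse_fw(fw)
        if parsed is None:
            findings[host].append(f"{date}: unparseable version {fw!r}")
            continue
        history[host].append((date, *parsed))
    for host, entries in history.items():
        # Compare each snapshot with the previous one for the same host.
        for (d0, g0, v0), (d1, g1, v1) in zip(entries, entries[1:]):
            if g1 == g0 and v1 < v0:
                findings[host].append(f"{d1}: downgrade {v0} -> {v1}")
        date, gen, ver = entries[-1]
        if gen == 4 and ver < min_ilo4:
            findings[host].append(f"{date}: iLO 4 {ver} below minimum {min_ilo4}")
    return dict(findings)

if __name__ == "__main__":
    for host, items in audit(SNAPSHOTS).items():
        print(host, items)
```

The regression on `ilo-a.example` is only visible because the collector keeps history; checking the current version alone would show it as up to date.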