Re: iLO 4 Ripple20
shenanigans
Occasional Collector

iLO 4 Ripple20

Currently HP lists iLO 2 and 5 on this Ripple20 page, but iLO 4 is not listed. Is HP developing a patch for Ripple20 for iLO 4 devices (HP Gen8 and Gen9 servers in our case)?

https://techhub.hpe.com/eginfolib/securityalerts/Ripple20/Ripple20.html

 

MissionCritical
Senior Member

Re: iLO 4 Ripple20

Our team was wondering this as well. We have a bunch of iLO 3s and 4s showing up on our vulnerability reports, yet on the page you sent, they are not listed. Does anyone know if HPE is working on updating these versions of iLO as well?

rwagenmann
Frequent Visitor

Re: iLO 4 Ripple20

I reached out to HPE Support, who sent me to HPE Cyber Security, who sent me to the HPE Product Security Response Team. They reported the following:

HPE product engineering teams are still in the process of evaluating Ripple20 product impacts, and implementing and testing patches for impacted products. HPE will not disclose impacted products until patches are available for them. HPE PSRT will issue or revise security bulletins and update the Security Vulnerability Alerts Ripple20 web page for impacted products when those patches become available.

It looks like it may be impacted, but HPE hasn't released a fix for it, so they won't confirm it. If you look more into the Nessus scan results, you will see that it's only reporting that the Treck stack was found on that device, not that it was vulnerable. Tenable has a blog post online saying that they will be releasing plugins for the individual vulnerabilities as they develop them. You can see the list of vulnerabilities using this plugin search. Right now, only 137702 is shown, which just detects the stack, but the others should show up over time.

shenanigans
Occasional Collector

Re: iLO 4 Ripple20

Thank you for reaching out to support on our behalf. We will be watching the page for sure.

Ravi2019
HPE Pro

Re: iLO 4 Ripple20

Hello sir,

The iLO 4 security feature for Ripple20 needs to be modified with firmware, or a protective feature written.

Further, to get support on the iLO 4 security feature, kindly reach out to the HPE security support team.

HPE Integrated Lights Out (iLO 4) - Document List

https://internal.support.hpe.com/hpesc/public/docDisplay?docLocale=en_US&docId=a00043732en_us

HPE PRODUCT SECURITY PRACTICES

https://www.hpe.com/in/en/services/security-vulnerability.html

Thank you

Ravi swamy

I am a HPE Employee


rwagenmann
Frequent Visitor

Re: iLO 4 Ripple20

Ravi2019,

I contacted HPE support, and no firmware or confirmation of the vulnerability is available. They did confirm they are still reviewing some products and won't make any statements until a patch is available. The latest iLO 4 firmware is 4.73, which was released before the Ripple20 vulnerabilities were publicized.

Raviswamy
Advisor

Re: iLO 4 Ripple20

Hello Sir,

Thanks for your update.

As the iLO security feature is not available, to further isolate and fix the security feature, what I suggest is to log a support case with HPE.

Regards

Ravi swamy

I am a HPE Employee

rwagenmann
Frequent Visitor

Re: iLO 4 Ripple20

Raviswamy,

As stated in my last reply, I did submit a support case. They said what I included in my reply to shenanigans above.

rwagenmann
Frequent Visitor
Solution

Re: iLO 4 Ripple20

The HPE Product Security Team just notified me that HPE has confirmed the vulnerability with iLO 4 and released firmware 2.75 to fix it. You can download the latest firmware from the HPE Support Center.