HPE Community
ProLiant Servers (ML,DL,SL)
1820258 Members
2965 Online
109622 Solutions
New Discussion

iLO 4 firmware v1.51 & OpenSSL 'ChangeCipherSpec' MiTM Vulnerability

 
pablo808
Occasional Collector

‎07-14-2014 06:13 PM - edited ‎07-14-2014 06:17 PM

‎07-14-2014 06:13 PM - edited ‎07-14-2014 06:17 PM

iLO 4 firmware v1.51 & OpenSSL 'ChangeCipherSpec' MiTM Vulnerability

I have a set of HP DL380p G8 servers with iLO 4.

 

The Nessus security scanners are picking up a high vulnerability on the iLO IP's with the latest firmware v1.51 (23 June 2014) installed

 

OpenSSL 'ChangeCipherSpec' MiTM Vulnerability on TCP/443

CVE-2014-0224

https://www.openssl.org/news/secadv_20140605.txt

 

When can we expect an updated firmware to be released to address this?

 

Thanks.

 

1 person had this problem.
0 Kudos
Reply
4 REPLIES 4
Fer_HP
Occasional Visitor

‎07-23-2014 01:03 AM

‎07-23-2014 01:03 AM

Re: iLO 4 firmware v1.51 & OpenSSL 'ChangeCipherSpec' MiTM Vulnerability

I am having the same problem but I cannot fin any update on the HP website regarding this.

 

I guess we'll need to wait for HP to release a new firmware for iLO4.

 

Btw, I am running 1.51 too.

 

0 Kudos
Reply
Oscar A. Perez
Honored Contributor

‎07-23-2014 06:29 AM - edited ‎07-23-2014 06:31 AM

‎07-23-2014 06:29 AM - edited ‎07-23-2014 06:31 AM

Re: iLO 4 firmware v1.51 & OpenSSL 'ChangeCipherSpec' MiTM Vulnerability

Quick question.

 

Do your iLOs have the self-signed SSL certificate that iLO automatically creates or you have replaced the self-signed certs with your own 'valid' SSL certificates?




__________________________________________________
If you feel this was helpful please click the KUDOS! thumb below!
0 Kudos
Reply
Fer_HP
Occasional Visitor

‎07-25-2014 12:26 AM

‎07-25-2014 12:26 AM

Re: iLO 4 firmware v1.51 & OpenSSL 'ChangeCipherSpec' MiTM Vulnerability

I have  the self-signed SSL certificate that iLO creates by default.

0 Kudos
Reply
Oscar A. Perez
Honored Contributor

‎07-25-2014 06:44 AM - edited ‎09-02-2014 06:39 AM

‎07-25-2014 06:44 AM - edited ‎09-02-2014 06:39 AM

Re: iLO 4 firmware v1.51 & OpenSSL 'ChangeCipherSpec' MiTM Vulnerability

If you have the default self-signed SSL certificate then, you are vulnerable to MiTM attacks no matter what.  

 

So, if you are really into securing your environment, please get those self-signed SSL certificates replaced with SSL certificates signed by your own trusted Certification Authority and also instruct all your users to not ignore Browsers warnings about "untrusted certificates" when login into your iLOs.

 

 

About the CCS Injection vulnerability. Most security scanners are doing a poor job detecting it and this is causing lots of false positives out there, just like in this iLO4 case.  

The scanner is expecting that the SSL server will always send out a SSL alert when an early Change Cipher Spec is received but, some SSL libraries (like the one used in iLO4) would just silently drop the early Change Cipher Spec message and never send out an alert.  

The RFC5246 is not clear about what to do with early Change Cipher Spec messages so, it's been up the each SSL implementation out there to decide what to do with early CCS.

 

 




__________________________________________________
If you feel this was helpful please click the KUDOS! thumb below!
0 Kudos
Reply
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.