Mauro1967
Occasional Contributor

ILO4 security issues

Hi! I already posted this problem 2 weeks ago. I thought it was solved, but unfortunately not yet.

My University is scanning all the campus servers with Nessus Vulnerability Scanner and they are complaining that my ILO4 (now just updated to firmware 2.53 May 03 2017) on ProLiant ML350p Gen8 HP server has a "medium" risk level of vulnerability, so they are asking to solve this issue as soon as possible, to avoid potential attacks.

I enclose the "medium" risk entries of the report: all the problems are connected with the 443/tcp port. It seemed I should update the version of the SSL protocol to improve cipher, encryption and certificate... however, I have just updated OpenSSL as well, to Version : 1.0.1e Release : 57.el6, but the problem persists.

Is anybody able to help me in this respect?

Thank you very much in advance!

Mauro

Oscar A. Perez
Honored Contributor

Re: ILO4 security issues

Nessus is warning you that your iLOs still have those "untrusted" default Self-Signed SSL Certificates that iLO generates automatically.  You need to replace them with new "trusted" SSL Certificates issued by the University's Certification Authority.

The other two issues can be resolved by enabling in iLO an option called "Enforce AES Encryption".




__________________________________________________
If you feel this was helpful please click the KUDOS! thumb below!
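
To confirm both changes from the reply above before the next scan, the following added example (not part of the original thread and not HPE code) handshakes with the iLO on 443/tcp, validates its certificate against a CA bundle, and reports the negotiated cipher. The host name, the CA file path and the assumption that "Enforce AES Encryption" leaves only AES-based suites negotiable are illustrative.

```python
import socket
import ssl

# OpenSSL X.509 verify codes meaning "chain does not end at a CA we trust".
UNTRUSTED_CODES = {
    18: "self-signed certificate",
    19: "self-signed certificate in chain",
    20: "unable to get local issuer certificate",
    21: "unable to verify the first certificate",
}

def probe(host, port=443, cafile=None, timeout=5):
    """Handshake with verification against cafile; if the certificate is
    rejected, retry unverified so protocol and cipher can still be read."""
    result = {"verify_code": 0, "protocol": None, "cipher": None}
    strict = ssl.create_default_context(cafile=cafile)
    lax = ssl.create_default_context()
    lax.check_hostname = False
    lax.verify_mode = ssl.CERT_NONE
    for ctx in (strict, lax):
        try:
            with socket.create_connection((host, port), timeout=timeout) as raw:
                with ctx.wrap_socket(raw, server_hostname=host) as tls:
                    result["cipher"], result["protocol"], _bits = tls.cipher()
                    return result
        except ssl.SSLCertVerificationError as exc:
            result["verify_code"] = exc.verify_code  # remember why strict failed
    return result

def findings(result):
    """Turn a probe() result into the list of issues still open."""
    issues = []
    code = result["verify_code"]
    if code in UNTRUSTED_CODES:
        issues.append("certificate not issued by a trusted CA: " + UNTRUSTED_CODES[code])
    elif code:
        issues.append("certificate rejected, OpenSSL verify code %d" % code)
    cipher = result["cipher"] or ""
    if cipher and "AES" not in cipher:  # assumption: only AES suites are acceptable
        issues.append("non-AES cipher negotiated: " + cipher)
    return issues

if __name__ == "__main__":
    import sys
    # Usage (hypothetical names): python check_ilo.py ilo.example.edu university-ca.pem
    for line in findings(probe(sys.argv[1], cafile=sys.argv[2])) or ["no open findings"]:
        print(line)
```

The cipher shown is only the one the iLO picked from this client's offer; a scanner such as Nessus enumerates every suite the server accepts, so a clean result here does not replace the rescan.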
parnassus
Honored Contributor

Re: ILO4 security issues

Exposing iLO4 on a public Internet address of your University also doesn't help WTR... by the way, HPE iLO4 2.54 (July 7th, 2017) is already out (no "security" related fixes... but it won't hurt to stay updated).

I'm not an HPE Employee