
Re: Is ilo4 version 2.03 vulnerable to FREAK Attacks?

 
JimiT
Respected Contributor

Is ilo4 version 2.03 vulnerable to FREAK Attacks?

Hi All,

 

I have port forwarding rule enabled to forward https (port 443) to internal iLO4 TCP/IP Address.

 

In the last two weeks I have received an email forwarded to me by my ISP (TPG) originating from the Australian Internet Security Initiative (AISI).

 

The email states my device is susceptible to the FREAK attack, and (incorrectly) states "is causing unwanted traffic to be transmitted, such as spam and viruses".

 

Anyway, I check HP's iLO website and see the FREAK vulnerability was fixed in all versions 1.22+ and above. I originally had 1.52, though did find a later version for iLO4 running on Windows 2012 w/ Essentials version 2.03 - thought why not, so I applied the update and everything seems to be working fine (not that I had any problems before).

 

I use this web tool to confirm if the FREAK vulnerability still exists (as it did when I tested it against iLO4 1.52) and was surprised to see that it was!

 

https://tools.keycdn.com/freak

 

So I disable the port forwarding rule, re-run the FREAK test and this time it passes.

 

Now I'm confused, my observation here now is that iLO4 for Windows 2012 w/ Essentials (versions 1.52 and also the latest 2.03) is actually susceptible to the FREAK attacks!!!

 

Can someone please confirm if this is in fact the case? Does anyone know of another tool I can test from within my local network for FREAK attack vulnerabilities?

 

Here is the email from TPG forwarding on behalf of AISI...

 

 

Dear Customer (xxx.xxx@tpg.com.au),

We have received reports from the ACMA's Australian Internet Security Initiative (AISI) that a machine accessing the Internet using your TPG Service is causing unwanted traffic to be transmitted, such as spam and viruses.

A summary of the last few complaints has been provided below:

[2015-03-17 21:27:18] [60.xxx.xxx.xxx] Vulnerable Service: HTTPS (FREAK) - remote_port: 443, data: ILOxxxxxxxxxx
[2015-03-16 16:20:13] [60.xxx.xxx.xxx] Vulnerable Service: HTTPS (FREAK) - remote_port: 443, domain_name: 60-xxx-xxx-xxx.static.tpgi.com.au, data: ILOxxxxxxxxxx
[2015-03-15 17:26:38] [60.xxx.xxx.xxx] Vulnerable Service: HTTPS (FREAK) - remote_port: 443, domain_name: 60-xxx-xxx-xxx.static.tpgi.com.au, data: ILOxxxxxxxxxx
[2015-03-14 12:29:33] [60.xxx.xxx.xxx] Vulnerable Service: HTTPS (FREAK) - remote_port: 443, domain_name: 60-xxx-xxx-xxx.static.tpgi.com.au, data: ILOxxxxxxxxxx


It may be that your equipment has been compromised by a hacker or some other malicious software has been installed onto your system. Please obtain an up to date antivirus software and ensure that all your machines are cleaned as a matter of urgency. If you fail to do so and the malicious traffic persists, TPG may take steps to limit it by suspending your service.

For more information about how to protect your computer, please visit the following websites below:

http://www.acma.gov.au/WEB/STANDARD/pc=PC_310316
http://www.staysmartonline.gov.au/home_internet_users/secure_your_computer

If you have any questions about this email or our Terms and Conditions, please contact Customer Service on customer_service@tpg.com.au or
13 14 23.

Thank you.


Kind Regards,

Internet Abuse Team
TPG Internet

E-mail:	abuse@tpg.com.au
Phone:	13 14 23

Server Name  xxxxxxxx
Product Name ProLiant MicroServer Gen8 
UUID xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
  
Server Serial Number xxxxxxxxxxxx
Product ID 712318-371  
  
  
System ROM J06 
System ROM Date 06/06/2014 
Backup System ROM Date 11/09/2013 
Integrated Remote Console .NET    Java  
License Type iLO 4 Advanced 
iLO Firmware Version  2.03 Nov 07 2014 
IP Address 192.168.0.xxx 
Link-Local IPv6 Address  xxxx::xxxx:xxxx:xxxx:xxxx 
iLO Hostname ILOSGHxxxxxxx. 

Firmware Version Info

HP Dynamic Smart Array B120i Controller 4.50 
HP ProLiant System ROM 06/06/2014 
HP ProLiant System ROM - Backup 11/09/2013 
HP ProLiant System ROM Bootblock 02/04/2012 
iLO 2.03 Nov 07 2014 
Intelligent Provisioning 1.60.1 
Server Platform Services (SPS) Firmware 2.2.0.31.2 
System Programmable Logic Device Version 0x06 

Jimmy Vance
HPE Pro

Re: Is ilo4 version 2.03 vulnerable to FREAK Attacks?

I have sent your report to the iLO team.

Oscar A. Perez
Honored Contributor

Re: Is ilo4 version 2.03 vulnerable to FREAK Attacks?

FREAK is a vulnerability that allows a Man-In-The-Middle (MITM) attacker to force a client to negotiate a weak EXPORT-grade cipher suite and then begin factorizing 512-bit RSA keys.

 

Fortunately, users can take care of FREAK by properly configuring iLO. Here is what you need to do:

 

Step 1) Replace on each iLO the default Self-Signed SSL Certificate with an SSL Certificate signed by your own trusted Certification Authority. Using Self-Signed SSL certificates makes you vulnerable to MITM attacks and they pose a much bigger security risk than FREAK, POODLE, BEAST, CRIME, etc.

All the attacker needs to do is to create a fake Self-Signed SSL certificate and then present it to users who are used to ignoring those annoying Browser warnings about untrusted websites. Once the user clicks on the "Continue" button, the MITM attacker takes over the connection and will start seeing all traffic in plaintext. If you have SSL Self-Signed Certificates, hackers aren't going to spend hours or days factorizing 512-bit RSA keys (FREAK) or manipulating 1 bit of padding (POODLE).

 

Step 2) Once trusted SSL Certificates are imported into your iLOs, enable "Enforce AES/3DES Encryption" in Administration->Security->Encryption menu. This setting will prevent EXPORT-grade cipher suites from being negotiated.

 

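A way to run the check from inside the local network, as the original post asks, and to confirm that Step 2 above really stops EXPORT-grade suites from being negotiated: the probe below sends a TLS 1.0 ClientHello that offers only RSA_EXPORT cipher suites and reports whether the server picks one. This is added example code, not from HPE or from anyone in this thread; the host/port you pass in and the sample ServerHello used for offline testing are constructed assumptions.

```python
import os, socket, struct

# RSA_EXPORT cipher suites (IANA IDs). A server that selects one of these when
# they are the only suites offered will negotiate a 512-bit export RSA key (FREAK).
EXPORT_SUITES = {
    0x0003: "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    0x0006: "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
    0x0008: "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA",
}

def build_client_hello(suites):
    """TLS 1.0 ClientHello (no extensions) offering only the given cipher suites."""
    cs = b"".join(struct.pack("!H", s) for s in suites)
    body = (b"\x03\x01" + os.urandom(32)       # client_version, random
            + b"\x00"                          # session_id: empty
            + struct.pack("!H", len(cs)) + cs  # cipher_suites
            + b"\x01\x00")                     # compression_methods: null only
    hs = b"\x01" + struct.pack("!I", len(body))[1:] + body   # type + 24-bit length
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs  # record header

def selected_suite(record):
    """Cipher suite chosen in a ServerHello record; None for an alert or anything else."""
    if len(record) < 5 or record[0] != 0x16:   # 0x16 = handshake, 0x15 = alert
        return None
    hs = record[5:]
    if not hs or hs[0] != 0x02:                # 0x02 = ServerHello
        return None
    body = hs[4:]                              # version(2) random(32) sid_len(1) sid cipher(2)
    if len(body) < 35:
        return None
    off = 35 + body[34]
    return struct.unpack("!H", body[off:off + 2])[0] if len(body) >= off + 2 else None

def sample_server_hello(suite, session_id=b""):
    """Constructed ServerHello for offline testing (not captured from a real iLO)."""
    body = (b"\x03\x01" + bytes(32) + bytes([len(session_id)]) + session_id
            + struct.pack("!H", suite) + b"\x00")
    hs = b"\x02" + struct.pack("!I", len(body))[1:] + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs

def freak_exposed(host, port=443, timeout=5.0):
    """(True, suite name) if the server accepts an RSA_EXPORT suite, else (False, None)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_client_hello(list(EXPORT_SUITES)))
        reply = s.recv(4096)
    suite = selected_suite(reply)
    return suite in EXPORT_SUITES, EXPORT_SUITES.get(suite)
```

Call `freak_exposed("192.168.0.xxx")` against the iLO's LAN address before and after enabling Enforce AES/3DES Encryption: a server that refuses every offered suite replies with a handshake_failure alert (or just closes the connection), so the function returns `(False, None)`.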