- Integrated Systems
- About Us
- Integrated Systems
- About Us
03-28-2015 06:16 PM - edited 03-28-2015 06:35 PM
Is ilo4 version 2.03 vulnerable to FREAK Attacks?
I have port forwarding rule enabled to forward https (port 443) to internal iLO4 TCP/IP Address.
In the last two weeks I have received an email forwarded to me by my ISP (TPG) originating from the Australian Internet Security Initiative (AISI).
The email states my device is susceptible to the FREAK attack, and (incorrectly) states "is causing unwanted traffic to be transmitted, such as spam and viruses".
Anyway, I check HP's ilo website and see the FREAK vulnerability was fixed in all versions 1.22+ and above. I originally had 1.52, though did find a later version for iLO4 running on Windows 2012 w/ Essentials version 2.03 -thought why not, so I applied the update and everything seems to be working fine (not that I had any problems before).
I use this web tool to confirm if the FREAK vulnerability still exists, (as it did when I tested it against ILO4 1.52) and was surprised to see that it was!
So I disable the port forwarding rule, re-run the freak test and this time it passes.
Now I'm confused, my observation here now is that iLO4 for Windows 2012 w/ Essentials (versions 1.52 and also the latest 2.03) is actually susceptible to the FREAK attacks!!!
Can someone please confirm if this is infact the case? Does anyone know of another tool I can test from within my local network for FREAK attack vulnerabilities?
Here is the email from TPG forwarding on behalf of AISI...
Dear Customer (email@example.com), We have received reports from the ACMA's Australian Internet Security Initiative (AISI) that a machine accessing the Internet using your TPG Service is causing unwanted traffic to be transmitted, such as spam and viruses. A summary of the last few complaints have been provided below: [2015-03-17 21:27:18] [60.xxx.xxx.xxx] Vulnerable Service: HTTPS (FREAK) - remote_port: 443, data: ILOxxxxxxxxxx [2015-03-16 16:20:13] [60.xxx.xxx.xxx] Vulnerable Service: HTTPS (FREAK) - remote_port: 443, domain_name: 60-xxx-xxx-xxx.static. tpgi. com. au, data: ILOxxxxxxxxxx [2015-03-15 17:26:38] [60.xxx.xxx.xxx] Vulnerable Service: HTTPS (FREAK) - remote_port: 443, domain_name: 60-xxx-xxx-xxx.static. tpgi. com. au, data: ILOxxxxxxxxxx [2015-03-14 12:29:33] [60.xxx.xxx.xxx] Vulnerable Service: HTTPS (FREAK) - remote_port: 443, domain_name: 60-xxx-xxx-xxx.static. tpgi. com. au, data: ILOxxxxxxxxxx It may be that your equipment has been compromised by a hacker or some other malicious software has been installed onto your system. Please obtain an up to date antivirus software and ensure that all your machines are cleaned as a matter of urgency. If you fail to do so and the malicious traffic persists, TPG may take steps to limit it by suspending your service. For more information about how to protect your computer, please visit the following websites below: http://www.acma.gov.au/WEB/STANDARD/pc=PC_310316 http://www.staysmartonline.gov.au/home_internet_users/secure_your_computer If you have any questions about this email or our Terms and Conditions, please contact Customer Service on firstname.lastname@example.org or 13 14 23. Thank you. Kind Regards, Internet Abuse Team TPG Internet E-mail: email@example.com Phone: 13 14 23
Server Name xxxxxxxx Product Name ProLiant MicroServer Gen8 UUID xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx Server Serial Number xxxxxxxxxxxx Product ID 712318-371 System ROM J06 System ROM Date 06/06/2014 Backup System ROM Date 11/09/2013 Integrated Remote Console .NET Java License Type iLO 4 Advanced iLO Firmware Version 2.03 Nov 07 2014 IP Address 192.168.0.xxx Link-Local IPv6 Address xxxx::xxxx:xxxx:xxxx:xxxx iLO Hostname ILOSGHxxxxxxx. Firmware Version Info HP Dynamic Smart Array B120i Controller 4.50 HP ProLiant System ROM 06/06/2014 HP ProLiant System ROM - Backup 11/09/2013 HP ProLiant System ROM Bootblock 02/04/2012 iLO 2.03 Nov 07 2014 Intelligent Provisioning 1.60.1 Server Platform Services (SPS) Firmware 126.96.36.199.2 System Programmable Logic Device Version 0x06
03-30-2015 08:15 AM - edited 03-30-2015 08:25 AM
Re: Is ilo4 version 2.03 vulnerable to FREAK Attacks?
FREAK is a vulnerability that allows a Man-In-The-Middle (MITM) attacker to force a client to negotiate a weak EXPORT-grade cipher suite and then begin factorizing 512bits RSA keys.
Fortunately, users can take care of FREAK by properly configuring iLO. Here is what the you need to do:
Step 1) Replace on each iLO the default Self-Signed SSL Certificate with a SSL Certificate signed by your own trusted Certification Authority. Using Self-Signed SSL certificates makes you vulnerable to MITM attacks and they pose a much bigger security risk than FREAK, POODLE, BEAST, CRIME, etc.
All the attacker needs to do is to create a fake Self-Signed SSL certificate then, present it to users who are used to ignore those annoying Browser warnings about untrusted websites. Once the user clicks on the "Continue" button, the MITM attacker takes over the connection and will start seeing all traffic in plaintext. If you have SSL Self-Signed Certificates, hackers aren't going to spend hours or days factorizing a 512bit RSA keys (FREAK) or manipulating 1 bit of padding (POODLE).
Step 2) Once trusted SSL Certificates are imported into your iLOs, enable "Enforce AES/3DES Encryption" in Administration->Security->Encyption menu. This setting will prevent EXPORT-grade cipher suites from being negotiated.
If you feel this was helpful please click the KUDOS! thumb below!