Each year, August arrives with promises of hot weather and cool security research talks. The DEF CON, Black Hat, and BSidesLV security conferences bring people in from all over the world to share knowledge through conversations, villages, training, and talks. There are always a number of interesting talks, and one that caught our eye was from this year's Black Hat "briefings." It covered vulnerabilities in the HPE iLO 5 firmware discovered by researchers Alexandre Gazet (Senior Security Engineer, Airbus), Fabien Périgaud (Reverse Engineering Team Tech Lead, Synacktiv), and Joffrey Czarny (Red Team Lead, Medallia).

Bypassing encryption to improve iLO security #

HPE's Integrated Lights-Out (iLO) logic is available in many of HPE's server lines, including ProLiant and Gen10 series. Similar to other "lights out" management solutions such as Dell's iDRAC and Supermicro's IPMI boards, iLO supports out-of-band remote management of the servers where it is embedded.

Last year, these security researchers noticed that HPE had begun encrypting the iLO firmware blobs and decided to analyze the new encryption mechanism, with an eye toward surfacing security implications around this new encrypted packaging. Their talk at Black Hat, titled "HPE iLO5 Firmware Security - Go Home Cryptoprocessor, You're Drunk!", digs into their research methods and the vulnerabilities they discovered with iLO. It included a buffer overflow (CVE-2021-29202) that can be locally exploited to allow a privileged user of the system OS to execute code as a privileged user on the iLO itself.

In addition to these researchers' findings, a number of other iLO 5 vulnerabilities had been reported to HPE, including XSS and CRLF injection, affecting multiple versions of iLO 5 firmware on HPE servers that include iLO logic. Ultimately, leading HPE to publish a security bulletin and a new iLO firmware version: 2.44.

How to find vulnerable iLO BMCs with Rumble #

While remaining true to our "unauthenticated scanning" mantra, runZero Explorers and scanners take additional steps when querying iLO assets to provide a rich set of details. Rumble provides a holistic view of each iLO asset–all without authentication–by making pre-auth queries of iLO REST endpoints that return XML-formatted details, and then combining that data with information gleaned from initiating a web login session.

You can locate iLO 5 assets in your inventory currently running vulnerable versions of iLO firmware with this pre-built query:

os:"iLO 5" and (os_version:=1.% or os_version:=2.0% or os_version:=2.1% or os_version:=2.2% or os_version:=2.3% or os_version:=2.40 or os_version:=2.41 or os_version:=2.42 or os_version:=2.43)

iLO query results for devices with vulnerable firmware

As always, any prebuilt queries we create are available from our Queries Library.

Additional iLO details can be found on a per-asset view via "ilo" attributes and also using your Reports page, including what kind of iLO assets are present in your environment, the server assets they are a part of, and all the versions of firmware running on those iLO assets:

Available iLO reports

There is also a specially-crafted CSV export available for iLO devices from your Inventory page, containing many details which are suitable for warranty tracking:

iLO export csv dropdown menu option

Additional details you'll find in this CSV export of your iLO assets include:

  • The configured Insight Remote Support server
  • The health status of the module
  • All active MAC addresses
  • Authentication methods

You can also broaden your search to find ALL of your lights-out assets in your inventory via this query:

type:bmc

Shine a light on your lights-out assets #

Use the Rumble resources we covered in this post to get faster visibility of your iLO assets and their current state. At Rumble, our goal is to build the best products for IT and security professionals through applied research. We hope that you found this post interesting and that you will try it out.

Written by runZero Team

Due to the nature of their research and out of respect for their privacy, runZero team members prefer to remain anonymous. Their work is published under the runZero name.

More about runZero Team
Subscribe Now

Get the latest news and expert insights delivered in your inbox.

Welcome to the club! Your subscription to our newsletter is successful.


Related Articles

runZero Insights
Taming the Typhoons: How runZero Keeps You Ahead of State-Sponsored Cyber Threats
China's Typhoon cyber attacks are evolving, but runZero helps you stay one step ahead with unmatched visibility and proactive defense.
runZero Insights
Ensure compliance with DORA’s ICT risk framework using runZero
Learn how to uncover unmanaged and unknown assets— including IT, OT, and IoT— to meet DORA's hidden risk requirements using runZero.
Life at runZero
Employee Spotlight: Doug Markiewicz
Doug Markiewicz is a strategic Customer Success Engineer with a passion for solving complex cybersecurity problems. Learn more about his journey as...
runZero Insights
Evolving from IT to IoT: Flax Typhoon preyed on the lesser knowns
A look at Flax Typhoon's latest operations, and how runZero’s unknown and IoT asset visibility can help calm the storm for security teams.

See Results in Minutes

Get complete visibility into IT, OT, & IoT — without agents, credentials, or hardware.

© Copyright 2024 runZero, Inc. All Rights Reserved