BlackHat gems HP iLO 5 vulnerabilities


Each year, August arrives with promises of hot weather and cool security research talks. The DEF CON, Black Hat, and BSidesLV security conferences bring people in from all over the world to share knowledge through conversations, villages, training, and talks. There are always a number of interesting talks, and one that caught our eye was from this year's Black Hat "briefings." It covered vulnerabilities in the HPE iLO 5 firmware discovered by researchers Alexandre Gazet (Senior Security Engineer, Airbus), Fabien Périgaud (Reverse Engineering Team Tech Lead, Synacktiv), and Joffrey Czarny (Red Team Lead, Medallia).

Bypassing encryption to improve iLO security #

HPE's Integrated Lights-Out (iLO) logic is available in many of HPE's server lines, including ProLiant and Gen10 series. Similar to other "lights out" management solutions such as Dell's iDRAC and Supermicro's IPMI boards, iLO supports out-of-band remote management of the servers where it is embedded.

Last year, these security researchers noticed that HPE had begun encrypting the iLO firmware blobs and decided to analyze the new encryption mechanism, with an eye toward surfacing security implications around this new encrypted packaging. Their talk at Black Hat, titled "HPE iLO5 Firmware Security - Go Home Cryptoprocessor, You're Drunk!", digs into their research methods and the vulnerabilities they discovered with iLO. It included a buffer overflow (CVE-2021-29202) that can be locally exploited to allow a privileged user of the system OS to execute code as a privileged user on the iLO itself.

In addition to these researchers' findings, a number of other iLO 5 vulnerabilities had been reported to HPE, including XSS and CRLF injection, affecting multiple versions of iLO 5 firmware on HPE servers that include iLO logic. Ultimately, leading HPE to publish a security bulletin and a new iLO firmware version: 2.44.

How to find vulnerable iLO BMCs with Rumble #

While remaining true to our "unauthenticated scanning" mantra, runZero Explorers and scanners take additional steps when querying iLO assets to provide a rich set of details. Rumble provides a holistic view of each iLO asset–all without authentication–by making pre-auth queries of iLO REST endpoints that return XML-formatted details, and then combining that data with information gleaned from initiating a web login session.

You can locate iLO 5 assets in your inventory currently running vulnerable versions of iLO firmware with this pre-built query:

os:"iLO 5" and (os_version:=1.% or os_version:=2.0% or os_version:=2.1% or os_version:=2.2% or os_version:=2.3% or os_version:=2.40 or os_version:=2.41 or os_version:=2.42 or os_version:=2.43)

iLO query results for devices with vulnerable firmware

As always, any prebuilt queries we create are available from our Queries Library.

Additional iLO details can be found on a per-asset view via "ilo" attributes and also using your Reports page, including what kind of iLO assets are present in your environment, the server assets they are a part of, and all the versions of firmware running on those iLO assets:

Available iLO reports

There is also a specially-crafted CSV export available for iLO devices from your Inventory page, containing many details which are suitable for warranty tracking:

iLO export csv dropdown menu option

Additional details you'll find in this CSV export of your iLO assets include:

  • The configured Insight Remote Support server
  • The health status of the module
  • All active MAC addresses
  • Authentication methods

You can also broaden your search to find ALL of your lights-out assets in your inventory via this query:


Shine a light on your lights-out assets #

Use the Rumble resources we covered in this post to get faster visibility of your iLO assets and their current state. At Rumble, our goal is to build the best products for IT and security professionals through applied research. We hope that you found this post interesting and that you will try it out.

Written by Pearce Barry

More about Pearce Barry
Subscribe Now

Get the latest news and expert insights delivered in your inbox.

Welcome to the club! Your subscription to our newsletter is successful.

Related Articles

runZero Insights
Using runZero to verify network segmentation
There are many benefits of network segmentation, and fact checking proper implementation can be a difficult, arduous task. runZero is here to help...
Life at runZero
Employee Spotlight: James McNulty
James is our website manager and dynamic SEO strategist! Read on to learn about James' journey on the Marketing team at runZero!
Product Release
Introducing the customizable dashboard, Wiz integration, and more!
Introducing the customizable dashboard, Wiz Integration, and other Q2 2024 enhancements to the runZero Platform.
Product Release
How to integrate your SIEM platform with runZero to create an actionable asset inventory
Learn how to combine runZero's real-time asset inventory with SIEM exports for comprehensive asset tracking and historical data analysis..

See Results in Minutes

Get complete visibility into IT, OT, & IoT — without agents, credentials, or hardware.

© Copyright 2024 runZero, Inc. All Rights Reserved