Hewlett Packard Enterprise (HPE), spun off from HP in late 2015, has released a firmware update that addresses a security vulnerability in its remote management tool, HPE Integrated Lights-Out 3 (iLO 3), tracked as CVE-2017-8987.
iLO cards have their own network connection (and their own IP address) for remote management of ProLiant servers. With iLO's remote management capabilities, administrators can manage ProLiant servers off-site as if they were on-site, saving travel costs, increasing productivity and extending system uptime.
Researchers at Rapid7 Inc., an IT security solutions provider, discovered the vulnerability in iLO 3 in September 2017. It is rated high severity, with a CVSS base score of 8.6.
Remote attackers can exploit it to cause a denial of service (DoS), which under certain circumstances can create serious problems for the data center: the iLO is the out-of-band path an operator relies on to reach a server whose operating system is no longer responding.
According to Rapid7's description, several HTTP request methods can cause iLO 3 devices running firmware v1.88 to stop responding in a variety of ways within 10 minutes:
- SSH: open sessions will become unresponsive; new SSH sessions will not be established
- Web portal: users cannot log in to the web portal; the login page will not successfully load
Rapid7 also noted that they did not test iLO 5. Each of the following four invocations is enough to trigger the denial of service (the commands carry no credentials; the hostname is a placeholder for an iLO 3 on a test network):
curl -X OPTIONS hp-ilo-3.testing.your-org.com
curl -X PROPFIND hp-ilo-3.testing.your-org.com
curl -X PUT hp-ilo-3.testing.your-org.com
curl -X TRACE hp-ilo-3.testing.your-org.com
Rapid7 and HPE publicly disclosed the vulnerability on February 22, 2018, and users are advised to upgrade to iLO 3 firmware v1.89, available from the HPE Support Center. Rapid7 also tested iLO 3 firmware versions 1.80, 1.82, 1.85 and 1.87, as well as iLO 4 v2.55, and found them not affected.
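To turn the version list above into an inventory check, the following Python script classifies an iLO as vulnerable, fixed, tested-clean or untested. It is an added example, not code from Rapid7's disclosure or from HPE. It assumes that the iLO's unauthenticated /xmldata?item=all endpoint returns the RIMP XML document in which <MP><PN> names the iLO generation and <MP><FWRI> carries the firmware revision; the sample responses are constructed for offline use, and the network helper is included only for running the check against your own hosts.

```python
"""Classify an HPE iLO's firmware against the CVE-2017-8987 version list.

Added example; not code from Rapid7's disclosure or from HPE. Assumption:
the iLO's unauthenticated endpoint /xmldata?item=all answers with the RIMP
XML document, whose <MP><PN> element names the iLO generation and whose
<MP><FWRI> element carries the firmware revision. The sample responses
below are constructed for offline use.
"""
import re
import ssl
import urllib.request
import xml.etree.ElementTree as ET

# Version facts from the advisory: only iLO 3 v1.88 was shown to be
# affected, v1.89 carries the fix, and these other builds were tested clean.
VULNERABLE_ILO3 = {(1, 88)}
FIXED_ILO3 = (1, 89)
TESTED_OK_ILO3 = {(1, 80), (1, 82), (1, 85), (1, 87)}
TESTED_OK_ILO4 = {(2, 55)}


def parse_version(fwri):
    """'1.88' -> (1, 88); comparing tuples avoids the float trap 1.9 > 1.88."""
    m = re.match(r"\s*(\d+)\.(\d+)", fwri)
    if not m:
        raise ValueError(f"unrecognised firmware revision {fwri!r}")
    return int(m.group(1)), int(m.group(2))


def parse_rimp(xml_text):
    """Return (ilo_generation, version_tuple) from a RIMP document."""
    root = ET.fromstring(xml_text)
    pn = root.findtext("MP/PN")
    fwri = root.findtext("MP/FWRI")
    if pn is None or fwri is None:
        raise ValueError("no <MP><PN>/<FWRI> elements: not an iLO RIMP document?")
    gen = re.search(r"iLO\s*(\d+)", pn)
    if not gen:
        raise ValueError(f"cannot read iLO generation from {pn!r}")
    return int(gen.group(1)), parse_version(fwri)


def assess(xml_text):
    """Map a RIMP document to one of: vulnerable, fixed, not-affected, untested."""
    gen, ver = parse_rimp(xml_text)
    if gen == 3:
        if ver in VULNERABLE_ILO3:
            status = "vulnerable"
        elif ver >= FIXED_ILO3:
            status = "fixed"
        elif ver in TESTED_OK_ILO3:
            status = "not-affected"
        else:
            status = "untested"      # e.g. 1.86: neither tested clean nor fixed
    elif gen == 4 and ver in TESTED_OK_ILO4:
        status = "not-affected"
    else:
        status = "untested"          # other iLO 4 builds, and all of iLO 5
    return {"generation": gen, "firmware": f"{ver[0]}.{ver[1]:02d}", "status": status}


def fetch_rimp(host, timeout=10):
    """Network helper for your own hosts: GET the RIMP document over HTTPS.

    iLO 3 ships with a self-signed certificate, so verification is disabled
    here; pin or verify the certificate if you run this outside a lab.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with urllib.request.urlopen(f"https://{host}/xmldata?item=all",
                                timeout=timeout, context=ctx) as resp:
        return resp.read().decode("utf-8", errors="replace")


def sample_rimp(product_name, fwri):
    """Build a constructed RIMP response (a minimal subset of the real document)."""
    return (
        "<RIMP>"
        "<HSI><SBSN>CZ0000000X</SBSN><SPN>ProLiant DL380 G7</SPN></HSI>"
        f"<MP><ST>1</ST><PN>{product_name}</PN><FWRI>{fwri}</FWRI>"
        "<HWRI>ASIC: 12</HWRI></MP>"
        "</RIMP>"
    )


# Constructed responses covering each verdict the advisory allows.
SAMPLES = {
    "ilo3-1.88": sample_rimp("Integrated Lights-Out 3 (iLO 3)", "1.88"),
    "ilo3-1.89": sample_rimp("Integrated Lights-Out 3 (iLO 3)", "1.89"),
    "ilo3-1.85": sample_rimp("Integrated Lights-Out 3 (iLO 3)", "1.85"),
    "ilo4-2.55": sample_rimp("Integrated Lights-Out 4 (iLO 4)", "2.55"),
    "ilo5-1.20": sample_rimp("Integrated Lights-Out 5 (iLO 5)", "1.20"),
}

if __name__ == "__main__":
    for name, doc in SAMPLES.items():
        r = assess(doc)
        print(f"{name:10s} iLO {r['generation']} fw {r['firmware']}: {r['status']}")
```

Versions are compared as integer tuples rather than floats so that a hypothetical 1.90 sorts after 1.89; anything the advisory did not cover (iLO 3 builds between 1.87 and 1.88, other iLO 4 builds, and all of iLO 5) is reported as untested rather than silently treated as safe.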
Reference: Rapid7