
HPE Integrated Lights-Out (iLO) - Remote Code Execution Vulnerability

IDs: 
CVE-2017-12542
Keywords: 
HP, HPE, iLO, hardware
Description: 

A severe security vulnerability has been identified in HPE Integrated Lights-Out (iLO), which is used for remote administration of HP server systems. The vulnerability can be exploited remotely to bypass authentication and execute code [1]. iLO 4 versions prior to 2.53 are affected.

Airlock WAF is affected when running on an HP system running a vulnerable iLO 4 version.

The attack complexity for this vulnerability is very low, and exploits are publicly available [3].

Resolution: 

We highly recommend updating all HP systems running a vulnerable iLO 4 firmware. Firmware updates are available here [2]. Further, we recommend restricting access to iLO to a trusted local network or deactivating iLO completely.
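To find the systems this resolution applies to, the following added example (not part of the original advisory or of any vendor tooling) classifies iLO summary documents collected from your own hosts against the 2.53 threshold. The XML layout (`RIMP/MP/PN` and `RIMP/MP/FWRI`), the host names and the sample documents are assumptions constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

FIXED = (2, 53)  # advisory: iLO 4 versions prior to 2.53 are affected

# Constructed sample documents (not real hosts). Assumed layout:
# <RIMP><MP><PN>product name</PN><FWRI>firmware version</FWRI></MP></RIMP>
ILO4 = "<PN>Integrated Lights-Out 4 (iLO 4)</PN>"
SAMPLES = {
    "srv-a.example": f"<RIMP><MP>{ILO4}<FWRI>2.50</FWRI></MP></RIMP>",
    "srv-b.example": f"<RIMP><MP>{ILO4}<FWRI>2.53</FWRI></MP></RIMP>",
    "srv-c.example": "<RIMP><MP><PN>Integrated Lights-Out 3 (iLO 3)</PN>"
                     "<FWRI>1.88</FWRI></MP></RIMP>",
    "srv-d.example": f"<RIMP><MP>{ILO4}</MP></RIMP>",   # version missing
    "srv-e.example": "<html>login page</html",           # not XML
}


def classify(xml_text):
    """Return 'affected', 'fixed', 'out-of-scope' or 'unknown'."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError:
        return "unknown"              # unparseable: check this host by hand
    product = root.findtext("./MP/PN") or ""
    firmware = (root.findtext("./MP/FWRI") or "").strip()
    gen = re.search(r"\(iLO (\d+)\)", product)
    if not gen:
        return "unknown"
    if gen.group(1) != "4":
        return "out-of-scope"         # the advisory only covers iLO 4
    ver = re.fullmatch(r"(\d+)\.(\d+)", firmware)
    if not ver:
        return "unknown"              # never assume a host is patched
    # Compare as integer pairs, not as strings or floats.
    current = (int(ver.group(1)), int(ver.group(2)))
    return "affected" if current < FIXED else "fixed"


def triage(documents):
    """Map each host to its status and list the hosts needing action."""
    status = {host: classify(doc) for host, doc in documents.items()}
    action = sorted(h for h, s in status.items() if s in ("affected", "unknown"))
    return status, action


if __name__ == "__main__":
    for host, state in triage(SAMPLES)[0].items():
        print(f"{host}: {state}")
```

Hosts reported as `unknown` are listed for action alongside `affected` ones, so a missing or unreadable version is verified by hand.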

Component: 
Airlock
Airlock Vulnerability Status: 
Airlock vulnerable, see resolution
Back-end Vulnerability Status: 
Back-ends may be vulnerable, see resolution