You are here

Home › HPE integrated Lights Out (iLO) - Remote Code Execution Vulnerability

HPE integrated Lights Out (iLO) - Remote Code Execution Vulnerability

Submitted on 25. August 2017 - 9:12 by rischi.
Last update on 12. July 2018 - 10:22.
IDs: 
CVE-2017-12542
Keywords: 
HP, HPE, iLO, hardware
Description: 

A severe security vulnerability has been identified in HPE Integrated Lights-out used for remote administration of HP server systems. The vulnerability can be exploited remotely to allow authentication bypass and execution of code [1]. iLO4 version prior 2.53 are affected.

Airlock WAF is affected when running on an HP system running a vulnerable iLO 4 version.

The attack complexity for this vulnerability is very low and exploits are public available [3].

Resolution: 

We highly recommend to update all HP systems running a vulnerable iLO 4 firmware. Firmware updates are available here [2]. Further, we recommend to restrict access to iLO to a trusted local network or to completely deactivate iLO.

Component: 
Airlock
Airlock Vulnerability Status: 
Airlock vulnerable, see resolution
Back-end Vulnerability Status: 
Back-ends may be vulnerable, see resolution
Reference: 
[1] HPESBHF03769 rev.1 - HPE Integrated Lights-out 4 (iLO 4) Multiple Remote Vulnerabilities
[2] HPE iLO 4 firmware updates
[3] HPE iLO 4 < 2.53 - Add New Administrator User
© Ergon Informatik AG