Hewlett Packard Enterprise has patched a vulnerability in its remote management hardware called Integrated Lights-Out 3 that is used in its popular line of HP ProLiant servers. The bug allows an attacker to launch an unauthenticated remote denial of service attack that could contribute to a crippling on vulnerable datacenters under some conditions.
The vulnerability (CVE-2017-8987) is rated “high severity”, with a CVSS base score of 8.6, and was discovered by Rapid7 researchers in September. HPE publicly reported the bug on Feb. 22 and has made patches available.
Affected is the v1.88 firmware for HPE’s Integrated Lights-Out 3 (iLO3). Not impacted are newer versions of the firmware (1.8, 1.82, 1.85, and 1.87) along with firmware for iLO4 (v2.55). iLO5 devices were not tested, according to a Rapid7 technical brief on the vulnerability written by Sam Huckins, the company’s program manager.
The Hewlett-Packard iLO is an embedded server management technology for ProLiant servers that consists of a physical card with a separate network connection. It allows system administrators to remotely manage servers.
“An attacker who has already compromised a network can now can easily lock out an admin from fixing or mitigating against an attack,” said Tod Beardsley, Rapid7’s research director. “An attacker can use this to make a data center go dark and keep it that way by locking out remote management and mitigation.” Alternatively, system administrators will have to tackle on-premises fixes.
According to Beardsley, an attacker sharing the same network as a vulnerable iLO3 can simply send several HTTP requests and cause the iLO3 device (running firmware v1.88) to stop responding for up to 10 minutes.
One of those examples includes using a Secure Socket Shell where an “open sessions will become unresponsive; new SSH sessions will not be established.” In another scenario with a web portal “users cannot log into the web portal; the login page will not successfully load,” according to Rapid7.
Where as HTTP GET and POST requests are benign, curl -X OPTIONS request to an iLO3 device can trigger the DoS condition. “Any method requested other than GET or POST will trigger the DoS, even invalid ones,” Beardsley wrote. “Ten minutes after the DoS is triggered, the watchdog (automatic system recovery) service restarts the device.”
“An attack doesn’t require authentication. The device itself requires some kind of authentication, such as a web portal that you use to like login. But this attack comes in before that. The attack is literally just an HTTP command,” Beardsley said.
According to Rapid7, HP’s Integrated Lights-Out is not on by default, which likely disqualifies many ProLiant from the vulnerability.