This is a Python service relaying read and write queries from PCILeech to an HP iLO4 device flashed with a modified firmware.
[…]Release Date: 2018-10-30[…]
A security vulnerability in HPE Integrated Lights-Out 5 (iLO 5) prior to v1.37 could be locally exploited to bypass the security restrictions for firmware updates.[…]
A new detection tool in Python3:
#Yalnizca ProLiant DL180 ve ProLiant DL360 tipi sunucular icin firmware kontrolune uygundur.
#This script performs firmware checks for only ProLiant DL180 and ProLiant DL360.
lol, this was a sponsored ad by HP, not a story by an author. Tricked me. 🙂
[…]Commercial-grade UEFI malware, which infects a device’s firmware, has been known to exist since at least 2015, and it’s only a matter of time before it’s used in a focused attack.[…]
Re: https://firmwaresecurity.com/2018/06/11/subverting-your-server-through-its-bmc-the-hpe-ilo4-case-presentation-toolbox/ and https://firmwaresecurity.com/2018/06/20/airbus-seclab-ilo4_toolbox-more-info-uploaded/
Release Date: 2018-06-26
Senior UEFI Development Engineer
Job ID 1023806
Strong knowledge in UEFI security or firmware security in general.
Strong knowledge in TPM, Secure Boot, TXT, and RSA.
Knowledge of industry standard technologies including ACPI, USB, SMBIOS, IPMI, Redfish, and PCI express.
8+ years’ experience in firmware or BIOS/UEFI development.
In-depth knowledge of UEFI architecture and development (focused on the EDK2 development environment).
“[…]Summer intern to work on the iLO team (Integrated Lights Out).
iLO firmware provides industry leading remote management in each HPE ProLiant server.
This position will be to work on enhancements in our functionality and tools.[…]”
PCR0 (TPM 1.2, TXT disabled) = 3864B052A7A5E8D0D68C6B525CE7C264042FFD9C (SHA1)
PCR0 (TPM 1.2, TXT enabled) = A53040199863DE972A57CDCCBA5A1D595B8D622F (SHA1)
PCR0 (TPM 2.0 SHA256, TXT disabled) = 8F6FD3E49706E7EFDAFD56FB55FB8E02FC9766BE482C07D80D8AB2081CF5B196 (SHA256)
PCR0 (TPM 2.0 SHA256, TXT enabled) = B0D9EC8871DABC7D931A6EB0783CDFB3DAA2422F8999301CC4954D1FD2879E77 (SHA256)
Two suggestions: 1) use HTTPS not HTTP for web site. 2) Include a hash for the blobs.
Getting HPE MSA Storage firmware just got easier
Making things easier for customers is always a good idea. Kipp Glover from our HPE Storage Total Customer Experience & Quality team has been working to do that. Kipp wanted to make the process easy for HPE MSA Storage customers to get the latest firmware and related information like release notes and the firmware history for each of the last three generations of MSA models. Kipp and his team worked with our hpe.com people to create the website to make getting the latest MSA firmware easy. The website is hpe.com/storage/MSAFirmware. Kipp also created a short video that shows how to navigate the site so I wanted to share that with you.
Subverting your server through its BMC: the HPE iLO4 case
iLO is the server management solution embedded in almost every HP servers for more than 10 years. It provides every feature required by a system administrator to remotely manage a server without having to reach it physically. Such features include power management, remote system console, remote CD/DVD image mounting, as well as many monitoring indicators. We’ve performed a deep dive security study of HP iLO4 (known to be used on the family of servers HP ProLiant Gen8 and ProLiant Gen9 servers) and the results of this study were presented at the REcon conference held in Brussels (February 2 – 4, 2018, see ). iLO4 runs on a dedicated ARM processor embedded in the server, and is totally independent from the main processor. It has a dedicated flash chip to hold its firmware, a dedicated RAM chip and a dedicated network interface. On the software side, the operating system is the proprietary RTOS GreenHills Integrity .[…]
[…]The research were done by reading the code of SynTP.sys, I couldn’t verify if it’s correct or not. I tried to find HP laptop for rent and asked a few communities about that but got almost no replies. One guy even thought that I am a thief trying to rob someone. So, I messaged HP about the finding. They replied terrificly fast, confirmed the presence of the keylogger (which actually was a debug trace) and released an update that removes the trace. Get the list of affected models and fixed driver at HP website. The update also available via Windows update.[…]
Co-processor-based Behavior Monitoring: Application to the Detection of Attacks Against the System Management Mode
Ronny Chevalier, Maugan Villatel, David Plaquin, Guillaume Hiet
Highly privileged software, such as firmware, is an attractive target for attackers. Thus, BIOS vendors use cryptographic signatures to ensure firmware integrity at boot time. Nevertheless, such protection does not prevent an attacker from exploiting vulnerabilities at runtime. To detect such attacks, we propose an event-based behavior monitoring approach that links to an isolated co-processor. We instrument the code executed on the main CPU to send information about its behavior to the monitor. This information helps to solve the semantic gap issue. Our approach does not depend on a specific model of the behavior nor a specific target. We apply this approach to detect system management mode (SMM), a highly privileged x86 executable mode executing firmware code at runtime. We model the behavior of SMM using CPU registers (CR3 and SMBASE). We have two open-source firmware implementations: EDK II and coreboot. We evaluate the ability to detect and detect the effects of ARM Cortex A5 co-processor. The results show that our solution detects intrusions from the state of the art, without any false positives, while remaining acceptable in terms of performance overhead in the context of the SMM (ie, less than the 150 μs threshold defined by Intel).
Responsibilities: Four-year university students who are working in a technical internship role at hp during their study or in summer breaks between university semesters.
Education and Experience Required: High School Degree 3rd Year of University completed–typically a technical degree specialization.
Hewlett Packard Enterprise Support Center
HPESBHF03769 rev.1 – HPE Integrated Lights-out 4 (iLO 4) Multiple Remote Vulnerabilities
Document ID: hpesbhf03769en_us
Last Updated: 2017-08-24
Potential Security Impact: Remote: Authentication Bypass, Code Execution:
A potential security vulnerability has been identified in HPE Integrated Lights-out (iLO 4). The vulnerability could be exploited remotely to allow authentication bypass and execution of code. […] Hewlett Packard Enterprise would like to thank Fabien Perigaud of Airbus Defense and Space CyberSecurity for reporting this vulnerability.
“Limited details are available to describe this vulnerability or how this vulnerability could be exploited by an attacker. However, a successful exploit of this vulnerability could result in a complete system compromise.”
[EN] Keylogger in Hewlett-Packard Audio Driver
Security reviews of modern Windows Active Domain infrastructures are – from our point of view – quite sobering. Therefore, we often look left and right, when, for example, examining the hardening of protection mechanisms of a workstation. Here, we often find all sorts of dangerous and ill-conceived stuff. We want to present one of these casually identified cases now, as it’s quite an interesting one: We have discovered a keylogger in an audio driver package by Hewlett-Packard. A keylogger is a piece of software for which the case of dual-use can rarely be claimed. This means there are very few situations where you would describe a keylogger that records all keystrokes as ‘well-intended’. A keylogger records when a key is pressed, when it is released, and whether any shift or special keys have been pressed. It is also recorded if, for example, a password is entered even if it is not displayed on the screen.[…]There is no evidence that this keylogger has been intentionally implemented. Obviously, it is a negligence of the developers – which makes the software no less harmful. If the developer would just disable all logging, using debug-logs only in the development environment, there wouldn’t be problems with the confidentiality of the data of any user[…]
Tim Lewis of Insyde has a blog post with an update for the UEFI plugfest. *Multiple* presentations on security!!
State of UEFI – Mark Doran (Intel)
Keynote: China Information Technology Ecosystem – Guangnan Ni (Chinese Academy of Engineering).
The Role of UEFI Technologies Play in ARM Platform Architecture – Dong Wei (ARM)
ARM Server’s Firmware Security – Zhixiong (Jonathan) Zhang, Cavium
SMM Protection in EDK II – Jiewen Yao (Intel)
Server RAS and UEFI CPER – Mao Lucia and Spike Yuan (Intel)
A More Secure and Better User Experience for OS-based Firmware Update – David Liu (Phoenix)
UEFI and IoT: Best Practices in Developing IoT Firmware Solutions – Hawk Chen (Byosoft)
Establishing and Protecting a Chain of Trust with UEFI – David Chen (Insyde)
Implementation of Hypervisor in UEFI Firmware – Kangkang Shen (Huawei)
Lessons Learned from Implementing a Wi-Fi and BT Stack – Tony Lo (AMI)
UEFI Development Anti-Patterns – Chris Stewart (HP)