Synacktiv: Using your BMC as a DMA device: plugging PCILeech to HPE iLO 4

This is a Python service relaying read and write queries from PCILeech to an HP iLO4 device flashed with a modified firmware.

https://github.com/Synacktiv/pcileech_hpilo4_service

https://www.synacktiv.com/posts/exploit/using-your-bmc-as-a-dma-device-plugging-pcileech-to-hpe-ilo-4.html

HPE iLOv5 Firmware Updates, Local Bypass of Security Restrictions

https://support.hpe.com/hpsc/doc/public/display?docId=emr_na-hpesbhf03894en_us

[…]Release Date: 2018-10-30[…]
A security vulnerability in HPE Integrated Lights-Out 5 (iLO 5) prior to v1.37 could be locally exploited to bypass the security restrictions for firmware updates.[…]

https://2018.zeronights.ru/

HP iLO: a bit more on CVE-2017-12542

https://milo2012.wordpress.com/2018/06/30/some-notes-on-hpe-ilo4-authentication-bypass-and-rce-cve-2017-12542/

https://support.hpe.com/hpsc/doc/public/display?docId=hpesbhf03769en_us

https://www.rapid7.com/db/modules/auxiliary/admin/hp/hp_ilo_create_admin_account

https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/admin/hp/hp_ilo_create_admin_account.rb

https://tools.cisco.com/security/center/viewAlert.x?alertId=54930

https://github.com/skelsec/CVE-2017-12542

https://github.com/bao7uo/HPE-iLO-CVE-2017-12542

https://nvd.nist.gov/vuln/detail/CVE-2017-12542

HPE: iLO: Remote Unauthorized Modification of Information

Re: https://firmwaresecurity.com/2018/06/11/subverting-your-server-through-its-bmc-the-hpe-ilo4-case-presentation-toolbox/ and https://firmwaresecurity.com/2018/06/20/airbus-seclab-ilo4_toolbox-more-info-uploaded/

NOTICE: The information in this Security Bulletin should be acted upon as soon as possible.

Release Date: 2018-06-26

https://support.hpe.com/hpsc/doc/public/display?docId=emr_na-hpesbhf03844en_us

HPE seeks senior UEFI developer

Senior UEFI Development Engineer
Job ID 1023806

Strong knowledge in UEFI security or firmware security in general.
Strong knowledge in TPM, Secure Boot, TXT, and RSA.
Knowledge of industry standard technologies including ACPI, USB, SMBIOS, IPMI, Redfish, and PCI express.
8+ years’ experience in firmware or BIOS/UEFI development.
In-depth knowledge of UEFI architecture and development (focused on the EDK2 development environment).

https://careers.hpe.com/job/-/-/3545/7942722

HP iLO ransomware?

https://www.bleepingcomputer.com/news/security/ransomware-hits-hpe-ilo-remote-management-interfaces/

HP including expected PCR0 values in firmware releases

PCR0 (TPM 1.2, TXT disabled) = 3864B052A7A5E8D0D68C6B525CE7C264042FFD9C (SHA1)
PCR0 (TPM 1.2, TXT enabled) = A53040199863DE972A57CDCCBA5A1D595B8D622F (SHA1)
PCR0 (TPM 2.0 SHA256, TXT disabled) = 8F6FD3E49706E7EFDAFD56FB55FB8E02FC9766BE482C07D80D8AB2081CF5B196 (SHA256)
PCR0 (TPM 2.0 SHA256, TXT enabled) = B0D9EC8871DABC7D931A6EB0783CDFB3DAA2422F8999301CC4954D1FD2879E77 (SHA256)

https://support.hp.com/soar-attachment/567/col59842-wk-199952-1-wk-199952-1_sp82736_releasedoc.html

HPE MSA firmware site created

Two suggestions: 1) use HTTPS, not HTTP, for the web site. 2) Include a hash for the blobs.

Getting HPE MSA Storage firmware just got easier
HPEStorageGuy yesterday

Making things easier for customers is always a good idea. Kipp Glover from our HPE Storage Total Customer Experience & Quality team has been working to do that. Kipp wanted to make the process easy for HPE MSA Storage customers to get the latest firmware and related information like release notes and the firmware history for each of the last three generations of MSA models. Kipp and his team worked with our hpe.com people to create the website to make getting the latest MSA firmware easy. The website is hpe.com/storage/MSAFirmware. Kipp also created a short video that shows how to navigate the site so I wanted to share that with you.

https://community.hpe.com/t5/Around-the-Storage-Block/Getting-HPE-MSA-Storage-firmware-just-got-easier/ba-p/6996632

http://h41111.www4.hpe.com/storage/msafirmware.html

iLo4_toolbox: Toolbox for HPE iLO4 analysis

Subverting your server through its BMC: the HPE iLO4 case
iLO is the server management solution embedded in almost every HP server for more than 10 years. It provides every feature required by a system administrator to remotely manage a server without having to reach it physically. Such features include power management, remote system console, remote CD/DVD image mounting, as well as many monitoring indicators. We’ve performed a deep dive security study of HP iLO4 (known to be used on the family of servers HP ProLiant Gen8 and ProLiant Gen9 servers) and the results of this study were presented at the REcon conference held in Brussels (February 2 – 4, 2018, see [1]). iLO4 runs on a dedicated ARM processor embedded in the server, and is totally independent from the main processor. It has a dedicated flash chip to hold its firmware, a dedicated RAM chip and a dedicated network interface. On the software side, the operating system is the proprietary RTOS GreenHills Integrity [2].[…]

https://github.com/airbus-seclab/ilo4_toolbox

HP SureStart firmware protection

4AA6-9339ENW.pdf

coprocessor-based-behavior-monitoring-acsac-chevalier-2017.pdf

HP ships keylogger in Windows, update available

https://zwclose.github.io/HP-keylogger/

[…]The research was done by reading the code of SynTP.sys, I couldn’t verify if it’s correct or not. I tried to find HP laptop for rent and asked a few communities about that but got almost no replies. One guy even thought that I am a thief trying to rob someone. So, I messaged HP about the finding. They replied terrifically fast, confirmed the presence of the keylogger (which actually was a debug trace) and released an update that removes the trace. Get the list of affected models and fixed driver at HP website. The update is also available via Windows update.[…]

https://support.hp.com/us-en/document/c05827409

HP Labs: Co-processor-based Behavior Monitoring: Application to the Detection of Attacks Against the SMM

Co-processor-based Behavior Monitoring: Application to the Detection of Attacks Against the System Management Mode
Ronny Chevalier, Maugan Villatel, David Plaquin, Guillaume Hiet
HP Labs
Highly privileged software, such as firmware, is an attractive target for attackers. Thus, BIOS vendors use cryptographic signatures to ensure firmware integrity at boot time. Nevertheless, such protection does not prevent an attacker from exploiting vulnerabilities at runtime. To detect such attacks, we propose an event-based behavior monitoring approach that links to an isolated co-processor. We instrument the code executed on the main CPU to send information about its behavior to the monitor. This information helps to solve the semantic gap issue. Our approach does not depend on a specific model of the behavior nor a specific target. We apply this approach to detect system management mode (SMM), a highly privileged x86 executable mode executing firmware code at runtime. We model the behavior of SMM using CPU registers (CR3 and SMBASE). We have two open-source firmware implementations: EDK II and coreboot. We evaluate the ability to detect and detect the effects of ARM Cortex A5 co-processor. The results show that our solution detects intrusions from the state of the art, without any false positives, while remaining acceptable in terms of performance overhead in the context of the SMM (i.e., less than the 150 μs threshold defined by Intel).

https://hal.inria.fr/hal-01634566/

HPE iLO: multiple remote vulnerabilities (HPESBHF03769 rev.1)

Hewlett Packard Enterprise Support Center
HPESBHF03769 rev.1 – HPE Integrated Lights-out 4 (iLO 4) Multiple Remote Vulnerabilities
Document ID: hpesbhf03769en_us
Last Updated: 2017-08-24
Potential Security Impact: Remote: Authentication Bypass, Code Execution:
A potential security vulnerability has been identified in HPE Integrated Lights-out (iLO 4). The vulnerability could be exploited remotely to allow authentication bypass and execution of code. […] Hewlett Packard Enterprise would like to thank Fabien Perigaud of Airbus Defense and Space CyberSecurity for reporting this vulnerability.

https://www.hpe.com/us/en/servers/integrated-lights-out-ilo.html

http://h20564.www2.hpe.com/hpsc/doc/public/display?docId=hpesbhf03769en_us

https://tools.cisco.com/security/center/viewAlert.x?alertId=54930

“Limited details are available to describe this vulnerability or how this vulnerability could be exploited by an attacker. However, a successful exploit of this vulnerability could result in a complete system compromise.”

modzero Security: keylogger in HP audio driver

[EN] Keylogger in Hewlett-Packard Audio Driver
Security reviews of modern Windows Active Domain infrastructures are – from our point of view – quite sobering. Therefore, we often look left and right, when, for example, examining the hardening of protection mechanisms of a workstation. Here, we often find all sorts of dangerous and ill-conceived stuff. We want to present one of these casually identified cases now, as it’s quite an interesting one: We have discovered a keylogger in an audio driver package by Hewlett-Packard. A keylogger is a piece of software for which the case of dual-use can rarely be claimed. This means there are very few situations where you would describe a keylogger that records all keystrokes as ‘well-intended’. A keylogger records when a key is pressed, when it is released, and whether any shift or special keys have been pressed. It is also recorded if, for example, a password is entered even if it is not displayed on the screen.[…]There is no evidence that this keylogger has been intentionally implemented. Obviously, it is a negligence of the developers – which makes the software no less harmful. If the developer would just disable all logging, using debug-logs only in the development environment, there wouldn’t be problems with the confidentiality of the data of any user[…]

https://www.modzero.ch/modlog/archives/2017/05/11/en_keylogger_in_hewlett-packard_audio_driver/index.html

https://www.modzero.ch/advisories/MZ-17-01-Conexant-Keylogger.txt

UEFI Plugfest slides uploaded

https://uefi.blogspot.com/2017/03/uefi-plugfest-2017-in-nanjing.html

Tim Lewis of Insyde has a blog post with an update for the UEFI plugfest. *Multiple* presentations on security!!

State of UEFI – Mark Doran (Intel)
Keynote: China Information Technology Ecosystem – Guangnan Ni (Chinese Academy of Engineering)
The Role of UEFI Technologies Play in ARM Platform Architecture – Dong Wei (ARM)
ARM Server’s Firmware Security – Zhixiong (Jonathan) Zhang, Cavium
SMM Protection in EDK II – Jiewen Yao (Intel)
Server RAS and UEFI CPER – Mao Lucia and Spike Yuan (Intel)
A More Secure and Better User Experience for OS-based Firmware Update – David Liu (Phoenix)
UEFI and IoT: Best Practices in Developing IoT Firmware Solutions – Hawk Chen (Byosoft)
Establishing and Protecting a Chain of Trust with UEFI – David Chen (Insyde)
Implementation of Hypervisor in UEFI Firmware – Kangkang Shen (Huawei)
Lessons Learned from Implementing a Wi-Fi and BT Stack – Tony Lo (AMI)
UEFI Development Anti-Patterns – Chris Stewart (HP)

http://www.uefi.org/learning_center/presentationsandvideos