This is a Python service relaying read and write queries from PCILeech to an HP iLO4 device flashed with a modified firmware.
Tag: iLO
HPE iLOv5 Firmware Updates, Local Bypass of Security Restrictions
https://support.hpe.com/hpsc/doc/public/display?docId=emr_na-hpesbhf03894en_us
[…]Release Date: 2018-10-30[…]
A security vulnerability in HPE Integrated Lights-Out 5 (iLO 5) prior to v1.37 could be locally exploited to bypass the security restrictions for firmware updates.[…]
HP iLO: a bit more on CVE-2017-12542
https://support.hpe.com/hpsc/doc/public/display?docId=hpesbhf03769en_us
https://www.rapid7.com/db/modules/auxiliary/admin/hp/hp_ilo_create_admin_account
https://tools.cisco.com/security/center/viewAlert.x?alertId=54930
https://github.com/skelsec/CVE-2017-12542
HPE: iLO: Remote Unauthorized Modification of Information
Re: https://firmwaresecurity.com/2018/06/11/subverting-your-server-through-its-bmc-the-hpe-ilo4-case-presentation-toolbox/ and https://firmwaresecurity.com/2018/06/20/airbus-seclab-ilo4_toolbox-more-info-uploaded/
Release Date: 2018-06-26
https://support.hpe.com/hpsc/doc/public/display?docId=emr_na-hpesbhf03844en_us
Airbus-seclab: iLO4_toolbox: more info uploaded
Subverting your server through its BMC: the HPE iLO4 case (presentation + toolbox)
upcoming queue of BMC/iLO research…
3 different submissions to upcoming conferences. One abstract (for SSTIC’18) is below:
https://www.sstic.org/2018/presentation/subverting_your_server_through_its_bmc_the_hpe_ilo4_case/
Subverting your server through its BMC: the HPE iLO4 case
Alexandre Gazet, Fabien Perigaud, Joffrey Czarny
Date: 13 June 2018 at 11:30, 30 min.
iLO is the server management solution embedded in almost every HP server for more than 10 years. It provides the features required by a system administrator to remotely manage a server without having to physically reach it. iLO4 (known to be used on the family of servers HP ProLiant Gen8 and ProLiant Gen9) runs on a dedicated ARM micro-processor embedded in the server, totally independent from the main processor. We performed an initial deep dive security study of HP iLO4 and covered the following topics: firmware unpacking and memory layout, embedded OS internals, vulnerability discovery and exploitation as well as full compromise of the host server operating system through DMA. One of the main outcomes of our study was the discovery of a critical vulnerability in the web server component allowing an authentication bypass but also a remote code execution. Still, one question remains open, namely: are the iLO systems resilient against a long term compromise at firmware level? For this reason, this paper is focused on the update mechanism and how a motivated attacker can achieve long term persistence on the system; how a new/backdoored firmware can be crafted then installed, to offer an attacker a stealthy and resilient backdoor in an environment which has been compromised.
HP iLO ransomware?
HP seeks iLO firmware developer intern
“[…]Summer intern to work on the iLO team (Integrated Lights Out).
iLO firmware provides industry leading remote management in each HPE ProLiant server.
This position will be to work on enhancements in our functionality and tools.[…]”
iLo4_toolbox: Toolbox for HPE iLO4 analysis
Subverting your server through its BMC: the HPE iLO4 case
iLO is the server management solution embedded in almost every HP server for more than 10 years. It provides every feature required by a system administrator to remotely manage a server without having to reach it physically. Such features include power management, remote system console, remote CD/DVD image mounting, as well as many monitoring indicators. We’ve performed a deep dive security study of HP iLO4 (known to be used on the family of servers HP ProLiant Gen8 and ProLiant Gen9 servers) and the results of this study were presented at the REcon conference held in Brussels (February 2 – 4, 2018, see [1]). iLO4 runs on a dedicated ARM processor embedded in the server, and is totally independent from the main processor. It has a dedicated flash chip to hold its firmware, a dedicated RAM chip and a dedicated network interface. On the software side, the operating system is the proprietary RTOS GreenHills Integrity [2].[…]
https://github.com/airbus-seclab/ilo4_toolbox
HPE iLO: multiple remote vulnerabilities (HPESBHF03769 rev.1)
Hewlett Packard Enterprise Support Center
HPESBHF03769 rev.1 – HPE Integrated Lights-out 4 (iLO 4) Multiple Remote Vulnerabilities
Document ID: hpesbhf03769en_us
Last Updated: 2017-08-24
Potential Security Impact: Remote: Authentication Bypass, Code Execution:
A potential security vulnerability has been identified in HPE Integrated Lights-out (iLO 4). The vulnerability could be exploited remotely to allow authentication bypass and execution of code. […] Hewlett Packard Enterprise would like to thank Fabien Perigaud of Airbus Defense and Space CyberSecurity for reporting this vulnerability.
https://www.hpe.com/us/en/servers/integrated-lights-out-ilo.html
http://h20564.www2.hpe.com/hpsc/doc/public/display?docId=hpesbhf03769en_us
https://tools.cisco.com/security/center/viewAlert.x?alertId=54930
“Limited details are available to describe this vulnerability or how this vulnerability could be exploited by an attacker. However, a successful exploit of this vulnerability could result in a complete system compromise.”
OpenStack iLO Secure Boot
I just noticed that the OpenStack project has an alternative to UEFI Secure Boot, for iLO drivers:
Some of the Ironic deploy drivers support UEFI boot. It would be useful to security sensitive users to deploy more securely using Secure Boot feature of the UEFI. This spec proposes alternatives to support Secure Boot in baremetal provisioning for iLO drivers. […]
https://specs.openstack.org/openstack/ironic-specs/specs/kilo-implemented/uefi-secure-boot.html
https://blueprints.launchpad.net/ironic/+spec/uefi-secure-boot