Synacktiv: Using your BMC as a DMA device: plugging PCILeech to HPE iLO 4

This is a Python service relaying read and write queries from PCILeech to an HP iLO4 device flashed with a modified firmware.

https://github.com/Synacktiv/pcileech_hpilo4_service

https://www.synacktiv.com/posts/exploit/using-your-bmc-as-a-dma-device-plugging-pcileech-to-hpe-ilo-4.html

HPE iLOv5 Firmware Updates, Local Bypass of Security Restrictions

https://support.hpe.com/hpsc/doc/public/display?docId=emr_na-hpesbhf03894en_us

[…]Release Date: 2018-10-30[…]
A security vulnerability in HPE Integrated Lights-Out 5 (iLO 5) prior to v1.37 could be locally exploited to bypass the security restrictions for firmware updates.[…]

https://2018.zeronights.ru/

HP iLO: a bit more on CVE-2017-12542

https://milo2012.wordpress.com/2018/06/30/some-notes-on-hpe-ilo4-authentication-bypass-and-rce-cve-2017-12542/

https://support.hpe.com/hpsc/doc/public/display?docId=hpesbhf03769en_us

https://www.rapid7.com/db/modules/auxiliary/admin/hp/hp_ilo_create_admin_account

https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/admin/hp/hp_ilo_create_admin_account.rb

https://tools.cisco.com/security/center/viewAlert.x?alertId=54930

https://github.com/skelsec/CVE-2017-12542

https://github.com/bao7uo/HPE-iLO-CVE-2017-12542

https://nvd.nist.gov/vuln/detail/CVE-2017-12542

HPE: iLO: Remote Unauthorized Modification of Information

Re: https://firmwaresecurity.com/2018/06/11/subverting-your-server-through-its-bmc-the-hpe-ilo4-case-presentation-toolbox/ and https://firmwaresecurity.com/2018/06/20/airbus-seclab-ilo4_toolbox-more-info-uploaded/

NOTICE: The information in this Security Bulletin should be acted upon as soon as possible.

Release Date: 2018-06-26

https://support.hpe.com/hpsc/doc/public/display?docId=emr_na-hpesbhf03844en_us

Airbus-seclab: iLO4_toolbox: more info uploaded

Re: https://firmwaresecurity.com/2018/06/11/subverting-your-server-through-its-bmc-the-hpe-ilo4-case-presentation-toolbox/

https://www.synacktiv.com/ressources/sstic_2018_backdooring_ilo4_slides_en.pdf

https://www.sstic.org/media/SSTIC2018/SSTIC-actes/subverting_your_server_through_its_bmc_the_hpe_ilo/SSTIC2018-Article-subverting_your_server_through_its_bmc_the_hpe_ilo4_case-gazet_perigaud_czarny.pdf

https://github.com/airbus-seclab/ilo4_toolbox

Subverting your server through its BMC: the HPE iLO4 case (presentation + toolbox)

https://github.com/airbus-seclab/airbus-seclab.github.io/blob/master/ilo/RECONBRX2018-Slides-Subverting_your_server_through_its_BMC_the_HPE_iLO4_case-perigaud-gazet-czarny.pdf

https://airbus-seclab.github.io/

https://github.com/airbus-seclab/ilo4_toolbox

upcoming queue of BMC/iLO research…

Three different submissions to upcoming conferences. One abstract (for SSTIC’18) is below:

https://www.sstic.org/2018/presentation/subverting_your_server_through_its_bmc_the_hpe_ilo4_case/

Subverting your server through its BMC: the HPE iLO4 case
Alexandre Gazet, Fabien Perigaud, Joffrey Czarny
Date: 13 June 2018 at 11:30 — 30 min.

iLO is the server management solution embedded in almost every HP server for more than 10 years. It provides the features required by a system administrator to remotely manage a server without having to physically reach it. iLO4 (known to be used on the HP ProLiant Gen8 and ProLiant Gen9 server families) runs on a dedicated ARM micro-processor embedded in the server, totally independent from the main processor. We performed an initial deep dive security study of HP iLO4 and covered the following topics: firmware unpacking and memory layout, embedded OS internals, vulnerability discovery and exploitation as well as full compromise of the host server operating system through DMA. One of the main outcomes of our study was the discovery of a critical vulnerability in the web server component allowing an authentication bypass but also a remote code execution. Still, one question remains open, namely: are the iLO systems resilient against a long-term compromise at firmware level? For this reason, this paper is focused on the update mechanism and how a motivated attacker can achieve long-term persistence on the system; how a new/backdoored firmware can be crafted then installed, to offer an attacker a stealth and resilient backdoor in an environment which has been compromised.

HP iLO ransomware?

https://www.bleepingcomputer.com/news/security/ransomware-hits-hpe-ilo-remote-management-interfaces/

ilo4_toolbox: Toolbox for HPE iLO4 analysis

Subverting your server through its BMC: the HPE iLO4 case
iLO is the server management solution embedded in almost every HP server for more than 10 years. It provides every feature required by a system administrator to remotely manage a server without having to reach it physically. Such features include power management, remote system console, remote CD/DVD image mounting, as well as many monitoring indicators. We’ve performed a deep dive security study of HP iLO4 (known to be used on the HP ProLiant Gen8 and ProLiant Gen9 server families) and the results of this study were presented at the REcon conference held in Brussels (February 2 – 4, 2018, see [1]). iLO4 runs on a dedicated ARM processor embedded in the server, and is totally independent from the main processor. It has a dedicated flash chip to hold its firmware, a dedicated RAM chip and a dedicated network interface. On the software side, the operating system is the proprietary RTOS GreenHills Integrity [2].[…]

https://github.com/airbus-seclab/ilo4_toolbox


HPE iLO: multiple remote vulnerabilities (HPESBHF03769 rev.1)


Hewlett Packard Enterprise Support Center
HPESBHF03769 rev.1 – HPE Integrated Lights-out 4 (iLO 4) Multiple Remote Vulnerabilities
Document ID: hpesbhf03769en_us
Last Updated: 2017-08-24
Potential Security Impact: Remote: Authentication Bypass, Code Execution
A potential security vulnerability has been identified in HPE Integrated Lights-out (iLO 4). The vulnerability could be exploited remotely to allow authentication bypass and execution of code. […] Hewlett Packard Enterprise would like to thank Fabien Perigaud of Airbus Defense and Space CyberSecurity for reporting this vulnerability.

https://www.hpe.com/us/en/servers/integrated-lights-out-ilo.html

http://h20564.www2.hpe.com/hpsc/doc/public/display?docId=hpesbhf03769en_us

https://tools.cisco.com/security/center/viewAlert.x?alertId=54930

“Limited details are available to describe this vulnerability or how this vulnerability could be exploited by an attacker. However, a successful exploit of this vulnerability could result in a complete system compromise.”

OpenStack iLO Secure Boot

I just noticed that the OpenStack project has an alternative to UEFI Secure Boot, for iLO drivers:

Some of the Ironic deploy drivers support UEFI boot. It would be useful to security sensitive users to deploy more securely using Secure Boot feature of the UEFI. This spec proposes alternatives to support Secure Boot in baremetal provisioning for iLO drivers. […]

https://specs.openstack.org/openstack/ironic-specs/specs/kilo-implemented/uefi-secure-boot.html

https://blueprints.launchpad.net/ironic/+spec/uefi-secure-boot