
Hewlett Packard Enterprise Integrated Lights-Out Vulnerability

A vulnerability has been discovered in Hewlett Packard Enterprise Integrated Lights-Out 3 (HPE iLO3) that allows a remote attacker to render the iLO remote management interface unavailable (denial of service).

This content has been archived

This article no longer conforms to NHS Digital's standards for cyber alerts and may contain outdated or inaccurate information. Use of the information contained in this page is at your own risk.

Threat details

HPE iLO is an embedded server management processor that lets administrators remotely perform actions such as resetting or powering on the server and reading its Integrated Management Log (IML), independently of the host operating system.

Certain HTTP requests to the iLO3 web interface trigger a denial of service in the remote management functionality lasting about 10 minutes. Open SSH sessions become unresponsive, new SSH sessions cannot be established, and the login page of the web interface fails to load for the duration.

The controller continues to answer ICMP ping requests throughout, so monitoring that checks reachability only by ping will not detect the fault; a check has to exercise the SSH and HTTPS services themselves.

Eventually the controller restarts automatically and is temporarily unreachable by ping while it does so. Remote management functions become fully available again once the restart completes, but the condition can be triggered again by further such HTTP requests, so an attacker who retains network access to the web interface can keep the management interface unavailable.
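The ping-versus-service gap described above is worth probing for directly. The following is an added example, not code from the original alert or from HPE: a service-level probe that reads the SSH banner and fetches the web login page under a timeout, then classifies the controller's state. The ICMP result is assumed to come from an existing ping monitor and is passed in by the caller. The `fake_service` listener, the banner string and the HTTP reply are constructed test doubles so the script runs offline; they are not captured iLO output.

```python
import http.client
import socket
import ssl
import threading

_WEDGED = []  # keeps hung test connections referenced so they stay open


def read_ssh_banner(host, port=22, timeout=5.0):
    """Return the SSH identification string from host:port, or None.

    A TCP connect that succeeds but never yields an 'SSH-' line is the
    symptom in the alert: the controller still answers ICMP, but the
    SSH service has stopped talking.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.settimeout(timeout)
            data = sock.recv(255)
    except OSError:  # refused, unreachable or timed out (socket.timeout is an OSError)
        return None
    first = data.split(b"\n", 1)[0].strip()
    return first.decode("ascii", "replace") if first.startswith(b"SSH-") else None


def login_page_loads(host, port=443, path="/", timeout=5.0, use_tls=True):
    """True if the web interface answers a GET for the login page in time.

    Certificate checking is deliberately off: this is a liveness probe of
    a controller that usually presents a self-signed certificate, not an
    authentication step, so a forged certificate gains an attacker nothing here.
    """
    conn = None
    try:
        if use_tls:
            ctx = ssl.create_default_context()
            ctx.check_hostname = False
            ctx.verify_mode = ssl.CERT_NONE
            conn = http.client.HTTPSConnection(host, port, timeout=timeout, context=ctx)
        else:
            conn = http.client.HTTPConnection(host, port, timeout=timeout)
        conn.request("GET", path)
        resp = conn.getresponse()
        resp.read()
        return 200 <= resp.status < 400
    except (OSError, http.client.HTTPException):
        return False
    finally:
        if conn is not None:
            conn.close()


def classify(icmp_ok, ssh_banner, web_ok):
    """Combine the three probes into a state that maps onto the alert."""
    if not icmp_ok:
        return "unreachable"               # e.g. the automatic restart in progress
    if ssh_banner is None and not web_ok:
        return "management-unavailable"    # pings, but SSH and web are both dead
    if ssh_banner is not None and web_ok:
        return "healthy"
    return "degraded"


def fake_service(reply):
    """Constructed test double, not an iLO: a TCP listener on 127.0.0.1.

    If reply is bytes it is sent once a client connects; if None the
    connection is accepted and then left hanging, like a wedged service.
    Returns the port number.
    """
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def serve():
        while True:
            conn, _ = srv.accept()
            if reply is None:
                _WEDGED.append(conn)       # accept, then never answer
                continue
            conn.settimeout(0.2)
            try:
                conn.recv(4096)            # drain any request so close() does not RST it
            except OSError:
                pass                       # SSH clients send nothing before the banner
            conn.sendall(reply)
            conn.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


def demo():
    """Probe a healthy and a wedged fake controller; returns (healthy_state, wedged_state)."""
    healthy_ssh = fake_service(b"SSH-2.0-OpenSSH_7.4\r\n")  # banner text is constructed
    healthy_web = fake_service(b"HTTP/1.0 200 OK\r\nContent-Length: 0\r\n\r\n")
    wedged = fake_service(None)
    good = classify(True, read_ssh_banner("127.0.0.1", healthy_ssh, timeout=1.0),
                    login_page_loads("127.0.0.1", healthy_web, timeout=1.0, use_tls=False))
    bad = classify(True, read_ssh_banner("127.0.0.1", wedged, timeout=1.0),
                   login_page_loads("127.0.0.1", wedged, timeout=1.0, use_tls=False))
    return good, bad


if __name__ == "__main__":
    print(demo())
```

Against a real controller the call is `classify(ping_result, read_ssh_banner(ilo_host), login_page_loads(ilo_host))`; the point is that the wedged case comes back as `management-unavailable` while a ping-only monitor would still report it up.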


Remediation steps

Firmware version 1.89 addresses the vulnerability and should be installed as soon as practicable. Until the update is applied, make sure the iLO network port is reachable only from a dedicated management network, since any host that can send HTTP requests to the web interface can trigger the condition, and verify the installed firmware version on each controller afterwards.
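One way to find iLO3 controllers still below 1.89 across an estate, as an added example that is not part of the original alert and not HPE code. It assumes the unauthenticated summary document that iLO serves at `https://<ilo-address>/xmldata?item=All`, with an `<MP>` element carrying the product name in `<PN>` and the firmware revision in `<FWRI>`; the sample documents below are constructed to that assumed shape, not captured from real devices. `fetch_xmldata` is provided for live use, but the check itself runs on the embedded samples.

```python
import ssl
import urllib.request
import xml.etree.ElementTree as ET

FIXED_VERSION = "1.89"  # first firmware version the alert says addresses the issue


def parse_version(text):
    """'1.88' -> (1, 88); tuples compare correctly where strings would not."""
    return tuple(int(part) for part in text.strip().split("."))


def assess(xml_text, fixed=FIXED_VERSION):
    """Classify one iLO xmldata document.

    Returns (product, firmware, verdict) with verdict one of 'not-ilo',
    'not-in-scope' (an iLO other than iLO 3), 'unknown', 'vulnerable' or 'patched'.
    """
    root = ET.fromstring(xml_text)
    mp = root.find("MP")  # assumption: <MP> holds the management-processor data
    if mp is None:
        return (None, None, "not-ilo")
    product = (mp.findtext("PN") or "").strip()
    firmware = (mp.findtext("FWRI") or "").strip()
    if "iLO 3" not in product:
        return (product, firmware, "not-in-scope")
    if not firmware:
        return (product, firmware, "unknown")
    verdict = "patched" if parse_version(firmware) >= parse_version(fixed) else "vulnerable"
    return (product, firmware, verdict)


def fetch_xmldata(host, timeout=10.0):
    """Retrieve the summary document from a live controller (not exercised offline).

    Certificate verification is disabled because iLO normally presents a
    self-signed certificate; this is read-only inventory data, but run it
    from the management network, never across an untrusted path.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    url = f"https://{host}/xmldata?item=All"  # assumed endpoint, see lead-in
    with urllib.request.urlopen(url, timeout=timeout, context=ctx) as resp:
        return resp.read().decode("utf-8", "replace")


# Constructed sample documents in the assumed shape (not captured from devices).
SAMPLE_ILO3_OLD = """<RIMP>
  <HSI><SPN>ProLiant DL380 G7</SPN></HSI>
  <MP><ST>1</ST><PN>Integrated Lights-Out 3 (iLO 3)</PN><FWRI>1.88</FWRI></MP>
</RIMP>"""

SAMPLE_ILO3_NEW = SAMPLE_ILO3_OLD.replace("<FWRI>1.88</FWRI>", "<FWRI>1.89</FWRI>")

SAMPLE_ILO4 = """<RIMP>
  <HSI><SPN>ProLiant DL360 Gen8</SPN></HSI>
  <MP><ST>1</ST><PN>Integrated Lights-Out 4 (iLO 4)</PN><FWRI>2.55</FWRI></MP>
</RIMP>"""


def triage(documents):
    """Map host -> (product, firmware, verdict) for already-fetched documents."""
    return {host: assess(doc) for host, doc in documents.items()}


if __name__ == "__main__":
    inventory = {"ilo-a": SAMPLE_ILO3_OLD, "ilo-b": SAMPLE_ILO3_NEW, "ilo-c": SAMPLE_ILO4}
    for host, (product, fw, verdict) in triage(inventory).items():
        print(f"{host}: {product or '?'} fw={fw or '?'} -> {verdict}")
```

For live use, build `inventory` as `{host: fetch_xmldata(host) for host in ilo_hosts}`; only controllers reporting `vulnerable` need the 1.89 update, and `not-in-scope` entries are other iLO generations this alert does not cover.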

Last edited: 17 February 2020 12:44 pm