
HPE iLO4 Authentication Bypass Vulnerability


This content has been archived

This article no longer conforms to NHS Digital's standards for cyber alerts, and may contain outdated or inaccurate information. Use of the information contained in this page is at your own risk.

Summary

Details of an authentication bypass in Hewlett Packard Enterprise's (HPE) Integrated Lights Out (iLO) out-of-band management devices have been disclosed by a group of researchers.

Threat details

iLO devices use separate network connections and proprietary software to provide remote administration tools to system administrators. Users can install applications, reset devices and access consoles through a web portal.

The researchers discovered that, by sending the following HTTP header during remote access, they could bypass authentication on the targeted iLO device:

curl -H "Connection: AAAAAAAAAAAAAAAAAAAAAAAAAAAAA"

This vulnerability only affects iLO generation 4.

For further information:


Remediation steps

  • HPE have confirmed this vulnerability has been addressed in iLO 4 version 2.54. Users should update their affected systems immediately.
  • Organisations that do not use iLO should disable it on their networks.
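
As an added defender-side example (not code from HPE or NHS Digital): a Python helper that checks whether a reported iLO 4 firmware version is at or past the fixed 2.54 release, and flags HTTP requests whose Connection header looks like the oversized string quoted above rather than a normal token list. The function names, the 16-character threshold and the log line format are assumptions.

```python
import re

FIXED_VERSION = (2, 54)  # release in which HPE addressed the issue

def parse_ilo_version(version: str) -> tuple:
    """'2.53' or 'iLO 4 v2.54' -> (2, 53); iLO 4 minors are two-digit."""
    m = re.search(r"(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unrecognised iLO version string: {version!r}")
    return (int(m.group(1)), int(m.group(2)))

def ilo4_is_patched(version: str) -> bool:
    """True if the reported iLO 4 firmware is 2.54 or later."""
    return parse_ilo_version(version) >= FIXED_VERSION

# A normal Connection header is a short comma-separated list of RFC 7230
# tokens such as "keep-alive", "close" or a hop-by-hop header name.
_TOKEN = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")
_KNOWN = {"keep-alive", "close", "upgrade", "te"}
_MAX_SANE_LEN = 16  # assumed threshold; tune to your own traffic

def suspicious_connection_header(value: str) -> bool:
    """Flag a non-token, an oversized unknown token, or a token made of one
    repeated character (the bypass string is 29 identical bytes)."""
    for token in (t.strip() for t in value.split(",")):
        if not _TOKEN.match(token):
            return True
        if token.lower() in _KNOWN:
            continue
        if len(token) > _MAX_SANE_LEN or len(set(token)) == 1:
            return True
    return False

# Constructed sample log lines (not from a real device); the last one
# carries the header value quoted in the alert.
SAMPLE_LOG = [
    'client=192.0.2.10 path=/ connection="keep-alive"',
    'client=192.0.2.11 path=/example connection="close"',
    'client=203.0.113.7 path=/example connection="' + "A" * 29 + '"',
]
_LINE = re.compile(r'client=(\S+) .*connection="([^"]*)"')

def scan_log(lines):
    """Return (client, header value) for each suspicious line; run it over
    proxy or management-network logs for iLO hosts."""
    hits = []
    for line in lines:
        m = _LINE.search(line)
        if m and suspicious_connection_header(m.group(2)):
            hits.append((m.group(1), m.group(2)))
    return hits
```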


CVE Vulnerabilities

Last edited: 17 February 2020 12:44 pm