Hewlett Packard Enterprise has issued a security patch to address a vulnerability (CVE-2017-8987) in its remote management hardware Integrated Lights-Out 3 that equip the family of HP ProLiant servers.
The Hewlett-Packard iLO is composed of a physical card with a separate network connection that is used for the remote management of the device.
The vulnerability could be exploited by a remote attacker to power a denial of service attack that could cause severe problems to datacenters under some conditions.
The vulnerability in the HP remote management hardware Integrated Lights-Out 3 was discovered by the researchers at Rapid7 researchers in September, the issue is rated “high severity” and it has received a CVSS base score of 8.6.
“This post describes CVE-2017-8987, an unauthenticated remote Denial of Service vulnerability in HPE iLO3 firmware version 1.88. This vulnerability can be exploited by several HTTP methods; once triggered, it lasts for approximately 10 minutes until the watchdog service performs a restart of the iLO3 device. CVE-2017-8987 is categorized as CWE-400 (Resource Exhaustion) and has a CVSSv3 base score of 8.6.” states Rapid7.
Once an attacker has compromised a network he can lock out an admin to restore the operations causing severe problems to a data center.
“Several HTTP request methods cause iLO3 devices running firmware v1.88 to stop responding in several ways for 10 minutes:
” continues Rapid 7.
HPE publicly disclosed the vulnerability on Feb. 22.
“A security vulnerability in HPE Integrated Lights-Out 3 (iLO 3) allows remote Denial of Service (DoS).” reads the security advisory published by HPE.
“HPE has provided the following instructions to resolve the vulnerability in HPE Integrated Lights-Out 3 (iLO 3) version 1.88: Please upgrade to HPE Integrated Lights-Out 3 (iLO 3) 1.89 which is available on HPE Support Center:
HPE said that affected version is v1.88 firmware for HPE Integrated Lights-Out 3 (iLO3), newer versions of the firmware (1.8, 1.82, 1.85, and 1.87) along with firmware for iLO4 (v2.55) are not impacted.
According to Rapid7 iLO5 devices were not tested, the experts also observed that requests calling the following four methods, will also trigger the Denial of Service:
curl -X OPTIONS hp-ilo-3.testing.your-org.com curl -X PROPFIND hp-ilo-3.testing.your-org.com curl -X PUT hp-ilo-3.testing.your-org.com curl -X TRACE hp-ilo-3.testing.your-org.com
Below the disclosure timeline:
(Security Affairs – HP Remote Management, hacking)