HP iLO4 Vulnerable to Simple Authentication Bypass

Hello All. HP iLO devices are widely used by organizations looking to manage their servers in a lights-out scenario. iLO cards can be embedded in regular computers. They have a separate Ethernet network connection and run a proprietary embedded server management technology that provides out-of-band management features.

In 2017, security researchers from Synacktiv (https://www.synacktiv.com/posts/exploit/rce-vulnerability-in-hp-ilo.html) discovered a vulnerability that could be exploited remotely over the Internet, putting every iLO server exposed online at risk.

The vulnerability is an authentication bypass that gives attackers access to HP iLO consoles. This access can later be used to extract cleartext passwords, execute malicious code, and even replace the iLO firmware.

Besides being remotely exploitable, this vulnerability is incredibly simple to exploit, requiring only a cURL request and 29 letter “A” characters, as below:

curl -H "Connection: AAAAAAAAAAAAAAAAAAAAAAAAAAAAA"

Because of its simplicity and remote exploitability, the vulnerability, tracked as CVE-2017-12542, has received a severity score of 9.8 out of 10. Rapid7 published a Metasploit module for it (https://www.rapid7.com/db/modules/auxiliary/admin/hp/hp_ilo_create_admin_account) and it’s also downloadable from Exploit-DB (https://www.exploit-db.com/exploits/44005/).

HP released patches for CVE-2017-12542 in August last year, in iLO 4 firmware version 2.54. So what is the issue? Well, researchers are presenting their PoCs at conferences and publishing all kinds of great info on the subject. Unless you have an organization that is diligent at patching servers beyond the operating system, there are most likely a tonne of servers out there that are still affected. Many administrators I have spoken to are not overly worried about their internal servers. Think of the attacker who wants to pivot within a network: they now have a valid method of doing so.

Of course, where is the first place my brain wandered to? Shodan.

https://www.shodan.io/search?query=HP-iLO-4 – a nice initial 3,600 hits.

As you can see, it is not hard to find pre-2.5.3 versions ripe for the taking.

So all I can say, boys and girls, is have a look at your HP servers, check your iLO version and ensure you patch ASAP.
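One way to turn that last line into something you can run across an inventory, as an added example that is not part of the original post: iLO 4 answers an unauthenticated request to /xmldata?item=All with a small XML document whose MP block carries the product name (PN) and firmware revision (FWRI); this assumes that endpoint and those element names, the sample response below is constructed, and the 2.54 threshold is the fix version the post states.

```python
import xml.etree.ElementTree as ET
from typing import Tuple

# Firmware revision the post gives as the fix for CVE-2017-12542 (iLO 4 2.54).
FIXED_VERSION = (2, 54)

# Constructed sample of an iLO 4 /xmldata?item=All response (assumed format,
# invented values). A real assessment would save each device's reply to a file
# and feed its text to assess().
SAMPLE_XML = """<?xml version="1.0"?>
<RIMP>
  <HSI><SPN>ProLiant DL380 Gen9</SPN></HSI>
  <MP>
    <PN>Integrated Lights-Out 4 (iLO 4)</PN>
    <FWRI>2.50</FWRI>
    <HWRI>ASIC: 17</HWRI>
  </MP>
</RIMP>"""


def parse_version(text: str) -> Tuple[int, ...]:
    """'2.54' -> (2, 54); integer tuples compare correctly, unlike floats or strings."""
    return tuple(int(part) for part in text.strip().split("."))


def parse_xmldata(xml_text: str) -> dict:
    """Read product name and firmware revision from the RIMP document.
    The reply comes from a device on the network, so treat it as untrusted:
    only two element texts are read, nothing else in the document is used."""
    root = ET.fromstring(xml_text)
    mp = root.find("MP")
    if mp is None:
        raise ValueError("no <MP> block: not an iLO xmldata response")
    return {
        "product": (mp.findtext("PN") or "").strip(),
        "firmware": (mp.findtext("FWRI") or "").strip(),
    }


def assess(xml_text: str) -> str:
    """Return 'vulnerable', 'patched' or 'not-applicable' for one device reply."""
    info = parse_xmldata(xml_text)
    if "iLO 4" not in info["product"]:
        return "not-applicable"  # CVE-2017-12542 concerns iLO 4 firmware only
    if parse_version(info["firmware"]) < FIXED_VERSION:
        return "vulnerable"
    return "patched"


if __name__ == "__main__":
    print(parse_xmldata(SAMPLE_XML), assess(SAMPLE_XML))
```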