No one thought it would be that easy in 2018 to hack a Hewlett Packard Enterprise (HPE) server, but it turns out it’s as simple as making a cURL request and typing the capital letter “A” 29 times. That easy!
HP iLO devices are extremely popular among small and large enterprises across multiple industries. iLO cards can also be embedded in a regular computer, so it is incredibly dangerous that such a well-known and widely used technology, developed by one of the biggest vendors in the world, can be hacked so easily. The vulnerability that affects these servers was originally found last year by a small group of three security researchers, who detailed their findings in a research paper. According to the paper, the vulnerability can be exploited not only on site but also remotely.
This is what the hack looks like:
curl -H "Connection: AAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
It doesn’t seem like much, but according to the research paper’s findings, using this exploit someone could find cleartext user credentials, change the iLO firmware, or execute malicious code. The vulnerability is tracked as CVE-2017-12542 and rated 9.8 out of 10, making it extremely critical.
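As an added defensive example (not code from this post or from the researchers’ paper), the following Python scanner parses raw HTTP request heads and flags a Connection header that is oversized or is not a normal token list, which is exactly the shape of the request shown above. The 24-byte threshold and the sample requests are assumptions constructed for the example.

```python
import re

# Normal values of the HTTP Connection header are a comma-separated list of
# short tokens (RFC 7230 "connection-option"), e.g. "keep-alive" or "close".
# The CVE-2017-12542 request instead carries a run of 29 "A"s, so a value that
# is longer than any plausible token list, or that is not a token list at all,
# is worth alerting on at a proxy or in captured traffic to the iLO.
TOKEN_RE = re.compile(r"^[A-Za-z][A-Za-z0-9-]*$")
MAX_CONNECTION_LEN = 24  # assumed threshold; "keep-alive, upgrade" is 19 bytes


def parse_request(raw: str) -> dict:
    """Parse a raw HTTP/1.x request head into its request line and lower-cased headers."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        if not line or ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    return {"request_line": lines[0], "headers": headers}


def connection_header_suspicious(value: str) -> bool:
    """True when a Connection header value does not look like a normal token list."""
    if len(value) > MAX_CONNECTION_LEN:
        return True
    tokens = [t.strip() for t in value.split(",")]
    return any(not TOKEN_RE.match(t) for t in tokens)


def scan_requests(raw_requests: list) -> list:
    """Return one finding per request whose Connection header is suspicious."""
    findings = []
    for raw in raw_requests:
        req = parse_request(raw)
        value = req["headers"].get("connection")
        if value is not None and connection_header_suspicious(value):
            findings.append({"request_line": req["request_line"], "connection": value})
    return findings


# Constructed sample requests (not real captures): one benign, one with the 29-"A" header.
SAMPLE_REQUESTS = [
    "GET / HTTP/1.1\r\nHost: ilo.example.internal\r\nConnection: keep-alive\r\n\r\n",
    "GET / HTTP/1.1\r\nHost: ilo.example.internal\r\nConnection: " + "A" * 29 + "\r\n\r\n",
]

if __name__ == "__main__":
    for finding in scan_requests(SAMPLE_REQUESTS):
        print("ALERT", finding["request_line"], repr(finding["connection"]))
```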
This exploit was originally discovered early last year, and HPE announced that it had been patched. Admins can find the original HPE security bulletin detailing the patched vulnerability here. According to this bulletin, only HPE iLO 4 servers running firmware version 2.53 or earlier were affected.
“If they are not actively used, completely disabling the feature is a good practice,” the paper noted. “Otherwise, administrators should take great care to keep their systems up to date whenever possible. Network-level isolation should be put in place to ensure that iLO systems can only be accessed from dedicated administration VLANs.”
According to the paper, you cannot just wipe and reinstall the host OS; that isn’t enough. At that point, the paper states, the hardware is considered untrusted.
Big takeaway for IT leaders:
- If you are running HPE iLO, please get your systems checked! If you don’t know anyone who can do that, please contact one of our team members for assistance.