HPE iLO 4 Server Authentication Bypass Vulnerability

Proof-of-concept (PoC) code to exploit a vulnerability in Hewlett Packard Enterprise Integrated Lights-Out 4 (HPE iLO 4) servers was recently published online. CVE-2017-12542 is an authentication bypass vulnerability that allows a threat actor to access iLO 4 consoles remotely over the internet. Once the console is accessed, an attacker could extract clear-text passwords, execute malicious code, and possibly replace the iLO 4 firmware. To bypass authentication, an attacker needs only to craft a cURL request followed by 29 letter “A” characters. HPE released a firmware patch for the vulnerability in August of last year as iLO 4 firmware version 2.54; however, systems running firmware version 2.53 or earlier remain vulnerable. Since the release of the PoC code, several research papers on exploiting the vulnerability have been written and a Metasploit module has been created, indicating that the vulnerability is being, or will soon be, actively exploited. The NJCCIC recommends that all administrators of HPE iLO 4 servers running firmware version 2.53 or earlier update to the newest firmware immediately.
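As an added example (not part of the advisory), the following Python triages an iLO fleet against the fixed version stated above, flagging iLO 4 firmware 2.53 or earlier. It assumes the RIMP-style XML that iLO management processors serve at `/xmldata?item=all`, with the product name in `MP/PN` and firmware in `MP/FWRI`; the sample document and host names are constructed.

```python
"""Triage HPE iLO 4 firmware versions against CVE-2017-12542 (fixed in 2.54)."""
import xml.etree.ElementTree as ET

FIXED_VERSION = (2, 54)  # first iLO 4 firmware release carrying the fix

# Constructed sample of the XML an iLO returns without authentication at
# /xmldata?item=all. Assumption: endpoint and element names follow the RIMP
# format; neither is quoted in the advisory itself.
SAMPLE_RIMP = """<RIMP>
  <MP>
    <PN>Integrated Lights-Out 4 (iLO 4)</PN>
    <FWRI>2.53</FWRI>
    <SN>CONSTRUCTED-SN-001</SN>
  </MP>
</RIMP>"""


def parse_version(text):
    """'2.53' -> (2, 53); tolerates trailing build tokens such as '2.55 Aug 16 2017'.

    Comparing integer tuples avoids the string-ordering trap where '2.9' > '2.54'.
    """
    first = text.strip().split()[0]
    return tuple(int(part) for part in first.split("."))


def parse_rimp(xml_text):
    """Return (product_name, firmware_string) from a RIMP document."""
    root = ET.fromstring(xml_text)
    return root.findtext("MP/PN", default=""), root.findtext("MP/FWRI", default="")


def is_vulnerable(product_name, fw_text):
    """True when the device is an iLO 4 running firmware older than 2.54."""
    if "iLO 4" not in product_name:
        return False  # iLO 2/3/5 are outside the scope of this CVE
    return parse_version(fw_text) < FIXED_VERSION


def triage(inventory):
    """inventory maps host -> RIMP XML; returns hosts that still need the update."""
    return sorted(host for host, xml in inventory.items()
                  if is_vulnerable(*parse_rimp(xml)))


if __name__ == "__main__":
    fleet = {"ilo-a.example": SAMPLE_RIMP,
             "ilo-b.example": SAMPLE_RIMP.replace("2.53", "2.55")}
    print("Update required:", triage(fleet))
```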