
HP patches for iLO may be tough to locate: researcher

A European researcher says that even though HP has released patches for a vulnerability in the server management solution used to gain remote access to baseboard management controllers — which have been embedded in most HP servers for the last decade — users who want to patch may have trouble locating the fixes on HP's website.

Fabien Périgaud of Synacktiv, along with Alexandre Gazet of Airbus and independent researcher Joffrey Czarny, discovered a critical vulnerability in the BMC, the details of which they released in a paper presented at the SSTIC Symposium in Rennes in mid-June.

Périgaud told iTWire in response to queries that HP had released patches along with a security bulletin for the flaws a year ago.

"However, we think that companies do not often have a patch management process for their BMC, and deploying patches is not as simple as it is for classical software," he said.

"Regarding the patches' availability, it seems that HPE does not require a specific subscription to download them. The main difficulty might be to find the correct links on HP's website :)."


The exploit is carried out through HPE Integrated Lights-Out (iLO), the server management solution that gives a sysadmin the features needed to remotely manage a server. iLO 4, which is used on servers in the HP ProLiant Gen8 and ProLiant Gen9 lines, runs on a dedicated ARM processor that is totally independent of the main processor.

Périgaud, Gazet and Czarny said they had done a deep dive security study of HP iLO4 and looked at:

  • Firmware unpacking and memory layout;
  • Embedded OS internals;
  • Vulnerability discovery and exploitation; and
  • Full compromise of the host server operating system through DMA.

The researchers said they had found the vulnerability in question during this research; it existed in the web server component and permitted an authentication bypass and also remote code execution.

Given that the question of whether iLO systems could withstand a long-term compromise at the firmware level was unanswered, the trio took a hard look at the update mechanism and at how a motivated attacker could gain access to, and remain in, the system over an extended period.

The BMC is a standalone system and has the following components:

  • Dedicated ARM processor: GLP/Sabine architecture
  • Firmware stored on a NAND flash chip
  • Dedicated RAM chip
  • Dedicated network interface
  • Full operating system and applicative image, running as soon as the server is powered.

iLO is connected directly to the PCI-Express bus.

The three researchers took about five man-months to analyse the file format of a firmware update, extract its components, carry out kernel integrity analysis, understand the memory layout of the userland modules - the equivalent of processes - and analyse the Web administration interface.

They found an authentication bypass and a remote code execution flaw, both fixed in iLO 2.53 and 2.54, and were able to achieve a full server compromise by running arbitrary code in the context of the Web server.
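A patch-state check a sysadmin could run across a fleet, added here as an example and not code from the article or the researchers: it parses the FirmwareVersion string an iLO 4 reports (assumed here to come from the Redfish Manager resource; the sample response is constructed) and flags anything older than the 2.53 fix the article names.

```python
import json
import re

# The article states the authentication bypass / RCE in iLO 4 was fixed in
# firmware 2.53 and 2.54, so anything older than 2.53 is treated as unpatched.
MIN_FIXED_ILO4 = (2, 53)

# Constructed sample of an iLO 4 Redfish Manager resource (assumption: the
# /redfish/v1/Managers/1/ resource reports "FirmwareVersion" as "iLO 4 vX.YY").
SAMPLE_MANAGER_JSON = json.dumps({
    "Id": "1",
    "ManagerType": "BMC",
    "FirmwareVersion": "iLO 4 v2.50",
    "Model": "iLO 4",
})

_VERSION_RE = re.compile(r"iLO\s*(\d+)\s*v(\d+)\.(\d+)", re.IGNORECASE)


def parse_ilo_version(firmware_version: str):
    """Return (generation, major, minor) from an iLO FirmwareVersion string."""
    m = _VERSION_RE.search(firmware_version)
    if not m:
        raise ValueError(f"unrecognised iLO version string: {firmware_version!r}")
    return tuple(int(x) for x in m.groups())


def assess_manager(manager_json: str) -> dict:
    """Classify one BMC as patched, vulnerable, or not applicable (not iLO 4)."""
    data = json.loads(manager_json)
    gen, major, minor = parse_ilo_version(data["FirmwareVersion"])
    if gen != 4:
        status = "not-ilo4"          # iLO 3 / iLO 5 are outside this advisory
    elif (major, minor) >= MIN_FIXED_ILO4:
        status = "patched"
    else:
        status = "vulnerable"        # older than 2.53: schedule a firmware update
    return {"id": data.get("Id"), "version": f"{major}.{minor}", "status": status}


if __name__ == "__main__":
    print(assess_manager(SAMPLE_MANAGER_JSON))
```

Feed it one Manager resource per BMC (fetched with whatever Redfish client your environment already uses) to get an inventory of which controllers still need the fixed firmware.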

Their objective was to achieve permanent compromise, survive the re-installation of the host and remain below the radar; hence they came up with the idea of backdooring the iLO firmware.

They found that although firmware updates were signed and their integrity checked during the update process and at boot time, there was no hardware root of trust.

The trio found a service that they could invoke through the injection of shellcode into the Web server to directly overwrite the firmware in flash memory. This meant they could bypass the firmware's dynamic integrity check.

The full process they outlined was:

  • full extraction of the firmware update;
  • patching the bootloader;
  • patching the kernel;
  • addition of a backdoor;
  • rebuilding the firmware update; and
  • flashing the firmware.

Their recent talk is here, a detailed paper is here and HP's advisory is here. A toolbox for HPE iLO4 analysis can be downloaded here.


Sam Varghese


A professional journalist with decades of experience, Sam for nine years used DOS and then Windows, which led him to start experimenting with GNU/Linux in 1998. Since then he has written widely about the use of both free and open source software, and the people behind the code. His personal blog is titled Irregular Expression.
