HP patches for iLO may be tough to locate: researcher

A European researcher says that even though HP has released patches for a vulnerability in the server management solution that is used to gain remote access to baseboard management controllers — which have been embedded in most HP servers for the last decade — users who want to patch may have problems locating the fixes on HP's website.

Fabien Périgaud of Synacktiv, along with Alexandre Gazet of Airbus and independent researcher Joffrey Czarny, discovered a critical vulnerability in the BMC, the details of which they released in a paper presented at the SSTIC Symposium in Rennes in mid-June.

Périgaud told iTWire in response to queries that HP had released patches along with a security bulletin for the flaws a year ago.

"However, we think that companies do not often have a patch management process for their BMC, and deploying patches is not as simple as it is for classical software," he said.

"Regarding the patches availability, it seems that HPE does not require a specific subscription to download them. The main difficulty might be to find the correct links on HP website :)."

The exploit is carried out through HPE Integrated Lights-Out (iLO), the server management solution which has the features that a sysadmin needs to remotely manage a server. iLO4, which is used on servers belonging to the HP ProLiant Gen8 and ProLiant Gen9 lines, runs on a dedicated ARM processor that is totally independent from the main processor.

Périgaud, Gazet and Czarny said they had done a deep dive security study of HP iLO4 and looked at:

  • Firmware unpacking and memory layout;
  • Embedded OS internals;
  • Vulnerability discovery and exploitation; and
  • Full compromise of the host server operating system through DMA.

The researchers said they had found the vulnerability in question during this research; it existed in the web server component and permitted an authentication bypass and also remote code execution.

Given that the question whether iLO systems could withstand a long-term compromise at the firmware level was unanswered, the trio took a hard look at the updating mechanism and how a motivated attacker could gain access to, and remain in, the system over an extended period.

The BMC is a standalone system and has the following components:

  • Dedicated ARM processor: GLP/Sabine architecture
  • Firmware stored on a NAND flash chip
  • Dedicated RAM chip
  • Dedicated network interface
  • Full operating system and applicative image, running as soon as the server is powered.

iLO is connected directly to the PCI-Express bus.

The three researchers spent about five man-months analysing the file format of a firmware update, extracting its components, carrying out kernel integrity analysis, understanding the memory layout of the userland modules — the equivalent of processes — and analysing the Web administration interface.

They found a way to bypass authentication and achieve remote code execution, which was fixed in iLO 2.53 and 2.54, and were able to carry out a full server compromise by running arbitrary code in the context of the Web server.
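A fleet check for the fixed releases named above, as an added example that is not from the article or from HPE. It assumes BMC firmware strings have been collected (for instance from the Redfish Manager resource's `FirmwareVersion` property) in the form `iLO 4 v2.50`, and that 2.53 is the minimum fixed iLO 4 release; the host names and inventory are constructed.

```python
import json
import re

# Assumption: the article says the flaw "was fixed in iLO 2.53 and 2.54";
# the lower of the two is treated here as the minimum fixed iLO 4 release.
MIN_FIXED_ILO4 = (2, 53)

# Assumed firmware string shape, e.g. "iLO 4 v2.50" (two-digit minor version).
FW_PATTERN = re.compile(r"iLO\s*(\d+)\s+v?(\d+)\.(\d+)")


def classify(manager_doc):
    """Return 'vulnerable', 'patched', 'not-ilo4' or 'unknown' for one BMC record."""
    fw = manager_doc.get("FirmwareVersion")
    if not isinstance(fw, str):
        return "unknown"  # field missing: cannot be cleared, must be followed up
    match = FW_PATTERN.search(fw)
    if not match:
        return "unknown"
    generation, major, minor = (int(g) for g in match.groups())
    if generation != 4:
        return "not-ilo4"  # outside what the article covers, not a verdict of "safe"
    return "patched" if (major, minor) >= MIN_FIXED_ILO4 else "vulnerable"


def audit(inventory):
    """Map each BMC host name to its classification."""
    return {host: classify(doc) for host, doc in inventory.items()}


def needs_attention(inventory):
    """Hosts that are below the fixed release or could not be assessed."""
    result = audit(inventory)
    return sorted(h for h, state in result.items() if state in ("vulnerable", "unknown"))


# Constructed sample inventory (hypothetical host names and versions).
SAMPLE = json.loads("""
{
  "db01-ilo":  {"FirmwareVersion": "iLO 4 v2.50"},
  "db02-ilo":  {"FirmwareVersion": "iLO 4 v2.54"},
  "web01-ilo": {"FirmwareVersion": "iLO 4 v2.53"},
  "app01-ilo": {"FirmwareVersion": "iLO 5 v1.20"},
  "old01-ilo": {"Model": "record without firmware field"}
}
""")

if __name__ == "__main__":
    for host in needs_attention(SAMPLE):
        print(f"{host}: {audit(SAMPLE)[host]}")
```

Records that cannot be parsed are reported alongside the vulnerable ones, since a BMC with no known firmware version is exactly the gap in patch management that Périgaud describes.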

Their objective was to achieve permanent compromise, survive the re-installation of the host and remain below the radar; hence they came up with the idea of backdooring the iLO firmware.

They found that though firmware updates were signed and their integrity checked during the update process and at boot time, there was no hardware root of trust.

The trio found a service that they could invoke through the injection of shellcode into the Web server and directly overwrite the firmware in flash memory. This meant they could bypass the firmware's dynamic integrity check.

The full process they outlined was: full extraction of the firmware update; patching the bootloader; patching the kernel; addition of a backdoor; rebuilding the firmware update; and flashing the firmware.

Their recent talk is here, a detailed paper is here and HP's advisory is here. A toolbox for HPE iLO4 analysis can be downloaded here.

Sam Varghese

Sam Varghese has been writing for iTWire since 2006, a year after the site came into existence. For nearly a decade thereafter, he wrote mostly about free and open source software, based on his own use of this genre of software. Since May 2016, he has been writing across many areas of technology. He has been a journalist for nearly 40 years in India (Indian Express and Deccan Herald), the UAE (Khaleej Times) and Australia (Daily Commercial News (now defunct) and The Age). His personal blog is titled Irregular Expression.
