![]() A toolbox for HPE iLO4 analysis can be downloaded here. Their recent talk is here, a detailed paper is here and HP's advisory is here. The full process they outlined was: full extraction of the firmware update patching the bootloader patching the kernel addition of a backdoor rebuilding the firmware update ![]() This mean they could bypass the firmware s dynamic integrity check. The trio found a service that they could invoke through the injection of shellcode into the Web server and directly overwrite the firmware in flash memory. They found that though firmware updates were signed and its integrity checked during the update process and at boot time, there was no hardware root of trust. Their objective was to achieve permanent compromise, survive the re-installation of the host and remain below the radar hence they came up with the idea of backdooring the iLO firmware. The flaw affects HP iLO 4 servers running firmware version prior to 2.53. They found a means of bypassing authentication and remote code execution which was fixed in iLO 2.53 and 2.54 and were able to implement a full server compromise by running arbitrary code in the context of the Web server. The good news is that HP addressed the flaw in August 2017 with the release of the iLO 4 firmware version 2.54, for this reason, system administrators need to upgrade their servers. The three researchers took about five man-months to study the file format analysis for a firmware update, extract its components, carry out kernel integrity analysis, understand the memory layout of the userland modules - the equivalent of processes - and analyse the Web administration interface. ILO is connected directly to the PCI-Express bus. Full operating system and applicative image, running as soon as the server is powered.Dedicated ARM processor: GLP/Sabine architecture.The BMC is a standalone system and has the following components: Given that the question whether iLO systems could withstand a long-term compromise at the firmware level was unanswered, the trio took a hard look at the updating mechanism and how a motivated attacker could gain access to, and remain in, the system over an extended period. The researchers said they had found the vulnerability in question during this research it existed in the web server component and permitted an authentication bypass and also remote code execution. Full compromise of the host server operating system through DMA.Vulnerability discovery and exploitation and.PĂ©rigaud, Gazet and Czarny said they had done a deep dive security study of HP iLO4 and looked at: iLO4, which is used on servers belonging to the HP ProLiant Gen8 and ProLiant Gen9 lines, runs on a dedicated ARM processor that is totally independent from the main processor. The exploit is carried out through HPE Integrated Lights-out (iLO), the server management solution which has the features that a sysadmin needs to remotely manage a server. The main difficulty might be to find the correct links on HP website :)." "Regarding the patches availability, it seems that HPE does not require a specific subscription to download them.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |