- #Latest ilo 2 firmware install#
- #Latest ilo 2 firmware update#
- #Latest ilo 2 firmware upgrade#
- #Latest ilo 2 firmware software#
#Latest ilo 2 firmware install#
The attacker could just as easily steal data, install additional payloads, control the server in any way, or disable it entirely. "iLOBleed has demonstrated the ability to use the BMC to wipe the disks of a server. "Attackers can abuse these capabilities in a variety of ways," the Eclypsium researchers said.
On Gen10 it is possible to prevent downgrade attacks by enabling a firmware setting, but this is not turned on by default and not possible on older generations. If the server's iLO firmware has no known vulnerabilities, it is possible to downgrade the firmware to a vulnerable version. It's also worth noting that infecting the iLO firmware is possible if an attacker gains root (administrator) privileges to the host operating system since this allows flashing the firmware.
#Latest ilo 2 firmware update#
If it doesn't, it means that the update was prevented, even if the firmware reports the latest version. For example, the login screen in the latest available version should look slightly different. However, there are ways to tell that the firmware was not upgraded.
#Latest ilo 2 firmware upgrade#
Once installed, the rootkit also blocks attempts to upgrade the firmware and reports back that the newer version was installed successfully to trick administrators. It is believed to exploit known vulnerabilities such as CVE-2018-7078 and CVE-2018-7113 to inject new malicious modules into the iLO firmware that add disk wiping functionality.
The iLOBleed implant is suspected to be the creation of an advanced persistent threat (APT) group and has been used since at least 2020.
#Latest ilo 2 firmware software#
Admins can use iLO to turn the server on and off, tweak various hardware and firmware settings, access the system console, reinstall the main operating system by attaching a CD/DVD image remotely, monitoring hardware and software sensors and even deploy BIOS/UEFI updates. Like all BMCs, HPE iLO is essentially a small computer designed to control a larger computer - the server itself.Īdministrators can access iLO through a web-based administration panel that's served through the BMC's dedicated network port, or via tools that talk with the BMC over the standardized Intelligent Platform Management Interface (IPMI) protocol. Its firmware includes a dedicated operating system that runs independently of the server's main operating system. It's implemented as an ARM chip that has its own dedicated network controller, RAM and flash storage. HPE's iLO technology has existed in HPE servers for over 15 years. Ultimately, this creates a challenge for enterprises in which there are many vulnerable systems, very high impacts in the case of an attack, and adversaries actively exploiting the devices in the wild." The iLOBleed implant Supply chain issues can still exist even after deployment due to vulnerable updates or if adversaries are able to compromise a vendor’s update process. "Vulnerabilities and misconfigurations can be introduced early in the supply chain before an organization ever takes ownership of a server. "BMC vulnerabilities are also incredibly common and often overlooked when it comes to updates," the Eclypsium researchers said in a new blog post following the iLOBleed reports.
It's safe to say that across all server vendors, the number of BMC interfaces that can be attacked from the internet is in the tens or hundreds of thousands. When other vulnerabilities were found in the BMC implementation of Supermicro servers in 2019, more than 47,000 publicly exposed Supermicro BMCs from over 90 different countries were exposed. One recent example is iLOBleed, a malicious BMC implant found in the wild by an Iranian cybersecurity company that targets Hewlett Packard Enterprise (HPE) Gen8 and Gen9 servers, but this is not the only such attack found over the years.Īccording to an analysis by firmware security firm Eclypsium, 7,799 HPE iLO (HPE's Integrated Lights-Out) server BMCs are exposed to the internet and most do not appear to be running the latest version of the firmware. Over the years, security researchers have found and demonstrated vulnerabilities in the BMC implementations of different server manufacturers and attackers have taken advantage of some of them. These are known as baseboard management controllers (BMCs) and if they're not secured properly, they can open the door to highly persistent and hard-to-detect rootkits. All server manufacturers provide this functionality in firmware through a set of chips that run independent of the rest of the server and OS. Having the ability to remotely manage and monitor servers even when their main operating system becomes unresponsive is vital to enterprise IT administrators.