Slashdot Mirror


Critical Bug Last Year Allowed Bypassing Authentication On HPE ILO4 Servers With 29 'A' Characters (bleepingcomputer.com)

Public exploit code has been published for a severe vulnerability which last year affected Hewlett Packard Integrated Lights-Out 4 (HP iLO 4), a tool for remotely managing the company's servers.

HPE "silently released" patches last August, an anonymous reader reports, adding "details only emerged this spring after researchers started presenting their work at security conferences." The vulnerability is an authentication bypass that allows attackers access to HP iLO consoles. Researchers say this access can later be used to extract cleartext passwords, execute malicious code, and even replace iLO firmware. But besides being a remotely exploitable flaw, this vulnerability is also as easy as it gets when it comes to exploitation, requiring a cURL request and 29 letter "A" characters, as below:

curl -H "Connection: AAAAAAAAAAAAAAAAAAAAAAAAAAAAA"

Because of its simplicity and remote exploitation factor, the vulnerability — tracked as CVE-2017-12542 — received a severity score of 9.8 out of 10.

59 comments

  1. Cleartext passwords by 110010001000 · · Score: 1

    How can you extract cleartext passwords? Unless...finish this sentence...

    1. Re:Cleartext passwords by sjames · · Score: 4, Informative

      They used a shellcode exploit to return the contents of a file on the ILO processor that has the passwords in cleartext! They didn't publish that as far as I can see, but there is a published python program to add a new user with admin privileges and a password of your choice.

      Bad HP! Go stand in the corner.

      Is it just me or have HP servers been a bit flaky for the last 5 years or so?

    2. Re:Cleartext passwords by Anonymous Coward · · Score: 0

      The real question is who has their management consoles internet facing?

    3. Re: Cleartext passwords by Anonymous Coward · · Score: 0

      Most?

    4. Re: Cleartext passwords by Anonymous Coward · · Score: 0

      People who couldn't be saved even if this exploit didn't exist.

    5. Re: Cleartext passwords by Joe_Dragon · · Score: 1

      must be nice to have that many IPV4 addresses.

    6. Re:Cleartext passwords by Junta · · Score: 4, Informative

      The password is used directly as a shared secret for HMAC in IPMI. Therefore to support the ipmi protocol, the server must be able to know the plaintext of the password to a) prove to the client that they know the secret and b) to validate the HMAC sent by the client.

      Another potentially tricky one is SNMP. It's a shared secret, but at least you can localize the key. Of course it is localized to an snmp engine id, so while you may not directly have the cleartext password, you can spoof a matching snmp engine id to use the localized key as if you knew the password, at least to impersonate an snmp agent.

      Even on the TLS side of things, in practice things are not rosy because the vast majority of this class of devices have a self-signed cert, with all automation disabling cert validation and all users blindly clicked 'continue' at the warnings (there's no harsher message for "we have a conflicting stored cert" than "this is a self signed cert we haven't seen before")

      --
      XML is like violence. If it doesn't solve the problem, use more.
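
The two shared-secret designs Junta contrasts, as an added example (not code from this thread, from HPE, or from any IPMI or SNMP implementation): an IPMI-style exchange keys the HMAC directly with the password, so the BMC must hold it in cleartext, whereas SNMPv3 USM derives a key from the password and then localizes it to the agent's engine ID (RFC 3414 Appendix A.2), so the agent stores only the localized key. The IPMI "session material" is a constructed stand-in, not the real RAKP message layout; the second engine ID is constructed too.

```python
import hashlib
import hmac

# Added example (not code from the Slashdot thread, HPE, or any IPMI/SNMP
# implementation). Contrasts the two shared-secret designs described above:
# IPMI, where the password itself is the HMAC key, versus SNMPv3 USM, where the
# agent stores only a key localized to its engine ID (RFC 3414 Appendix A.2).
# The IPMI "session material" is a constructed stand-in, not the RAKP layout.


def ipmi_style_proof(password: bytes, session_material: bytes) -> bytes:
    """HMAC a peer sends to prove it knows the password.
    Because the password is the key, both client and BMC need it in cleartext."""
    return hmac.new(password, session_material, hashlib.sha1).digest()


def ipmi_style_verify(stored_password: bytes, session_material: bytes, proof: bytes) -> bool:
    """Server side: recompute with the stored cleartext password and compare."""
    expected = ipmi_style_proof(stored_password, session_material)
    return hmac.compare_digest(expected, proof)


def snmp_password_to_key(password: bytes, hash_name: str = "sha1") -> bytes:
    """RFC 3414 A.2 password-to-key: hash 1,048,576 octets of the password repeated."""
    if not password:
        raise ValueError("empty password")
    total = 1_048_576
    repeated = (password * (total // len(password) + 1))[:total]
    return hashlib.new(hash_name, repeated).digest()


def snmp_localize(ku: bytes, engine_id: bytes, hash_name: str = "sha1") -> bytes:
    """RFC 3414 A.2 localization: Kul = H(Ku || snmpEngineID || Ku).
    The agent needs only Kul at rest, never the password or Ku."""
    return hashlib.new(hash_name, ku + engine_id + ku).digest()


def snmp_localized_key(password: bytes, engine_id: bytes, hash_name: str = "sha1") -> bytes:
    return snmp_localize(snmp_password_to_key(password, hash_name), engine_id, hash_name)


def secrets_at_rest(password: bytes, engine_ids: list) -> dict:
    """What each design forces the device to store for one user password."""
    return {
        "ipmi_bmc_stores": password,  # cleartext, by protocol design
        "snmp_agents_store": {eid.hex(): snmp_localized_key(password, eid) for eid in engine_ids},
    }


if __name__ == "__main__":
    # RFC 3414 A.3.2 test vector: password "maplesyrup", engine ID 00..00 02
    engine_a = bytes(11) + b"\x02"
    engine_b = bytes(11) + b"\x03"  # constructed second engine ID
    print("Ku :", snmp_password_to_key(b"maplesyrup").hex())
    print("Kul:", snmp_localized_key(b"maplesyrup", engine_a).hex())
    at_rest = secrets_at_rest(b"maplesyrup", [engine_a, engine_b])
    print("IPMI BMC must store:", at_rest["ipmi_bmc_stores"])
    for eid, kul in at_rest["snmp_agents_store"].items():
        print("SNMP agent", eid, "stores:", kul.hex())
```

Running it shows the asymmetry: the IPMI side has nothing it can store other than the password itself, which is why a file read on the BMC can yield cleartext credentials, while each SNMP agent holds a key that differs per engine ID. The caveat Junta raises still applies: a localized key leaked from one agent authenticates toward that engine ID, so localization limits the blast radius rather than removing the shared-secret problem.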
    7. Re:Cleartext passwords by 110010001000 · · Score: 0

      Wow. Welcome to 1980.

    8. Re: Cleartext passwords by Junta · · Score: 1

      No matter your vendor, this is a dumb idea. Any 'firmware' or "appliance" should not be easily/directly on the internet.

      First you have the problem that even 'reputable' companies lag far far behind the likes of Microsoft, RedHat, and such in changes. Even if they have the will and the resources, the security researchers go to other companies first and put them under embargo.

      Second, no one keeps their firmware up to date, even if there exists firmware that does have all the fixes. The really fun part, companies that *do* routinely upgrade firmware get bitten when the vendor breaks them, and does so without a good rollback facility (after all, "downgrades" are a security risk, so a key change with a firmware update that *also* happens to be bad for your configuration, well sucks to be you).

      --
      XML is like violence. If it doesn't solve the problem, use more.
    9. Re:Cleartext passwords by Anonymous Coward · · Score: 0

      probably outsourced software put into outsourced hardware by the lowest bidders in china and unaudited by hp themselves (not that they could actually guarantee that 100% of the code in hardware made in china is actually hp and not tainted by bad actors).

    10. Re:Cleartext passwords by Junta · · Score: 1

      Interestingly enough, IPMI's current auth design was done in 2004. Somehow despite being at least two years after SNMP proved someone was thinking about how to derive a shared secret without using it directly.

      Somehow despite SRP being a well known thing that would neatly slot into IPMI, no one has bothered to amend the IPMI spec to remove the need for the server to know the password, and also to amend the poor decision for the server to send HMAC first.

      --
      XML is like violence. If it doesn't solve the problem, use more.
    11. Re:Cleartext passwords by Anonymous Coward · · Score: 0

      This is not a vulnerability. Just an NSA password to get into your servers.

    12. Re: Cleartext passwords by Anonymous Coward · · Score: 0

      I'd have that shit behind a VPN at the minimum.

    13. Re:Cleartext passwords by sjames · · Score: 2

      Agreed, that's a very bad idea, but not a prerequisite for the flaw to be a problem. It might also be a non-routed address but another machine in the same LAN segment gets compromised and used as a jumping off point, for example.

    14. Re: Cleartext passwords by hjf · · Score: 2

      the other day I bought an IBM M1015 SAS RAID card. I flashed it to be a LSI9211 (no RAID, just SAS). It wouldn't work unless I flashed a specific firmware version with a specific option rom BIOS version.
      "Brand name" BIOS and firmware are horribly buggy compared to "just works" regular PC BIOS.

    15. Re: Cleartext passwords by scottragen · · Score: 1

      Second, no one keeps their firmware up to date, even if there exists firmware that does have all the fixes. The really fun part, companies that *do* routinely upgrade firmware get bitten when the vendor breaks them, and does so without a good rollback facility (after all, "downgrades" are a security risk, so a key change with a firmware update that *also* happens to be bad for your configuration, well sucks to be you).

      Good example, I worked for a company that upgraded their HP branded Xenserver servers ILO firmware. When the servers rebooted it'd cause a kernel panic, nothing worked due to a bug in ILO or kernel module. Once we disabled the kernel module it booted again.

    16. Re: Cleartext passwords by Anonymous Coward · · Score: 0

      There's been a lot of speculation about who's been shitting behind the VPN. Your data centre access has been revoked.

    17. Re: Cleartext passwords by Anonymous Coward · · Score: 0

      Wouldn't it be NSAAAAAAAAAAAAAAAAAAAAAAAAAAAAA in that case.

      Stupid filter won't allow that many caps...

    18. Re:Cleartext passwords by Anonymous Coward · · Score: 0

      Nope - not just you. Their hardware has been going downhill for awhile along with their support. Used to love their hardware and fast turnaround on support requests, but Dell seems to have caught and surpassed them in both categories (at least in my experience).

    19. Re: Cleartext passwords by Anonymous Coward · · Score: 0

      Or have a competent network guy set up a V-LAN that only administrator workstations can work over. Our paranoid topology and firewall people did that and we had no issues managing our ILO and backup interfaces as the V-LAN was firewalled off from the rest of the Planet.

    20. Re: Cleartext passwords by Anonymous Coward · · Score: 0

      you must not have heard of NAT.. check it out, it's really good.

  2. How can this... by Anonymous Coward · · Score: 0

    ...not be on purpose

  3. This is what happens by dgatwood · · Score: 4, Funny

    ... when your network infrastructure was certified secure by the Fonz.

    Aaaaaaaaaaaaaaaaaaaay.

    --

    Check out my sci-fi/humor trilogy at PatriotsBooks.

    1. Re:This is what happens by Anonymous Coward · · Score: 0

      It's ALMOST like somebody made a deliberate backdoor

    2. Re: This is what happens by Anonymous Coward · · Score: 0

      Is it safe to say, dell jumped the shark? ::ducks::

    3. Re:This is what happens by Julz · · Score: 1

      Of course this has been fixed in Redfish (https://sourceforge.net/p/redfish-lab/wiki/Getting-started-with-the-iLO5-Redfish-API/) right?

      "redfish-lab
      Get started with the Redfish RESTful API from the DMTF
      Brought to you by: fdonze"

      Remove the "d" and you get "fonze". How's that for coincidence ;)

      --
      When shit hits the fan get some of these https://youtu.be/pY-GncsZ-UE
    4. Re: This is what happens by Anonymous Coward · · Score: 0

      Last time I looked, Dell does not make HP Servers with ILO.

      Dumbass.

  4. Programmers think about making things work right by raymorris · · Score: 4, Insightful

    You may have heard the phrase "garbage in, garbage out".
    That's how programmers used to think. They design and test code to make it work right, when the user uses it right, of course. If the user mashes keys at random, random things might happen. That used to be an okay way of thinking.

    The internet has changed that. Now the user (connecting over the internet) WILL mash keys at random. Well, their script will send random bytes. It's no longer okay for software to respond in random ways when it receives random input. Any software accessible via the network MUST be designed thinking about how things can go wrong, not just about how it should work correctly.

    Many programmers, especially those who learned writing desktop applications, still think in terms of the program doing the right thing when it receives sane input. Insane input isn't handled securely. The programmers who wrote the ilo software made this mistake.

    Specifically, the input is up to 16 characters long, so they failed to handle the case of very long input. Network software should be tested with these inputs, at least:

    Empty input
    Zero
    The null character (ASCII 0)
    Very long input
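
The four input classes listed above, run through a small header-value parser written the way the comment argues network-facing code should be: an added example, not code from the thread or from HPE. It assumes the value must be a single HTTP token (the RFC 7230 tchar set, which covers "close" and "keep-alive"; comma-separated lists are out of scope here), and MAX_HEADER_VALUE is a constructed limit mirroring the "up to 16 characters" design the comment describes. The point is that over-long input is rejected outright rather than copied into a fixed-size buffer or silently truncated, and that empty, zero and NUL input each get a defined outcome.

```python
import re

# Added example (not code from the thread or from HPE). A header-value parser
# that decides what to do with empty, zero, NUL-containing and over-long input
# instead of assuming sane input. MAX_HEADER_VALUE is a constructed limit
# mirroring the "up to 16 characters" design the comment describes.

MAX_HEADER_VALUE = 16

# Assumption for this example: the value must be a single HTTP token
# (the RFC 7230 tchar set), which covers "close" and "keep-alive".
TOKEN_RE = re.compile(rb"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")


def parse_connection_value(raw: bytes):
    """Return (status, value). Status is 'ok', 'empty', 'too_long' or 'bad_char'.
    Over-long input is rejected outright rather than copied into a fixed-size
    buffer or silently truncated."""
    if not raw:
        return ("empty", None)
    if len(raw) > MAX_HEADER_VALUE:
        return ("too_long", None)
    if b"\x00" in raw or not TOKEN_RE.match(raw):
        return ("bad_char", None)
    return ("ok", raw.lower())


# The four input classes from the comment, plus two ordinary values; all constructed.
CASES = {
    "empty": b"",
    "zero": b"0",
    "nul": b"\x00",
    "very_long": b"A" * 29,
    "keep_alive": b"keep-alive",
    "close": b"close",
}


def run_cases(cases=CASES) -> dict:
    """Run every case through the parser and collect the resulting status."""
    return {name: parse_connection_value(raw)[0] for name, raw in cases.items()}


if __name__ == "__main__":
    for name, status in run_cases().items():
        print(f"{name:10s} -> {status}")
```

The length check runs before any character inspection, so the parser never touches more bytes than it has decided to accept; that ordering is the habit the comment is asking for, independent of language or memory model.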

  5. We seek the Grail by Anonymous Coward · · Score: 0

    He who is valiant and pure of spirit may find the Holy Grail in the Castle of ...

  6. What would be a 10? by Drakster · · Score: 1

    received a severity score of 9.8 out of 10

    What would be a ten? No authentication at all?

    1. Re:What would be a 10? by hcs_$reboot · · Score: 1

      Sony infrastructure?

      --
      Slashdot, fix the reply notifications... You won't get away with it...
    2. Re:What would be a 10? by Anonymous Coward · · Score: 0

      What would be a ten? No authentication at all?

      From the legend linked on the page it looks like a 10 would be if the Scope went from Unchanged to Changed. So I guess since it isn't a sandbox escape or doesn't give you higher privileges it's not a 10.

    3. Re:What would be a 10? by king+neckbeard · · Score: 1

      Less than 15 'A' characters.

      --
      This is my signature. There are many like it, but this one is mine.
    4. Re:What would be a 10? by Spamalope · · Score: 1

      You have to pay for a support contract to get the fix for the security manufacturing defect? Wait, this should be a 10 shouldn't it?

  7. Thanks Carly by Gojira+Shipi-Taro · · Score: 0

    HP has been garbage since Carly Fiorino was running the place. Why anyone would do business with them at this point is beyond me.

    --
    "Oh my God. This is terrible. This is the end of my Presidency. I'm fucked."; ~ Donald J. Trump
  8. The Next Step by dohzer · · Score: 1

    This is great research! Have they tried "AAAAAAAAAAAAAAAAAAAAAAAAAAAAB" yet?

  9. understandable by cascadingstylesheet · · Score: 2

    "Nobody would ever think to type 'A' 29 times!!

    1. Re:understandable by CustomSolvers2 · · Score: 1

      Perhaps this is just one of the possible scenarios and it might even be not as straightforward as it seems (addition of the ASCII codes associated with the characters within certain range + over a given length + ...?), but the probability of anyone typing "A" 29 times in this or any other context is actually tremendously low.

      Purely speaking, the probability of typing this or any other string of that length is identical. By assuming that the target length is unknown, I could even say that the chances of typing that string or other one of almost any length are quite similar. On the other hand, people are more likely to prefer something like "aaaa" before "a1eb}" and, for that reason, a more variable set of characters might have been a bit tougher. In any case, it seems very curious that someone was able to find that "bug" with no previous knowledge (?).

      --
      Custom Solvers 2.0 = Alvaro Carballo Garcia = varocarbas.
    2. Re: understandable by Anonymous Coward · · Score: 0

      Umm, it's a standard fuzzing technique; it does not have to be As, you can use any character or pattern. Step one is feed in a long input. If it crashes you try to run with a debugger attached and you see what memory got overwritten with your pattern. Now you look at the code around it and try to come up with something that will do something useful. If you can't attach a debugger usually you switch from As to NOPs followed by some shell code and hope the thing runs into it eventually and there is enough memory overwritten to hold your code.

    3. Re: understandable by CustomSolvers2 · · Score: 1

      OK. But the number of potential combinations is still tremendously big and further information seems required. Just knowing that the given piece of software is probably buggy (= very valuable information) doesn't even seem enough. An automated approach trying every possible combination of characters up to 28 As would take really long.

      --
      Custom Solvers 2.0 = Alvaro Carballo Garcia = varocarbas.
    4. Re: understandable by CustomSolvers2 · · Score: 1

      Sorry for my previous comment, I wrote it without properly reading yours. So, you are saying that the whole point here is the length of the input string? This bug was provoked because of not having properly sanitised the inputs even at their most basic level, by checking their lengths? That makes a bit more sense than checking all the possible combinations of characters, but it is still a quite relevant work without further information (i.e., doing it with every existing piece of software).

      --
      Custom Solvers 2.0 = Alvaro Carballo Garcia = varocarbas.
  10. This one isn't actually Carly's fault by Anonymous Coward · · Score: 0

    Because everybody else makes nigh-indistinguishable crap that is prone to the exact same problems.

    IMO the entire concept of "take peecee that assumes a person is in front at all times, then bolt on ever-more sophisticatedly polished turds to fake the presence of a human", starting with the compaq era keyboard faking plug, KVMs, IPKVMs, built-in IPKVMs with various names, and so on, is Broken As Designed.

    Mind that the rot spread not just to iLOs but seeped into southbridges and onward, with intel's iME and AMD's SPS. Those are both vulnerable to this sort of thing too, and their problems tend to get already high yet still underrated severity labels.

    It's why Real Servers Are Headless. There aren't any of those to be had these days. Haven't seen any on offer for a long, long time, in fact. Keep all the vulnerable crap entirely out of the box and do the management over a simple serial connection. The peecee just can't do it, but Real Servers could. Add a multiport serial server to your rack full of servers and voila, uniform management by ssh. Add a gui to the serial server box if you must. But not to individual boxes as a backdoor, never on that scale. Compare, contrast, and conclude again that the entire concept for peecee-as-server management is utterly broken.

    Carly was a watershed moment, but the rot was in there from the beginning, built right into the minds of everyone who thought using peecees as servers was a good idea. So for this particular thing, you can't really blame Carly actually. However much blame she deserves for everything she did otherwise.

    1. Re:This one isn't actually Carly's fault by Anonymous Coward · · Score: 0

      The last time I was able to get into an ILO board it was over a dedicated line that had a temporary certificate attached.

      I was never able to get to the ILO board from the systems console except during the setup period with the servers. (At a job where it was my responsibility to take the hardware components out of the box, put the components in the chassis and load the standard image). Availability to get to the console was only available from a Boot CD where the OS loaded onto the disk drive was totally bypassed. The Use of ILO was limited to a few people with access or else it was used over the network to access the installed OS where we had unique Administrator logon controlled by corporate.

  11. Putting the A by AHuxley · · Score: 1

    in NSA Got to collect on it all.
    The A in DEA
    The A in other Agency.
    So safe even the buddy system contractors can use it.

    --
    Domestic spying is now "Benign Information Gathering"
    1. Re: Putting the A by Anonymous Coward · · Score: 0

      Commiserations on your team being knocked out of the World Cup.

      Novichoks all round! Volodya's buying!

  12. Re:Programmers think about making things work righ by Anonymous Coward · · Score: 0

    Computing 101

    Code reviews have long been abolished.
    Only OpenBSD states what their code passes. Apparently commercial OS's are to catch up.
    Checking string lengths should have been fixed since windows NT 3.1 came out.
    Who checks function call return codes, or return codes after a data retrieval call?

    I believe HP sells code checking software - apparently they do not use it on their own code. Nuff said.

  13. obligatory Duckman by Anonymous Coward · · Score: 0
  14. Also affects iLO 5 prior to v1.30 by tokengeekgrrl · · Score: 1

    Once I saw that the latest version is iLO 5, I figured it had to be vulnerable to the same exploit as iLO 4 and sure enough:

    https://support.hpe.com/hpsc/d...

    "A security vulnerability in HPE Integrated Lights-Out 4, 5 (iLO 4 prior to v2.60, and iLO 5 prior to v1.30) could be remotely or locally exploited by an Administrative user to allow remote or local code execution."

  15. Dumb implementation if this is a problem by Guyle · · Score: 1

    If you're stupid enough to make your iLO connection directly publicly accessible and not secured behind a VPN or bastion server then you deserve to get pwned by whatever exploit comes your way. I will never understand why anyone would put an interface that is historically the weakest link out there where anyone can basically have console access to your hardware.

  16. Re:Trump is a traitor though, so this is peanuts. by Highdude702 · · Score: 1

    They sure picked the name right. They do a whole hell of a lot of huffing and puffing.

  17. Wiki entry by kriston · · Score: 1
    --

    Kriston

  18. Spaceballs by Anonymous Coward · · Score: 0

    Well at least the secret passcode isn't "12345".

    https://www.youtube.com/watch?v=a6iW-8xPw3k