Slashdot Mirror
Critical Bug Last Year Allowed Bypassing Authentication On HPE ILO4 Servers With 29 'A' Characters (bleepingcomputer.com)
Public exploit code has been published for a severe vulnerability which last year affected Hewlett Packard Integrated Lights-Out 4 (HP iLO 4), a tool for remotely managing the company's servers.
HPE "silently released" patches last August, an anonymous reader reports, adding "details only emerged this spring after researchers started presenting their work at security conferences." The vulnerability is an authentication bypass that allows attackers access to HP iLO consoles. Researchers say this access can later be used to extract cleartext passwords, execute malicious code, and even replace iLO firmware. But besides being a remotely exploitable flaw, this vulnerability is also as easy as it gets when it comes to exploitation, requiring a cURL request and 29 letter "A" characters, as below:
curl -H "Connection: AAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
Because of its simplicity and remote exploitation factor, the vulnerability — tracked as CVE-2017-12542 — received a severity score of 9.8 out of 10.
HPE "silently released" patches last August, an anonymous reader reports, adding "details only emerged this spring after researchers started presenting their work at security conferences." The vulnerability is an authentication bypass that allows attackers access to HP iLO consoles. Researchers say this access can later be used to extract cleartext passwords, execute malicious code, and even replace iLO firmware. But besides being a remotely exploitable flaw, this vulnerability is also as easy as it gets when it comes to exploitation, requiring a cURL request and 29 letter "A" characters, as below:
curl -H "Connection: AAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
Because of its simplicity and remote exploitation factor, the vulnerability — tracked as CVE-2017-12542 — received a severity score of 9.8 out of 10.
They used a shellcode exploit to return the contents of a file on the ILO processor that has the passwords in cleartext! They didn't publish that as far as I can see, but there is a published python program to add a new user with admin privileges and a password of your choice.
Bad HP! Go stand in the corner.
Is it just me or have HP servers been a bit flaky for the last 5 years or so?
The password is used directly as a shared secret for HMAC in IPMI. Therefore to support the ipmi protocol, the server must be able to know the plaintext of the password to a) prove to the client that they know the secret and b) to validate the HMAC sent by the client.
Another potentially tricky one is SNMP. It's a shared secret, but at least you can localize the key. Of course it is localized to an snmp engine id, so while you may not directly have the cleartext password, you can spoof a matching snmp engine id to use the localized key as if you knew the password, at least to impersonate an snmp agent.
Even on the TLS side of things, in practice things are not rosy because the vast majority of this class of devices have a self-signed cert, with all automation disabling cert validation and all users blindly clicked 'continue' at the warnings (there's no harsher message for "we have a conflicting stored cert" than "this is a self signed cert we haven't seen before")
XML is like violence. If it doesn't solve the problem, use more.