You Can Bypass Authentication on HPE iLO4 Servers With 29 "A" Characters

Details and public exploit code have been published online for a severe vulnerability affecting Hewlett Packard Integrated Lights-Out 4 (HP iLO 4) servers.

HP iLO devices are extremely popular among small and large enterprises alike. iLO cards can be embedded in regular computers. They have a separate Ethernet network connection and run a proprietary embedded server management technology that provides out-of-band management features, allowing sysadmins to manage computers from afar.

iLO cards allow sysadmins to install firmware remotely, reset servers, provide access to a remote console, read logs, and more.

A vulnerability in iLO cards can be used to break into many companies' networks and possibly gain access to highly sensitive or proprietary information.

Stupid-simple exploit found in HP iLO4 servers

Last year, a trio of security researchers discovered such a vulnerability, which they say it can be exploited remotely, via an Internet connection, putting all iLO servers exposed online at risk.

The vulnerability is an authentication bypass that allows attackers access to HP iLO consoles. Researchers say this access can later be used to extract cleartext passwords, execute malicious code, and even replace iLO firmware.

But besides being a remotely exploitable flaw, this vulnerability is also as easy as it gets when it comes to exploitation, requiring a cURL request and 29 letter "A" characters, as below:

curl -H "Connection: AAAAAAAAAAAAAAAAAAAAAAAAAAAAA"

Researchers published two GIFs showing how easy is to bypass iLO authentication with their method, and how they were able to retrieve a local user's password in cleartext.

Because of its simplicity and remote exploitation factor, the vulnerability —tracked as CVE-2017-12542— has received a severity score of 9.8 out of 10.

Vulnerability patched last year

But iLO server owners don't need to panic. The security research team discovered this vulnerability way back in February 2017 and notified HP with the help of the CERT division at Airbus.

HP released patches for CVE-2017-12542 in August last year, in iLO 4 firmware version 2.54. System administrators who're in the habit of regularly patching servers are most likely protected against this bug for months.

The vulnerability affects all HP iLO 4 servers running firmware version 2.53 and before. Other iLO generations, like iLO 5, iLO 3, and more are not affected.

PoCs available online

In the past few months, the research team has been presenting their findings at security conferences, such as ReCon Brussels and SSTIC 2018.

The SSTIC 2018 talk is available here, although the team presented their findings in French. Slides and an in-depth research paper —in English— are also available.

Since their presentations, the security community has produced proof-of-concept exploits that can leverage CVE-2017-12452 to gain access to HP iLO 4 servers and add a new administrator account. PoCs are available here and here, and a Metasploit module is available here.

The research team that discovered this vulnerability is comprised of Fabien Périgaud from Synacktiv, Alexandre Gazet from Airbus, and independent security researcher Joffrey Czarny.

The vulnerability discovered by the three is somewhat similar to the infamous "press Backspace 28 times to bypass the Linux login screen" bug that affected several Linux distros that were using the Grub2 bootloader.