
DIVD-2021-00039 - HP iLO

Our reference: DIVD-2021-00039
Case lead: Victor Gevers
Author: Patrick Hulshof
Researcher(s):
CVE(s):
Product: HP iLO
Versions: iLO4 and earlier versions used on HP servers.
Recommendation: Update the iLO firmware version to the latest official release from HP
Patch status: latest patch 2.79
Status: Open
Last modified: 15 Feb 2022 17:07

Summary

The rootkit name, iLOBleed, is based on the malware module Implant.ARM.iLOBleed.a discovered in the iLO firmware. This is the first known discovery of an iLO rootkit.

The attackers discreetly prevented firmware updates by simulating a fake upgrade process on the web UI. The attackers failed to use the latest UI image.

What iLO Versions and Servers are at Risk?

What you can do

What we are doing

We are scanning the internet for vulnerable servers, and will notify system owners via the listed abuse contacts.

Timeline

Date Description
28 Dec 2021 AmnPardaz reported the vulnerability.
31 Dec 2021 DIVD starts OSINT research.
01 Jan 2022 DIVD starts scanning the internet for open iLO instances.
02 Jan 2022 DIVD starts with identifying owners.
07 Jan 2022 DIVD sent out a first batch of notifications.
15 Feb 2022 DIVD starts rescan.
15 Feb 2022 DIVD sent out a second batch of notifications.

More information