DIVD-2021-00039 - HP iLO
|Case lead||Victor Gevers|
|Versions||iLO4 and earlier versions used on HP servers.|
|Recommendation||Update the iLO firmware version to the latest official release from HP|
|Patch status||latest patch 2.79|
|Last modified||08 Dec 2022 16:28|
The rootkit name, iLOBleed, is based on the malware module Implant.ARM.iLOBleed.a discovered in the iLO firmware. This is the first known discovery of an iLO rootkit.
The attackers discreetly prevented firmware updates by simulating a fake upgrade process on the web UI. The attackers failed to use the latest UI image.
What iLO Versions and Servers are at Risk?
- iLO4 and earlier versions used on HP ProLiant servers.
- The latest iLO version can be downgraded and therefore are vulnerable too.
- The latest G10 series must have non-default setting (firmware downgrade prevention), otherwise it is possible to downgrade the firmware. The firmware downgrade prevention mechanism is not available for servers prior to G10.
What you can do
- Do not connect the iLO network interface to the operating network and implement a completely separate network.
- Periodically update the iLO firmware version to the latest official release from HP.
- Perform iLO security settings on HP servers, and disable downgrade for G10 servers. Use defense-in-depth strategies to reduce risk and detect intrusions before reaching the iLO.
- Multiple security firms are working on a iLO Scanner tool for periodically scan to detect potential vulnerabilities, malware and backdoors in the current version of the iLO firmware.
What we are doing
We are scanning the internet for vulnerable servers, and will notify system owners via the listed abuse contacts.
|28 Dec 2021||AmnPardaz reported about the vulnerability.|
|31 Dec 2021||DIVD starts OSINT research.|
|01 Jan 2022||DIVD starts scanning the internet for open iLO instances.|
|02 Jan 2022||DIVD starts with identifying owners.|
|07 Jan 2022||DIVD sent out a first batch of notifications.|
|15 Feb 2022||DIVD start rescan.|
|15 Feb 2022||DIVD sent out a second batch of notifications.|
|09 Mar 2022||After two rounds of notifications this case ends here for us.|