[Info-vax] HPE iLO CVE-2013-4786 updated: iLO vulnerable to brute-forcing
Stephen Hoffman
seaohveh at hoffmanlabs.invalid
Thu Feb 8 12:52:34 EST 2018
TL;DR: Protect your iLO LAN, and disable IPMI where possible.
This is an update to a previous security notice from 2014, adding
Superdome Flex RMC to the list of affected systems.
https://h20564.www2.hpe.com/hpsc/doc/public/display?docId=emr_na-c04197764
"A potential security vulnerability has been identified in HPE
Integrated Lights-Out 2, 3, 4 (iLO2, iLO3, iLO4) and HPE Superdome Flex
RMC. The vulnerability could be exploited to allow an attacker to gain
unauthorized privileges and unauthorized access to privileged
information."
While this hits most systems with an iLO when IPMI is enabled, no
information on whether this affects Integrity is included in the
posting.
"There is no resolution to this issue. The authentication process for
the IPMI 2.0 specification mandates that the server send a salted SHA1
or MD5 hash of the requested user's password to the client, prior to
the client authenticating. The BMC returns the password hash for any
valid user account requested. This password hash can be broken using an
offline brute force or dictionary attack. Because this functionality is
a key part of the IPMI 2.0 specification, there is no way to fix the
problem without deviating from the IPMI 2.0 specification."
HPE is recommending disabling iLO IPMI if it's not in use, and using an
isolated management network or VLAN when IPMI is necessary and is in
use.
ps: Do not use message digests as password hashes. Use Argon2 or
equivalent or better; use a modern password hash. Message digests are
not suitable for use as password hashes, as message digests are
intentionally very fast and very efficient to calculate, which means
they're more efficient for folks to try to brute-force. Do not use
SHA-0, SHA-1, SHA-2, SHA-3, MD4, MD5 nor Purdy Polynomial as a password
hash. Do use SHA-2 or SHA-3 as a message digest, and do not use SHA-1
or earlier, nor use MD5 or earlier. Older digest hashes are subject to
collision attacks.
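As an added illustration of the ps (my own example, not code from the post or from HPE), here is the difference between a salted message digest and a deliberately slow password hash in standard-library Python. Argon2 needs a third-party package, so scrypt from hashlib stands in for it; the work-factor parameters and the record format are assumptions.

```python
# Added example: salted digest (fast, what the post warns against) versus
# a slow, salted KDF (scrypt) with a self-describing storage record.
import hashlib
import hmac
import os
from typing import Optional

# Assumed work factors; raise SCRYPT_N as the hardware budget allows.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1
SALT_BYTES, KEY_BYTES = 16, 32


def digest_password(password: str, salt: bytes) -> str:
    """The pattern to avoid: salting does not help when the digest itself
    is fast, so each offline guess costs a single SHA-1 evaluation."""
    return hashlib.sha1(salt + password.encode()).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a record of the form scrypt$N$r$p$salt_hex$key_hex."""
    salt = os.urandom(SALT_BYTES) if salt is None else salt
    key = hashlib.scrypt(password.encode(), salt=salt, n=SCRYPT_N,
                         r=SCRYPT_R, p=SCRYPT_P, dklen=KEY_BYTES)
    return "$".join(["scrypt", str(SCRYPT_N), str(SCRYPT_R),
                     str(SCRYPT_P), salt.hex(), key.hex()])


def verify_password(password: str, record: str) -> bool:
    """Recompute the KDF with the parameters stored in the record and
    compare in constant time so a mismatch leaks nothing via timing."""
    parts = record.split("$")
    if len(parts) != 6 or parts[0] != "scrypt":
        return False
    _, n, r, p, salt_hex, key_hex = parts
    candidate = hashlib.scrypt(password.encode(),
                               salt=bytes.fromhex(salt_hex),
                               n=int(n), r=int(r), p=int(p),
                               dklen=len(key_hex) // 2)
    return hmac.compare_digest(candidate, bytes.fromhex(key_hex))


def needs_rehash(record: str) -> bool:
    """True when a stored record is weaker than current policy, so it can
    be upgraded transparently on the user's next successful login."""
    parts = record.split("$")
    if len(parts) != 6 or parts[0] != "scrypt":
        return True
    stored = (int(parts[1]), int(parts[2]), int(parts[3]))
    return stored < (SCRYPT_N, SCRYPT_R, SCRYPT_P)
```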
--
Pure Personal Opinion | HoffmanLabs LLC