Remote Maintenance: Critical Vulnerabilities in HPE Integrated Lights-Out (iLO)


Security flaws in HPE's Integrated Lights-Out remote management controller allowed attackers to inject malicious code. Updated firmware fixes the bugs.


Security gaps in the Integrated Lights-Out 5 remote management controller from Hewlett Packard Enterprise, some of them rated critical, could have allowed attackers to smuggle in and execute malicious code. The company has released updated software packages that close the holes.

According to HPE, the vulnerabilities could also lead to execution of injected code, disabling the device (denial of service), leakage of confidential information and unauthorized modification of data. The manufacturer gives no further details about the individual vulnerabilities, only its risk ratings.

HPE classifies four of the vulnerabilities as critical (CVE-2022-28631 and CVE-2022-28632, each CVSS 9.6; CVE-2022-28627 and CVE-2022-28628, each CVSS 9.3; all rated "critical"). The first two allow unprivileged users on adjacent networks to inject arbitrary code; the last two allow local users to do the same.

Another seven vulnerabilities are classified as high risk, with CVSS scores between 8.1 and 8.8, HPE writes in its security advisory. The vulnerabilities are fixed in firmware version HPE Integrated Lights-Out 5 (iLO 5) 2.71 or newer. Administrators can download the latest software from the HPE Support Center: enter the product name, pick the matching entry from the suggestions, and locate the version for the device on the "Drivers and Software" tab.
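Before downloading firmware, administrators usually want to know which controllers in their fleet still report a version below 2.71. The following script is an added example and is not part of the article or HPE's own tooling: it parses the `FirmwareVersion` field of a Redfish Manager resource (the `/redfish/v1/Managers/1/` endpoint and the `iLO 5 vX.YY` string format are assumptions based on the standard Redfish Manager schema, not stated in the article) and triages each host against the fixed version named above. The sample JSON responses are constructed, so the script runs offline.

```python
import json
import re
from typing import Dict, Optional, Tuple

# Minimum fixed iLO 5 firmware version named in the HPE advisory.
FIXED_VERSION = (2, 71)

# Constructed sample responses: what a Redfish GET on /redfish/v1/Managers/1/
# might return for four hosts. Endpoint and version string format are
# assumptions, not taken from the article.
SAMPLE_MANAGERS: Dict[str, str] = {
    "ilo-lab-01": json.dumps({"Id": "1", "FirmwareVersion": "iLO 5 v2.65", "Model": "iLO 5"}),
    "ilo-lab-02": json.dumps({"Id": "1", "FirmwareVersion": "iLO 5 v2.71", "Model": "iLO 5"}),
    "ilo-lab-03": json.dumps({"Id": "1", "FirmwareVersion": "iLO 5 v2.78", "Model": "iLO 5"}),
    "ilo-old-04": json.dumps({"Id": "1", "FirmwareVersion": "iLO 4 v2.80", "Model": "iLO 4"}),
}

# Matches e.g. "iLO 5 v2.65" -> generation 5, major 2, minor 65.
VERSION_RE = re.compile(r"iLO\s+(\d+)\s+v(\d+)\.(\d+)", re.IGNORECASE)


def parse_ilo_version(firmware_version: str) -> Optional[Tuple[int, int, int]]:
    """Return (generation, major, minor) or None if the string is not recognised."""
    m = VERSION_RE.search(firmware_version)
    if not m:
        return None
    gen, major, minor = (int(x) for x in m.groups())
    return gen, major, minor


def needs_update(firmware_version: str) -> Optional[bool]:
    """True if an iLO 5 reports firmware older than 2.71, False if at or after
    the fix, None for other generations or unparsable strings (the advisory
    covers iLO 5 only, so other generations are out of scope here)."""
    parsed = parse_ilo_version(firmware_version)
    if parsed is None or parsed[0] != 5:
        return None
    return parsed[1:] < FIXED_VERSION


def triage(managers: Dict[str, str]) -> Dict[str, str]:
    """Classify each host's Manager JSON as 'update', 'ok' or 'not-ilo5/unknown'."""
    result: Dict[str, str] = {}
    for host, body in managers.items():
        fw = json.loads(body).get("FirmwareVersion", "")
        verdict = needs_update(fw)
        if verdict is True:
            result[host] = "update"
        elif verdict is False:
            result[host] = "ok"
        else:
            result[host] = "not-ilo5/unknown"
    return result


if __name__ == "__main__":
    for host, state in triage(SAMPLE_MANAGERS).items():
        print(f"{host}: {state}")
```

The comparison is numeric on (major, minor), which works for the two-digit minor numbers iLO 5 uses; if a string ever appears in a different shape, `parse_ilo_version` returns `None` and the host lands in the "unknown" bucket rather than being silently marked as patched.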

Since some of the security gaps are critical, administrators should act quickly and download and install the software promptly. Otherwise, they run the risk of the vulnerabilities being misused by attackers – earlier this year, security researchers discovered a rootkit that was able to establish itself in iLO.
