iLOBleed vulnerability on HP Servers

A security research firm from Iran has detected a new vulnerability that seems to have a profound effect on the HP Proliant servers. The scope, extent, and impact of the security loophole on the HP servers make it a worrisome vulnerability, without any tangible fix. We look at some common questions in regard to the HP Servers vulnerability that has been called the iLOBleed vulnerability. And, we discuss the potential temporary fix and periodic remediation plan for this vulnerability. Left unattended or without periodic audits, iLOBleed could be a major disruptor for strategic assets.


What is the iLOBleed rootkit vulnerability on HP Servers?

iLO, or Integrated Lights-Out, is a management module made available on HP Proliant servers for remote administration tasks. An administrator connects to the iLO port, reaches the iLO module, and manages the HP server through it. The iLO port and the iLO management module are an essential part of HP server maintenance and upkeep. An attacker who gains access to the iLO module can use it to deploy malicious payloads onto that module. The iLO module runs its own firmware, separate from the server's operating system. A remote attacker who deploys malicious code there gains unhindered access to the compromised HP Proliant server. That access can be used to monitor the server's content or even to steal data of a critical nature. Once a server has been compromised, the impact of the compromise typically goes unnoticed until it grows into a larger breach or attack.

However, do note that deploying a payload on the iLO module requires either administrative privileges on iLO or access to the server through the iLO network port. Once a payload has been deployed, only a regular scan or audit will reveal an unauthorized image or payload on the module.

The problem with the iLOBleed vulnerability is that:

  • the iLO management module has full access to the firmware, hardware, software, and operating system installed on the server.
  • the rootkit or malicious payload can be deployed by anyone with administrative access to the iLO module.
  • anyone with access to the iLO port on the server can also use it to deploy a malicious payload. That payload integrates with the firmware and takes the form of a rootkit.
  • updating the firmware on the iLO management module to the latest version does not protect against the rootkit. An attacker can even downgrade the firmware to clear the way for installing the rootkit or other malicious code on the HP server.
  • once deployed on an HP server, such rootkits or payloads are very hard to detect, so they can sit unnoticed for an extended period of time. All the while, the server's information and content can be accessed by the malicious users.

In the case of the recent iLOBleed rootkit, the security firm from Iran found a rootkit that had been deployed on HP Proliant servers. It is difficult to fathom for how long the target had been compromised and whether any private or government data was leaked. What is known is that the rootkit was programmed to wipe the contents of the hard drive on a periodic basis. It could equally have been programmed to cause any other type of damage to the server or to the network the server was connected to. It is unclear whether the hard drive data was deleted to destroy the audit trail or to destroy data critical to the organization.

What HP Proliant servers are affected by iLOBleed rootkit vulnerability?

Since the iLO vulnerability involves planting a malicious rootkit on the iLO management module of the HP Proliant servers, all the HP Proliant servers are affected.

So, G2-G10 servers can be impacted by this rootkit threat. G10 servers can be configured to disable downgrades of the iLO firmware. If you can manage to disable the downgrades of the iLO firmware on G10 servers, you could protect against the deployment of the rootkits on the iLO management module.

On older servers, an attacker can deploy this rootkit freely. The attackers can also work covertly and disable future firmware updates: the firmware update process appears to execute, but the actual firmware on the iLO module remains unchanged and fully compromised.

What is the resolution of the iLOBleed rootkit vulnerability on HP Proliant servers?

Sadly, there is no magic fix for the challenges posed by the iLO management module. A combination of proactive security monitoring posture and a verifiable firmware update would be good starting points. A server administrator should focus on one or more of the following steps:

  • Run iLO scans to check for any known malicious payloads that may be installed alongside the firmware on the iLO management module.
  • Perform a firmware update and verify it manually. The server administrator should be able to confirm that the firmware update actually completed and that the module now runs the intended version.
  • Restrict administrative credentials to a limited set of server administrators whose actions on the server can be audited.
  • If possible, disconnect the network cable from the iLO port so that there is no direct network access to the iLO management port on the HP Proliant servers.

Essentially, it is a proactive preventive security posture. Plus, periodic audit trails on the iLO management module should watch out for extraneous deployments.
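
As an added illustration of the "verify the firmware update manually" and periodic-audit steps above (example code, not from the original article or from HP), the following Python audit compares the firmware version an iLO reports against the version recorded at the last audit and the version the administrator just tried to flash. It assumes the iLO exposes the DMTF Redfish Manager resource at /redfish/v1/Managers/1/ with a FirmwareVersion property; the sample JSON below is constructed, and because a compromised iLO can misreport its version (as the article notes), the result is one signal to feed into an audit trail, not proof of integrity.

```python
import base64
import json
import re
import urllib.request
from typing import Optional, Tuple

# Constructed sample of a Redfish Manager resource, shaped like an iLO reply
# from /redfish/v1/Managers/1/ (assumption: DMTF Redfish property names).
SAMPLE_MANAGER_JSON = json.dumps({
    "Id": "1",
    "Model": "iLO 5",
    "FirmwareVersion": "iLO 5 v2.44",
})

VERSION_RE = re.compile(r"v(\d+)\.(\d+)")


def parse_version(firmware_string: str) -> Optional[Tuple[int, int]]:
    """Extract (major, minor) from a string such as 'iLO 5 v2.44'."""
    match = VERSION_RE.search(firmware_string)
    return (int(match.group(1)), int(match.group(2))) if match else None


def audit_firmware(manager_json: str, last_known: str, expected_after_update: str) -> list:
    """Return audit findings for the firmware version an iLO reports.

    last_known: version recorded at the previous audit (downgrade check).
    expected_after_update: version the administrator just attempted to flash
    (catches an update that 'ran' but left the firmware unchanged).
    """
    reported = json.loads(manager_json).get("FirmwareVersion", "")
    current = parse_version(reported)
    if current is None:
        return ["unparseable FirmwareVersion: %r" % reported]
    findings = []
    previous = parse_version(last_known)
    if previous and current < previous:
        findings.append("DOWNGRADE: %s -> %s" % (last_known, reported))
    expected = parse_version(expected_after_update)
    if expected and current != expected:
        findings.append("UPDATE NOT APPLIED: iLO reports %s, expected %s"
                        % (reported, expected_after_update))
    return findings


def fetch_manager(host: str, user: str, password: str) -> str:
    """Fetch the live Manager resource with HTTP basic auth (network call, not run offline)."""
    req = urllib.request.Request("https://%s/redfish/v1/Managers/1/" % host)
    token = base64.b64encode(("%s:%s" % (user, password)).encode()).decode()
    req.add_header("Authorization", "Basic " + token)
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode()
```

Run `audit_firmware(fetch_manager(host, user, password), last_known, expected)` from a scheduled job and log the findings alongside the iLO event log; an iLO with a self-signed certificate will need the usual TLS trust configuration before `fetch_manager` succeeds.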