While we have been focusing a lot on NAS crypto-locking with DeadBolt and the recent wave of attacks, another story came out at the end of 2021 targeting older versions of HP/HPE iLO. Specifically, a research team found a rootkit that targets older generations of hardware running iLO 4 and earlier, and another researcher found over twenty thousand of these iLO 4 controllers connected directly to the Internet.
Outdated HPE iLO Interfaces Exposed to the Internet and Rootkits
Let us get into the two parts of this. First, let us discuss the rootkit briefly. Then, let us discuss the public scope of exposure on the Internet.
The iLO rootkit is called Implant.ARM.iLOBleed.a and was disclosed at the very end of 2021 (see here for reference.) We missed picking this one up since it was published on December 28. The basic idea is that HP/HPE iLO firmware can be replaced with a modified image that carries the rootkit, giving an attacker a persistent foothold below the host operating system from which they can, among other things, wipe the server's disks. Because the implant lives in the BMC's flash rather than on the host, reinstalling the OS does not remove it, and the implant also blocks later firmware updates while reporting the expected new version number, so the version shown by a suspected iLO cannot be trusted. It specifically targets iLO 4 and earlier, including the iLO in HPE Moonshot chassis like the one we are showing above. If you are on ProLiant Gen10 servers, you likely have iLO 5, but Gen9 and older servers can be vulnerable. Newer servers have a much stronger firmware security model with secure boot that verifies the firmware image, which would likely prevent this type of attack.
As a quick aside, if you saw our AMD PSB Vendor Locks EPYC CPUs for Enhanced Security at a Cost and Lenovo Vendor Locking Ryzen-based Systems with AMD PSB pieces, this is one of the types of firmware attacks that feature is designed to mitigate: the platform refuses to boot firmware that was not signed by the vendor. Effectively, an attacker who compromises firmware gets low-level access to the system that sits beneath every control the operating system can offer.
Of course, the prerequisite to loading modified firmware is getting access to the device. In our Basic BMC and IPMI Management Security Practices piece, we note that a poor way to set up a server management BMC interface on any server (not just HPE) is to have it directly accessible from the Internet.
A researcher at sans.edu, Jan Kopriva, used Shodan plus some clever favicon hashing to count the iLO systems that follow the worst-practice diagram above. Check out the full analysis here. The net result is that over 20,000 iLO BMCs are directly accessible from the Internet, and many of them are running out-of-date firmware. That matters because iLO 4 firmware older than 2.53 is affected by an authentication bypass (CVE-2017-12542) with a CVSS score just shy of 10, and there are quite a few other iLO vulnerabilities that, as one would expect, get patched regularly. That is a lot of potentially vulnerable systems.
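To make the favicon-hashing technique concrete, here is an added example (our code, not from the original article or from Kopriva's write-up) that computes a Shodan-compatible favicon hash in pure Python. Shodan's `http.favicon.hash` is MurmurHash3 (x86, 32-bit, returned signed, as the `mmh3` package does) over the base64 of the icon as produced by `codecs.encode(data, "base64")` or `base64.encodebytes()`, which wraps lines at 76 characters. Hashing the unwrapped `base64.b64encode()` output is a common mistake that yields a different value for any icon longer than 57 bytes. The `SAMPLE_FAVICON` bytes are a constructed stand-in, not a real iLO favicon, so the value it prints is not the hash you would search for.

```python
import base64

# Added example (not from the original article or Kopriva's analysis):
# a pure-Python MurmurHash3_x86_32, which is what mmh3.hash() computes,
# plus the exact pre-processing Shodan applies before hashing a favicon.


def murmur3_32(data: bytes, seed: int = 0) -> int:
    """MurmurHash3_x86_32, returned as a signed 32-bit int like mmh3.hash()."""
    c1, c2, mask = 0xCC9E2D51, 0x1B873593, 0xFFFFFFFF

    def rotl(x: int, r: int) -> int:
        return ((x << r) | (x >> (32 - r))) & mask

    h = seed & mask
    nblocks = len(data) // 4
    for i in range(nblocks):  # 4-byte body blocks, read little-endian
        k = int.from_bytes(data[4 * i:4 * i + 4], "little")
        k = rotl((k * c1) & mask, 15)
        k = (k * c2) & mask
        h ^= k
        h = rotl(h, 13)
        h = (h * 5 + 0xE6546B64) & mask
    tail = data[4 * nblocks:]  # 0-3 trailing bytes, same mixing without the h update
    if tail:
        k = int.from_bytes(tail, "little")
        k = rotl((k * c1) & mask, 15)
        k = (k * c2) & mask
        h ^= k
    h ^= len(data)  # finalisation (fmix32)
    h ^= h >> 16
    h = (h * 0x85EBCA6B) & mask
    h ^= h >> 13
    h = (h * 0xC2B2AE35) & mask
    h ^= h >> 16
    return h - (1 << 32) if h & 0x80000000 else h


def shodan_favicon_hash(favicon: bytes) -> int:
    """Shodan's http.favicon.hash: mmh3 over the MIME-style base64 of the file.

    base64.encodebytes() inserts a newline every 76 characters plus a trailing
    newline, exactly like codecs.encode(data, "base64"). That newline-wrapped
    text, not the raw icon and not b64encode() output, is what gets hashed.
    """
    return murmur3_32(base64.encodebytes(favicon))


def wrong_hash(favicon: bytes) -> int:
    """The common mistake: hashing base64 without the line breaks."""
    return murmur3_32(base64.b64encode(favicon))


# Constructed stand-in for a favicon.ico (512 bytes, long enough that the
# 76-column line wrapping changes the result); not a real iLO icon.
SAMPLE_FAVICON = bytes(range(256)) * 2

if __name__ == "__main__":
    print("Shodan-style hash:", shodan_favicon_hash(SAMPLE_FAVICON))
    print("unwrapped-b64 hash:", wrong_hash(SAMPLE_FAVICON))
```

Fetch the icon from a known-good iLO of the generation you care about (the `/favicon.ico` path on the management address is an assumption here; use whatever the firmware actually serves), pass the bytes to `shodan_favicon_hash()`, and search Shodan for `http.favicon.hash:<value>`. A hit only tells you that a web server shipping that icon is reachable, not which firmware version it runs, and different iLO generations may ship different icons, so count each generation's hash separately.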
Direct exposure to the public Internet, a well-known authentication bypass, and a persistent firmware rootkit on systems that lack modern platform firmware protections is not a good recipe for anyone operating these servers.
As with our recent QNAP pieces, this is one of those areas where we urge our readers to update iLO firmware. Many legacy systems were never updated to the latest firmware before their support contracts ran out, which can make this challenging given HPE's paywalled support model. We also suggest that our readers double-check that their iLO interfaces, and BMC interfaces in general, are not exposed to the public Internet; management interfaces belong on an isolated network reachable only through a VPN or jump host. Attacks like these are one of the reasons platform firmware security has become such a hot topic. Even if you are not impacted by these, it is always good to set a reminder to keep firmware updated because we know that not all vulnerabilities are disclosed.
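As an added example (our code, not from the article or from HPE), the check below triages the unauthenticated `https://<ilo>/xmldata?item=all` document that iLO serves, which reports the iLO generation in `MP/PN` and the firmware version in `MP/FWRI`. The tag layout follows the RIMP document iLO 4 returns; the sample documents are constructed for this example, not captures from real servers, and the threshold is the iLO 4 2.53 release that fixed CVE-2017-12542. Fetching the document is left to whatever HTTP client you use; the function works on the text.

```python
import re
import xml.etree.ElementTree as ET

# Added example, not from the original article or from HPE. Parses the
# unauthenticated https://<ilo>/xmldata?item=all document iLO serves and
# flags the generations and versions the article is concerned with. The
# sample documents built below are constructed, not real captures.

# iLO 4 firmware before 2.53 carries the CVE-2017-12542 authentication bypass.
ILO4_AUTH_BYPASS_FIXED = (2, 53)


def make_xmldata(product_name: str, firmware: str, server: str) -> str:
    """Build a constructed RIMP document in the layout iLO 4 returns."""
    return (
        '<?xml version="1.0"?>\n'
        "<RIMP>\n"
        f"  <HSI><SPN>{server}</SPN></HSI>\n"
        "  <MP>\n"
        "    <ST>1</ST>\n"
        f"    <PN>{product_name}</PN>\n"
        f"    <FWRI>{firmware}</FWRI>\n"
        "    <HWRI>ASIC: 16</HWRI>\n"
        "  </MP>\n"
        "</RIMP>\n"
    )


def parse_version(text: str) -> tuple:
    """'2.50' -> (2, 50). Tuples compare component-wise, so '2.53.1' sorts
    after '2.53' (a float comparison would not handle a third component)."""
    return tuple(int(p) for p in re.findall(r"\d+", text))


def ilo_generation(product_name: str):
    """'Integrated Lights-Out 4 (iLO 4)' -> 4; None if not recognised."""
    m = re.search(r"iLO\s*(\d+)", product_name)
    return int(m.group(1)) if m else None


def assess_xmldata(xml_text: str) -> dict:
    """Return server model, iLO generation, firmware and a list of findings."""
    root = ET.fromstring(xml_text)
    product = root.findtext("MP/PN", default="")
    firmware = root.findtext("MP/FWRI", default="")
    gen = ilo_generation(product)
    version = parse_version(firmware)
    findings = []
    if gen is None:
        findings.append("could not identify iLO generation from MP/PN")
    elif gen <= 4:
        findings.append(
            f"iLO {gen}: generation targeted by iLOBleed, no iLO 5-style firmware secure boot"
        )
        if gen == 4 and version and version < ILO4_AUTH_BYPASS_FIXED:
            findings.append(
                f"iLO 4 firmware {firmware} < 2.53: CVE-2017-12542 authentication bypass"
            )
    return {
        "server": root.findtext("HSI/SPN", default=""),
        "generation": gen,
        "firmware": firmware,
        "findings": findings,
    }


# Constructed inventory: three hosts at different patch levels.
SAMPLES = {
    "old-gen9": make_xmldata("Integrated Lights-Out 4 (iLO 4)", "2.50", "ProLiant DL380 Gen9"),
    "patched-gen9": make_xmldata("Integrated Lights-Out 4 (iLO 4)", "2.78", "ProLiant DL360 Gen9"),
    "gen10": make_xmldata("Integrated Lights-Out 5 (iLO 5)", "2.44", "ProLiant DL380 Gen10"),
}

if __name__ == "__main__":
    for host, doc in SAMPLES.items():
        result = assess_xmldata(doc)
        print(f"{host}: {result['server']} iLO {result['generation']} fw {result['firmware']}")
        for finding in result["findings"]:
            print("   -", finding)
```

Treat this as inventory triage, not attestation. The iLOBleed report describes the implant faking firmware upgrades and reporting the expected new version, so a "patched" reading from an already-compromised BMC proves nothing; it tells you which reachable systems need attention first, and the Internet-exposure finding stands regardless of the version string.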