In February 2017, a team of French researchers discovered an amazingly simple exploit that would allow a threat actor to bypass authentication on servers using Hewlett Packard’s (HP) iLO4 (Integrated Lights-Out) server management cards. The team, Alexandre Gazet from Airbus, Fabien Périgaud from Synacktiv, and independent researcher Joffrey Czarny, recently presented their findings at the 2018 Symposium sur la Sécurité des Technologies de l’Information et des Communications (SSTIC 2018). They found that they could remotely access and exploit any internet-exposed iLO server using a very reductionist impersonation of Arthur Fonzarelli.
As reported by Bleeping Computer, exploiting the vulnerability is “as easy as it gets,” only “requiring a cURL request and 29 letter ‘A’ characters.” The flaw is very serious, receiving a severity score of 9.8 out of 10, because it is a remotely exploitable privilege escalation. Once exploited, a threat actor could easily pull cleartext passwords from memory, execute code, install malware, and alter the firmware.
Thankfully, the vulnerability (CVE-2017-12542) was patched by HP in August 2017, so those who stay on top of patching are already covered. However, you may want to double-check, as proof-of-concept exploits have now been posted online. That means some malicious actors will start sniffing around for exposed servers to exploit.
For those who would continue to forgo patching, keep in mind that cybercriminals typically ramp up their efforts after a patched exploit is published, looking to capitalize on those who do not practice proper cyber hygiene.