HP Security Bulletin - HP Integrated Lights-Out iLO3 and iLO4 using Single-Sign-On (SSO), Remote Unauthorized Access (HPSBHF02885)
HPSBHF02885 rev.2 - HP Integrated Lights-Out iLO3 and iLO4 using Single-Sign-On
(SSO), Remote Unauthorized Access
NOTICE: The information in this Security Bulletin should be acted upon as soon as
Release Date: 2013-06-11
Last Updated: 2013-06-17
Potential Security Impact: Remote unauthorized access
Source: Hewlett-Packard Company, HP Software Security Response Team

A potential security vulnerability has been identified with HP Integrated Lights-Out
iLO3 and iLO4 using Single-Sign-On (SSO). The vulnerability could be remotely
exploited resulting in unauthorized access.

References: CVE-2013-2338 (SSRT101180)
SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.
HP Integrated Lights-Out 3 (iLO3) firmware versions prior to v1.57. 
HP Integrated Lights-Out 4 (iLO4) firmware versions prior to v1.22.

For a PGP signed version of this security bulletin please write to:

CVSS 2.0 Base Metrics

Reference; Base Vector; Base Score
CVE-2013-2338; (AV:N/AC:M/Au:N/C:C/I:C/A:C); 9.3

Information on CVSS is documented in HP Customer Notice: HPSN-2008-002
HP has made the following Firmware updates available to resolve the vulnerability.

The latest firmware and installation instructions are available from the HP Business
Support Center: http://www.hp.com/go/bizsupport

HP Integrated Lights-Out 4 (iLO4) Online ROM Flash Component for Linux and Windows
v1.22 or subsequent.

HP Integrated Lights-Out 3 (iLO3) Online ROM Flash Component for Linux and Windows
v1.57 or subsequent.

Note: Due to an unexpected delay in the iLO3 v1.57 firmware release, please use the
following temporary FTP site for downloading the update...

FTP System: ftp.usa.hp.com ( or

Login: ilo3_157 
Password: G!v3t2me

Note: login and password are CASE-sensitive.

Version:1 (rev.1) - 11 June 2013 Initial release 
Version:2 (rev.2) - 17 June 2013 Added temporary FTP access for the v1.57 update

Third Party Security Patches: Third party security patches that are to be installed
on systems running HP software products should be applied in accordance with the
customer's patch management policy.

Support: For issues about implementing the recommendations of this Security Bulletin,
contact normal HP Services support channel. For other issues about the content of
this Security Bulletin, send e-mail to security-alert@hp.com.

Report: To report a potential security vulnerability with any HP supported product,
send Email to: security-alert@hp.com

Subscribe: To initiate a subscription to receive future HP Security Bulletin alerts
via Email: http://h41183.www4.hp.com/signup_alerts.php?jumpid=hpsc_secbulletins

Security Bulletin Archive: A list of recently released Security Bulletins is
available here: https://h20564.www2.hp.com/portal/site/hpsc/public/kb/secBullArchive

Software Product Category: The Software Product Category is represented in the title
by the two characters following HPSB.

3C = 3COM 
3P = 3rd Party Software 
GN = HP General Software 
HF = HP Hardware and Firmware 
MP = MPE/iX 
MU = Multi-Platform Software 
NS = NonStop Servers 
OV = OpenVMS 
PI = Printing and Imaging 
PV = ProCurve 
ST = Storage Software 
TU = Tru64 UNIX 

System management and security procedures must be reviewed frequently to maintain
system integrity. HP is continually reviewing and enhancing the security features of
software products to provide customers with current secure solutions.


How to talk infosec with kids

Posted on 17 September 2014.  |  It's never too early to talk infosec with kids: you simply need the right story. In fact, as cyber professionals itís our duty to teach ALL the kids in our life about technology. If we are to make an impact, we must remember that children needed to be taught about technology on their terms.

Weekly newsletter

Reading our newsletter every Monday will keep you up-to-date with security news.

Daily digest

Receive a daily digest of the latest security news.


Fri, Sep 19th